使用docker-compose部署,以下为文件
# Base directory on the host for the bind-mounted MongoDB and Graylog data
# (the compose file below mounts sub-directories of /data/graylog).
mkdir -p /data/graylog
1、docker-compose.yml
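# Single-host Graylog stack: MongoDB (configuration/metadata), Elasticsearch
# (message storage) and the Graylog server, all attached to one bridge network.
version: "3"
services:
  mongo:
    image: mongo:4.2
    # Listen on every interface *inside the container* so the graylog service
    # can reach mongod over the compose network.
    command: --bind_ip 0.0.0.0
    ports:
      # mongod is started without any authentication option and graylog.conf
      # connects without credentials, so the port is published on the host's
      # loopback address only. Graylog itself reaches MongoDB as "mongo" over
      # the compose network and does not need this mapping; remove it entirely
      # if no host-side access (backup, mongo shell) is required.
      - "127.0.0.1:27017:27017"
    volumes:
      - /data/graylog/mongo_data:/data/db
    networks:
      - graylog
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
    # No "ports:" section: Elasticsearch is reachable only from containers on
    # the graylog network, which matters because no authentication is
    # configured for it anywhere in this setup.
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      # formatMsgNoLookups=true turns off Log4j message lookups as a
      # mitigation. NOTE(review): a mitigation flag is weaker than a patched
      # Log4j - confirm which Log4j version this image tag bundles.
      # Heap is fixed at 4 GiB, below the 5g container limit further down.
      - "ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true -Xms4096m -Xmx4096m"
    ulimits:
      # Unlimited locked memory; presumably only relevant when
      # bootstrap.memory_lock is enabled, which is not set here.
      memlock:
        soft: -1
        hard: -1
    # NOTE(review): depending on the Compose version, "deploy" limits may be
    # honoured only in swarm mode or with --compatibility - confirm the limit
    # is actually applied (docker stats).
    deploy:
      resources:
        limits:
          memory: 5g
    networks:
      - graylog
  graylog:
    image: graylog/graylog:4.2
    # NOTE(review): the server process runs as root inside the container,
    # presumably so it can write to the bind-mounted data directory. Prefer
    # giving ownership of /data/graylog/graylog_data to the image's
    # unprivileged user and dropping this line - confirm that user's UID first.
    user: root
    # docker.env carries the password secret and the admin password hash.
    env_file:
      - docker.env
    # Wait until Elasticsearch answers on 9200 before starting Graylog.
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 -- /docker-entrypoint.sh
    depends_on:
      - mongo
      - elasticsearch
    # All mappings below are published on every host interface; limit who can
    # reach them with a host firewall. Values are quoted so that no parser can
    # read "host:container" pairs as numbers.
    ports:
      # Web interface / REST API (http_bind_address in graylog.conf).
      - "9000:9000"
      # Port used for the Beats input created in the Graylog UI.
      - "1514:1514"
      - "1514:1514/udp"
      # Conventionally the GELF port; no input for it is configured on this
      # page - remove these two mappings if it stays unused.
      - "12201:12201"
      - "12201:12201/udp"
    volumes:
      - /data/graylog/graylog_data:/usr/share/graylog/data
      - ./graylog.conf:/usr/share/graylog/data/config/graylog.conf
    networks:
      - graylog
    restart: always
networks:
  graylog:
    driver: bridge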
2、docker.env
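# This file holds secrets: keep it out of version control and readable only by
# the deploying user (e.g. chmod 600 docker.env).
#
# Secret Graylog uses to protect stored passwords; must be at least 16
# characters. Generate a long random value (for example `pwgen -N 1 -s 96`)
# instead of a guessable digit sequence.
# Comments stay on their own lines: some env-file parsers take everything after
# "=" as the value, inline comment included.
GRAYLOG_PASSWORD_SECRET=<REPLACE_WITH_RANDOM_SECRET_MIN_16_CHARS>
# SHA-256 hex digest of the admin password. The value below is masked in the
# original post; paste the real 64-character digest here.
GRAYLOG_ROOT_PASSWORD_SHA2=***a#####@###
# Container time zone.
TZ=Asia/Shanghai
# NOTE(review): Graylog maps GRAYLOG_<SETTING> variables onto graylog.conf
# settings, so the override for root_timezone is presumably
# GRAYLOG_ROOT_TIMEZONE; the two names below may be ignored - confirm.
# root_timezone is also set directly in graylog.conf.
ROOT_TIMEZONE=Asia/Shanghai
GRAYLOG_TIMEZONE=Asia/Shanghai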
3、graylog.conf
# Graylog server settings; the compose file mounts this file at
# /usr/share/graylog/data/config/graylog.conf inside the graylog container.
# password_secret and root_password_sha2 are not set here; they come from
# docker.env.
#
# Single-node setup: this node is the master.
is_master = true
node_id_file = /usr/share/graylog/data/config/node-id
root_timezone = Asia/Shanghai
# Directories inside the container.
bin_dir = /usr/share/graylog/bin
data_dir = /usr/share/graylog/data
plugin_dir = /usr/share/graylog/plugin
# Web interface / REST API on all container interfaces, port 9000 (published on
# the host by the compose file). No TLS setting appears in this file, so this
# is presumably plain HTTP: restrict access to port 9000 or put a
# TLS-terminating reverse proxy in front of it.
http_bind_address = 0.0.0.0:9000
# Elasticsearch is addressed by its compose service name over plain HTTP with
# no credentials; it is not published on the host.
elasticsearch_hosts = http://elasticsearch:9200
# Index rotation by document count: a new index after 20,000,000 documents,
# at most 20 indices (the retention action is not set in this file).
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
elasticsearch_shards = 4
# 0 replicas: no redundant copy of any shard.
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
# Leading-wildcard searches and result highlighting are both turned off.
allow_leading_wildcard_searches = false
allow_highlighting = false
rotation_strategy = count
# Output batching and fault handling.
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
# Processing threads and ring buffer sizes.
processbuffer_processors = 5
outputbuffer_processors = 3
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
# On-disk message journal. NOTE(review): the path is relative - confirm it
# resolves to a directory on the mounted data volume.
message_journal_enabled = true
message_journal_dir = data/journal
lb_recognition_period_seconds = 3
# MongoDB by compose service name, database "graylog". The URI carries no
# credentials, matching the mongo service, which is started without any
# authentication option.
mongodb_uri = mongodb://mongo/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
proxied_requests_thread_pool_size = 32
4、建目录
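# Create both bind-mount directories. The paths are spelled out because brace
# expansion is a bash feature: under a plain /bin/sh the original form can
# create one literal "{mongo_data,graylog_data}" directory instead.
mkdir -p /data/graylog/mongo_data /data/graylog/graylog_data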
GRAYLOG_PASSWORD_SECRET 不能少于16个字符
生成admin密码的SHA-256哈希值,写到GRAYLOG_ROOT_PASSWORD_SHA2(写入的是哈希值而不是明文密码,请使用强密码)
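# Prompt for the admin password instead of typing it on the command line, so it
# does not end up in shell history; prints only the SHA-256 hex digest to paste
# into GRAYLOG_ROOT_PASSWORD_SHA2. The typed password is echoed on the
# terminal, so run this where nobody can read the screen.
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1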
5、启动
# Start the stack in the background (-d). Run this from the directory that
# holds docker-compose.yml, docker.env and graylog.conf, because the compose
# file refers to the latter two by relative path.
docker-compose up -d
6、配置
在Graylog界面创建input,类型选择Beats,把端口改为1514即可。
7、如果要采集的是日志文件
使用filebeat.yml
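# Filebeat configuration that ships log files to the Graylog Beats input.
# Custom fields are placed at the top level of each event (no custom fields
# are defined in this file).
fields_under_root: true
filebeat.inputs:
  # NOTE(review): "input_type" looks like the legacy spelling of "type"; both
  # are kept as in the original - confirm which one this Filebeat version reads.
  - input_type: log
    paths:
      - /data/logs/*/*.log
    type: log
# Beats protocol to the Graylog input on the same host, unencrypted.
# NOTE(review): when shipping from other hosts, enable TLS on the Graylog
# input and add the matching ssl settings (e.g. ssl.certificate_authorities)
# here, since log lines frequently contain sensitive data.
output.logstash:
  hosts: ["127.0.0.1:1514"]
# Filebeat's state and its own logs, kept under the graylog-sidecar directory;
# the user running Filebeat needs write access to both paths.
path:
  data: /var/lib/graylog-sidecar/collectors/filebeat/data
  logs: /var/lib/graylog-sidecar/collectors/filebeat/log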
启动filebeat
# -c selects the configuration file; -e sends Filebeat's own log output to
# stderr, so the process stays in the foreground of this terminal.
filebeat -e -c filebeat.yml
单机极速版以上