
系统配置

2C8G。注意:2C4G 会因内存不足而报错,Java 无法运行。

graylog(9000): https://packages.graylog2.org/el/stable/6.0/x86_64

opensearch(9200): https://opensearch.org/artifacts/opensearch/opensearch-2-13-0-linux-x64-rpm.html

graylog-opensearch-mongodb 版本对应关系: https://go2docs.graylog.org/6-0/downloading_and_installing_graylog/red_hat_installation.htm

搭建过程

mongo7.0.6(27017)

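# MongoDB 7.0.6 for Graylog, run as a container.
# The official mongo image creates the root user from MONGO_INITDB_ROOT_USERNAME /
# MONGO_INITDB_ROOT_PASSWORD; the MONGODB_* spelling is not read by its entrypoint, which
# leaves the published port without any access control.
# Credentials come from the environment instead of the command line:
#   MONGO_ROOT_USERNAME  (default: mongo)
#   MONGO_ROOT_PASSWORD  (required)
: "${MONGO_ROOT_PASSWORD:?set MONGO_ROOT_PASSWORD before running}"

docker pull docker.1ms.run/mongo:7.0.6
# --privileged is not needed by mongod and was dropped: it hands the container every host
# capability and device. -p 27017:27017 publishes on all host interfaces because Graylog
# on another host connects to it; restrict the source at the host firewall, or bind a
# single address with -p HOST_IP:27017:27017 (HOST_IP is a placeholder).
# /data/db is the image's data directory; a named volume keeps the data across
# container re-creation.
docker run -d \
  --restart=always \
  --name mongo \
  -p 27017:27017 \
  -e TZ=Asia/Shanghai \
  -e MONGO_INITDB_ROOT_USERNAME="${MONGO_ROOT_USERNAME:-mongo}" \
  -e MONGO_INITDB_ROOT_PASSWORD="${MONGO_ROOT_PASSWORD}" \
  -v mongo-data:/data/db \
  docker.1ms.run/mongo:7.0.6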

graylog and opensearch

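#!/bin/bash
# Install OpenSearch 2.13.0 and Graylog 6.0.5 on EL9 from the RPMs under /opt/GrayLog_install.
# Save this as a script and run it as root; it is not meant to be pasted into an interactive shell.
#
# Secrets are supplied through the environment instead of being written into the script:
#   OPENSEARCH_ADMIN_PASSWORD  initial OpenSearch admin password (required). It is written into a
#                              URL and a curl config, so avoid characters that need URL-encoding
#                              or a double quote.
#   GRAYLOG_ROOT_PASSWORD      Graylog web UI root password (required; only its SHA-256 is stored).
#   GRAYLOG_PASSWORD_SECRET    Graylog password_secret; generated with openssl when unset.
# Optional:
#   OPENSEARCH_HEAP (default 4g), GRAYLOG_HEAP (default 2g)
#   OPENSEARCH_EXPOSE=1   bind OpenSearch on 0.0.0.0 and open 9200/tcp. Default is loopback only,
#                         which is all the Graylog on this host needs (it uses 127.0.0.1:9200).
#   GRAYLOG_MONGODB_URI   when set, written to mongodb_uri in server.conf.
# Re-runnable: package installs are skipped when present, config edits are anchored on the key.
set -euo pipefail

: "${OPENSEARCH_ADMIN_PASSWORD:?OPENSEARCH_ADMIN_PASSWORD must be set}"
: "${GRAYLOG_ROOT_PASSWORD:?GRAYLOG_ROOT_PASSWORD must be set}"
# password_secret is what Graylog uses to encrypt the credentials it stores; it must be unique per
# installation, so a value copied from a published example must never be reused.
GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET:-$(openssl rand -base64 96 | tr -d '\n')}
OPENSEARCH_HEAP=${OPENSEARCH_HEAP:-4g}
GRAYLOG_HEAP=${GRAYLOG_HEAP:-2g}
OPENSEARCH_EXPOSE=${OPENSEARCH_EXPOSE:-0}
readonly install_dir=/opt/GrayLog_install
readonly os_conf=/etc/opensearch/opensearch.yml
readonly gl_conf=/etc/graylog/server/server.conf

#######################################
# Escape a value for the right-hand side of a sed s|||  expression.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout
#######################################
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

#######################################
# Set "key: value" in a YAML-style file: replaces an existing line for the key (commented out
# or not), otherwise appends one. Safe to run repeatedly.
# Arguments: $1 - file, $2 - key, $3 - value
#######################################
set_yaml_key() {
  local file=$1 key=$2 value
  value=$(sed_escape "$3")
  if grep -qE "^#?${key}:" "$file"; then
    sed -i -E "s|^#?${key}:.*|${key}: ${value}|" "$file"
  else
    printf '%s: %s\n' "$key" "$3" >> "$file"
  fi
}

#######################################
# Same as set_yaml_key for "key = value" files such as Graylog's server.conf.
# Arguments: $1 - file, $2 - key, $3 - value
#######################################
set_conf_key() {
  local file=$1 key=$2 value
  value=$(sed_escape "$3")
  if grep -qE "^#?${key} =" "$file"; then
    sed -i -E "s|^#?${key} =.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$3" >> "$file"
  fi
}

#######################################
# Open a TCP port permanently in firewalld's public zone, if firewalld is running.
# Arguments: $1 - port number
#######################################
open_port() {
  if systemctl is-active --quiet firewalld; then
    firewall-cmd --add-port="$1/tcp" --permanent --zone=public
    firewall-cmd --reload
  else
    printf 'firewalld is not running; port %s/tcp was not opened\n' "$1" >&2
  fi
}

#######################################
# curl against the local OpenSearch node. The security plugin requires the admin credentials
# even with TLS off; they are passed through a curl config on stdin (-K -) rather than -u, so
# the password does not appear in the process list.
# Arguments: remaining curl options and the URL
#######################################
curl_os() {
  curl -sS -K - "$@" <<<"user = \"admin:${OPENSEARCH_ADMIN_PASSWORD}\""
}

cd "$install_dir"

# --- OpenSearch -------------------------------------------------------------
# The initial admin password is presumably only applied when the package is first installed,
# so the install is skipped if it is already present. An environment assignment (not `env`)
# keeps the password out of the argument list.
if ! rpm -q opensearch >/dev/null 2>&1; then
  OPENSEARCH_INITIAL_ADMIN_PASSWORD="$OPENSEARCH_ADMIN_PASSWORD" \
    rpm -ivh "${install_dir}/opensearch-2.13.0-linux-x64.rpm"
fi

# Data and logs live on the separate /data filesystem.
mkdir -p /data/opensearch/data /data/opensearch/logs
chown -R opensearch:opensearch /data/opensearch
sysctl -w vm.max_map_count=262144
grep -q '^vm.max_map_count=262144$' /etc/sysctl.conf \
  || echo 'vm.max_map_count=262144' >> /etc/sysctl.conf

# Keep a pristine copy of the shipped config (first run only).
[[ -e "${os_conf}_default" ]] || cp "$os_conf" "${os_conf}_default"
set_yaml_key "$os_conf" cluster.name graylog
set_yaml_key "$os_conf" node.name graylog
set_yaml_key "$os_conf" path.data /data/opensearch/data
set_yaml_key "$os_conf" path.logs /data/opensearch/logs
if [[ "$OPENSEARCH_EXPOSE" == 1 ]]; then
  set_yaml_key "$os_conf" network.host 0.0.0.0
else
  set_yaml_key "$os_conf" network.host 127.0.0.1
fi
set_yaml_key "$os_conf" discovery.type single-node
set_yaml_key "$os_conf" action.auto_create_index false
set_yaml_key "$os_conf" indices.query.bool.max_clause_count 32768
# Graylog below connects with http://, so TLS on the REST port is turned off. The security
# plugin stays enabled and every request still needs the admin credentials; with
# OPENSEARCH_EXPOSE=1 those credentials cross the network in clear text.
set_yaml_key "$os_conf" plugins.security.ssl.http.enabled false

# JVM heap; anchored on the whole -Xms/-Xmx line so re-runs do not stack replacements.
sed -i -E "s/^-Xms[0-9]+[gmGM]$/-Xms${OPENSEARCH_HEAP}/; s/^-Xmx[0-9]+[gmGM]$/-Xmx${OPENSEARCH_HEAP}/" \
  /etc/opensearch/jvm.options

systemctl daemon-reload
systemctl enable opensearch.service
systemctl restart opensearch.service
[[ "$OPENSEARCH_EXPOSE" == 1 ]] && open_port 9200

# The node takes a while to come up; without this wait the checks below fail under set -e.
for _ in {1..60}; do
  curl_os -f -o /dev/null http://127.0.0.1:9200/ && break
  sleep 5
done
curl_os -f 'http://127.0.0.1:9200/_cluster/health?pretty=true'
curl_os -f 'http://127.0.0.1:9200/_cat/nodes?v'

# --- Graylog ----------------------------------------------------------------
rpm -q graylog-server >/dev/null 2>&1 \
  || rpm -ivh "${install_dir}/graylog-server-6.0.5-1.x86_64.rpm"
[[ -e "${gl_conf}_default" ]] || cp "$gl_conf" "${gl_conf}_default"

# Graylog stores the SHA-256 of the root password; printf (not echo) so no newline is hashed,
# and cut so only the hex digest is written.
root_hash=$(printf '%s' "$GRAYLOG_ROOT_PASSWORD" | sha256sum | cut -d' ' -f1)
set_conf_key "$gl_conf" password_secret "$GRAYLOG_PASSWORD_SECRET"
set_conf_key "$gl_conf" root_password_sha2 "$root_hash"
set_conf_key "$gl_conf" root_timezone Asia/Shanghai
set_conf_key "$gl_conf" http_bind_address 0.0.0.0:9000
set_conf_key "$gl_conf" allow_highlighting true
# Same admin credentials OpenSearch was installed with. server.conf now contains a password,
# so keep it readable by the graylog user only.
set_conf_key "$gl_conf" elasticsearch_hosts "http://admin:${OPENSEARCH_ADMIN_PASSWORD}@127.0.0.1:9200"
if [[ -n "${GRAYLOG_MONGODB_URI:-}" ]]; then
  set_conf_key "$gl_conf" mongodb_uri "$GRAYLOG_MONGODB_URI"
fi

# Graylog JVM heap (GRAYLOG_SERVER_JAVA_OPTS in /etc/sysconfig/graylog-server).
sed -i -E "s/-Xms[0-9]+[gmGM] -Xmx[0-9]+[gmGM]/-Xms${GRAYLOG_HEAP} -Xmx${GRAYLOG_HEAP}/" \
  /etc/sysconfig/graylog-server

open_port 9000
systemctl daemon-reload
systemctl enable graylog-server
systemctl restart graylog-server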

编辑 graylog-server 配置文件,修改对接 MongoDB 的地址:

# Point Graylog at the MongoDB started earlier (192.168.112.12 is presumably the Docker host
# running the mongo container — verify).
cd /etc/graylog/server
vim server.conf
# The line to set inside server.conf (not a shell command). The mongo container was started
# with a root username/password; if that access control is active the URI also needs
# credentials and the auth database, e.g.
# mongodb://USER:PASSWORD@192.168.112.12/graylog?authSource=admin  (USER/PASSWORD are placeholders)
mongodb_uri = mongodb://192.168.112.12/graylog

重启服务:

systemctl restart graylog-server
# Follow the log to confirm the MongoDB connection succeeds and the listener starts.
tail -f /var/log/graylog-server/server.log
# Expected once the REST API is up (sample log line, not a command):
 [JerseyService] Started REST API at <0.0.0.0:9000>

测试 graylog:打开 http://localhost:9000,在 System -> Inputs 中选择 GELF UDP。添加 2 个测试容器:

# Test container A: a busybox loop that prints one line every 10 s; the gelf log driver
# ships it to the Graylog GELF UDP input on 12201, tagged so it can be filtered.
gelf_opts=(
  --log-driver=gelf
  --log-opt gelf-address=udp://localhost:12201
  --log-opt tag="log-test-container-A"
)
docker run -d "${gelf_opts[@]}" busybox \
  sh -c 'while true; do echo "This is a log message from container A"; sleep 10; done;'
# Test container B: same as A with its own tag, so two sources show up in the search view.
gelf_opts=(
  --log-driver=gelf
  --log-opt gelf-address=udp://localhost:12201
  --log-opt tag="log-test-container-B"
)
docker run -d "${gelf_opts[@]}" busybox \
  sh -c 'while true; do echo "This is a log message from container B"; sleep 10; done;'

回到 Search 页面,可以看到两个容器通过 12201 端口发送的日志(graylog01);也可以按容器筛选(graylog02)。

更改graylog密码

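# Change the Graylog root password. Graylog stores only the SHA-256 of it in server.conf.
# Read the new password without echo so it is not left in the shell history or visible in `ps`
# the way `echo -n yourpassword | shasum` would be.
read -rs -p 'New Graylog root password: ' new_pw; echo
# printf, not echo -n, so no newline is hashed; cut keeps only the hex digest (shasum/sha256sum
# append "  -").
new_hash=$(printf '%s' "$new_pw" | sha256sum | cut -d' ' -f1)
# Replace the value in place, anchored on the key so nothing else in the file is touched.
sed -i "s/^root_password_sha2 = .*/root_password_sha2 = ${new_hash}/" /etc/graylog/server/server.conf
# Restart so the new hash is picked up.
systemctl restart graylog-server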

物理机安装graylog脚本

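#!/bin/bash
# Install OpenSearch 2.13.0 and Graylog 6.0.5 on EL9 from the RPMs under /opt/GrayLog_install.
# MongoDB is expected to run elsewhere (the container from the section above); the RPM-based
# MongoDB steps are kept below, commented out, for reference. Run as root.
#
# Secrets are supplied through the environment instead of being written into the script:
#   OPENSEARCH_ADMIN_PASSWORD  initial OpenSearch admin password (required). It is written into a
#                              URL and a curl config, so avoid characters that need URL-encoding
#                              or a double quote.
#   GRAYLOG_ROOT_PASSWORD      Graylog web UI root password (required; only its SHA-256 is stored).
#   GRAYLOG_PASSWORD_SECRET    Graylog password_secret; generated with openssl when unset.
# Optional:
#   OPENSEARCH_HEAP (default 4g), GRAYLOG_HEAP (default 2g)
#   OPENSEARCH_EXPOSE=1   bind OpenSearch on 0.0.0.0 and open 9200/tcp. Default is loopback only,
#                         which is all the Graylog on this host needs (it uses 127.0.0.1:9200).
#   GRAYLOG_MONGODB_URI   when set, written to mongodb_uri in server.conf.
# Re-runnable: package installs are skipped when present, config edits are anchored on the key.
set -euo pipefail

: "${OPENSEARCH_ADMIN_PASSWORD:?OPENSEARCH_ADMIN_PASSWORD must be set}"
: "${GRAYLOG_ROOT_PASSWORD:?GRAYLOG_ROOT_PASSWORD must be set}"
# password_secret is what Graylog uses to encrypt the credentials it stores; it must be unique per
# installation, so a value copied from a published example must never be reused.
GRAYLOG_PASSWORD_SECRET=${GRAYLOG_PASSWORD_SECRET:-$(openssl rand -base64 96 | tr -d '\n')}
OPENSEARCH_HEAP=${OPENSEARCH_HEAP:-4g}
GRAYLOG_HEAP=${GRAYLOG_HEAP:-2g}
OPENSEARCH_EXPOSE=${OPENSEARCH_EXPOSE:-0}
readonly install_dir=/opt/GrayLog_install
readonly os_conf=/etc/opensearch/opensearch.yml
readonly gl_conf=/etc/graylog/server/server.conf

#######################################
# Escape a value for the right-hand side of a sed s|||  expression.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout
#######################################
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

#######################################
# Set "key: value" in a YAML-style file: replaces an existing line for the key (commented out
# or not), otherwise appends one. Safe to run repeatedly.
# Arguments: $1 - file, $2 - key, $3 - value
#######################################
set_yaml_key() {
  local file=$1 key=$2 value
  value=$(sed_escape "$3")
  if grep -qE "^#?${key}:" "$file"; then
    sed -i -E "s|^#?${key}:.*|${key}: ${value}|" "$file"
  else
    printf '%s: %s\n' "$key" "$3" >> "$file"
  fi
}

#######################################
# Same as set_yaml_key for "key = value" files such as Graylog's server.conf.
# Arguments: $1 - file, $2 - key, $3 - value
#######################################
set_conf_key() {
  local file=$1 key=$2 value
  value=$(sed_escape "$3")
  if grep -qE "^#?${key} =" "$file"; then
    sed -i -E "s|^#?${key} =.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$3" >> "$file"
  fi
}

#######################################
# Open a TCP port permanently in firewalld's public zone, if firewalld is running.
# Arguments: $1 - port number
#######################################
open_port() {
  if systemctl is-active --quiet firewalld; then
    firewall-cmd --add-port="$1/tcp" --permanent --zone=public
    firewall-cmd --reload
  else
    printf 'firewalld is not running; port %s/tcp was not opened\n' "$1" >&2
  fi
}

#######################################
# curl against the local OpenSearch node. The security plugin requires the admin credentials
# even with TLS off; they are passed through a curl config on stdin (-K -) rather than -u, so
# the password does not appear in the process list.
# Arguments: remaining curl options and the URL
#######################################
curl_os() {
  curl -sS -K - "$@" <<<"user = \"admin:${OPENSEARCH_ADMIN_PASSWORD}\""
}

# Optional preparation, left as in the original notes (run by hand if needed):
#   mkdir -p /opt/GrayLog_install
#   tar -zxvf ./GrayLog6.0.5_MongoDB6.0_OpenSearch2.13.0_EL9_RPM.tar.gz -C /opt/GrayLog_install
# The original also switched SELinux to disabled (`setenforce 0` and editing
# /etc/selinux/config); prefer keeping it enforcing and handling any denial individually.
#
# MongoDB from RPM instead of the container (not used here):
#   cat > /etc/yum.repos.d/mongodb-org.repo << \EOF
#   [mongodb-org-6.0]
#   name=MongoDB Repository
#   baseurl=https://repo.mongodb.org/yum/redhat/9/mongodb-org/6.0/x86_64/
#   gpgcheck=1
#   enabled=1
#   gpgkey=https://pgp.mongodb.com/server-6.0.asc
#   EOF
#   rpm -ivh cyrus-sasl*.rpm
#   rpm -ivh mongodb*.rpm
#   systemctl daemon-reload && systemctl enable --now mongod.service
#   open_port 27017
cd "$install_dir"

# --- OpenSearch -------------------------------------------------------------
# The initial admin password is presumably only applied when the package is first installed,
# so the install is skipped if it is already present. An environment assignment (not `env`)
# keeps the password out of the argument list.
if ! rpm -q opensearch >/dev/null 2>&1; then
  OPENSEARCH_INITIAL_ADMIN_PASSWORD="$OPENSEARCH_ADMIN_PASSWORD" \
    rpm -ivh "${install_dir}/opensearch-2.13.0-linux-x64.rpm"
fi

# Data and logs live on the separate /data filesystem.
mkdir -p /data/opensearch/data /data/opensearch/logs
chown -R opensearch:opensearch /data/opensearch
sysctl -w vm.max_map_count=262144
grep -q '^vm.max_map_count=262144$' /etc/sysctl.conf \
  || echo 'vm.max_map_count=262144' >> /etc/sysctl.conf

# Keep a pristine copy of the shipped config (first run only).
[[ -e "${os_conf}_default" ]] || cp "$os_conf" "${os_conf}_default"
set_yaml_key "$os_conf" cluster.name graylog
set_yaml_key "$os_conf" node.name graylog
set_yaml_key "$os_conf" path.data /data/opensearch/data
set_yaml_key "$os_conf" path.logs /data/opensearch/logs
if [[ "$OPENSEARCH_EXPOSE" == 1 ]]; then
  set_yaml_key "$os_conf" network.host 0.0.0.0
else
  set_yaml_key "$os_conf" network.host 127.0.0.1
fi
set_yaml_key "$os_conf" discovery.type single-node
set_yaml_key "$os_conf" action.auto_create_index false
set_yaml_key "$os_conf" indices.query.bool.max_clause_count 32768
# Graylog below connects with http://, so TLS on the REST port is turned off. The security
# plugin stays enabled and every request still needs the admin credentials; with
# OPENSEARCH_EXPOSE=1 those credentials cross the network in clear text.
set_yaml_key "$os_conf" plugins.security.ssl.http.enabled false

# JVM heap; anchored on the whole -Xms/-Xmx line so re-runs do not stack replacements.
sed -i -E "s/^-Xms[0-9]+[gmGM]$/-Xms${OPENSEARCH_HEAP}/; s/^-Xmx[0-9]+[gmGM]$/-Xmx${OPENSEARCH_HEAP}/" \
  /etc/opensearch/jvm.options

systemctl daemon-reload
systemctl enable opensearch.service
systemctl restart opensearch.service
[[ "$OPENSEARCH_EXPOSE" == 1 ]] && open_port 9200

# The node takes a while to come up; without this wait the checks below fail under set -e.
for _ in {1..60}; do
  curl_os -f -o /dev/null http://127.0.0.1:9200/ && break
  sleep 5
done
curl_os -f 'http://127.0.0.1:9200/_cluster/health?pretty=true'
curl_os -f 'http://127.0.0.1:9200/_cat/nodes?v'

# --- Graylog ----------------------------------------------------------------
rpm -q graylog-server >/dev/null 2>&1 \
  || rpm -ivh "${install_dir}/graylog-server-6.0.5-1.x86_64.rpm"
[[ -e "${gl_conf}_default" ]] || cp "$gl_conf" "${gl_conf}_default"

# Graylog stores the SHA-256 of the root password; printf (not echo) so no newline is hashed,
# and cut so only the hex digest is written.
root_hash=$(printf '%s' "$GRAYLOG_ROOT_PASSWORD" | sha256sum | cut -d' ' -f1)
set_conf_key "$gl_conf" password_secret "$GRAYLOG_PASSWORD_SECRET"
set_conf_key "$gl_conf" root_password_sha2 "$root_hash"
set_conf_key "$gl_conf" root_timezone Asia/Shanghai
set_conf_key "$gl_conf" http_bind_address 0.0.0.0:9000
set_conf_key "$gl_conf" allow_highlighting true
# Same admin credentials OpenSearch was installed with. server.conf now contains a password,
# so keep it readable by the graylog user only.
set_conf_key "$gl_conf" elasticsearch_hosts "http://admin:${OPENSEARCH_ADMIN_PASSWORD}@127.0.0.1:9200"
if [[ -n "${GRAYLOG_MONGODB_URI:-}" ]]; then
  set_conf_key "$gl_conf" mongodb_uri "$GRAYLOG_MONGODB_URI"
fi

# Graylog JVM heap (GRAYLOG_SERVER_JAVA_OPTS in /etc/sysconfig/graylog-server).
sed -i -E "s/-Xms[0-9]+[gmGM] -Xmx[0-9]+[gmGM]/-Xms${GRAYLOG_HEAP} -Xmx${GRAYLOG_HEAP}/" \
  /etc/sysconfig/graylog-server

open_port 9000
systemctl daemon-reload
systemctl enable graylog-server
systemctl restart graylog-server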