GrayLog2 安裝 (Minimual Setup)
環(huán)境依賴
Graylog 服務(wù)端需要一下環(huán)境依賴:
- Linux 發(fā)行版(如Debian、Ubuntu、或推薦使用的CentOS)
- Elasticsearch 2.x (2.1.0 or later)
- MongoDB 2.4 or later (latest stable version is recommended)
- Oracle Java SE 8 or later (OpenJDK 8 also works; latest stable update is recommended)
CentOS 下安裝過程
安裝JDK8
cd /home/softs/
wget -c "http://download.oracle.com/otn-pub/java/jdk/8u121-b13/e9e7ea248e2c4826b92b3f075a80e441/jdk-8u121-linux-x64.tar.gz?AuthParam=1487831297_bd124edadc029398ed5347c882674f19" -O jdk-8u121-linux-x64.tar.gz
tar xf jdk-8u121-linux-x64.tar.gz -C /usr/local/
echo -e "export JAVA_HOME=/usr/local/jdk1.8.0_121\nexport JRE_HOME=/usr/local/jdk1.8.0_121/jre\nexport CLASSPATH=.:\$JAVA_HOME/lib:\$JRE_HOME/lib\nexport PATH=\$PATH:$JAVA_HOME/bin" >> /etc/profile
MongoDB 安裝
- 添加mongodb源
cat>/etc/yum.repos.d/mongodb-org-3.4.repo<<EOF
[mongodb-org-3.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.4.asc
EOF
* `yum makecache`
* `yum install mongodb-org -y`
* 修改配置/etc/mongod.conf `dbPath: /storage/mongo`
* 服務(wù)管理
systemctl enable mongod.service
systemctl start mongod.service
### [Elasticsearch 安裝](https://www.elastic.co/guide/en/elasticsearch/reference/2.4/setup-repositories.html#_yum_dnf)
* 導(dǎo)入GPG Key要尔,并添加Elastic源
```shell
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
cat>/etc/yum.repos.d/elastic-2.x.repo<<EOF
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
EOF
yum makecache
yum install elasticsearch -y
- 修改配置/etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
path.data: /storage/elasticsearch/data
path.logs: /storage/elasticsearch/logs
* 啟動時報錯` elasticsearch: Could not find any executable java binary. Please install java in your PATH or set JAVA_HOME`
通過配置服務(wù)啟動時環(huán)境變量解決婉宰,修改 /etc/sysconfig/elasticsearch,添加JAVA_HOME變量: `JAVA_HOME=/usr/local/jdk1.8.0_121`
* 添加到服務(wù)管理
chkconfig --add elasticsearch
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch.service
### Graylog
* 添加官方源
`rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.2-repository_latest.rpm`
* 安裝
`yum makecache`
`yum install graylog-server`
* 安裝pwgen拌夏、perl-Digest-SHA僧著,用來生成密碼
`yum install pwgen perl-Digest-SHA -y`
* 配置文件 `/etc/graylog/server/server.conf`
is_master = true
node_id_file = /etc/graylog/server/node-id
命令生成 password_secret:pwgen -N 1 -s 96
password_secret = blwVhWyYQhf5zl3UBcLnxfXhoXVSxkSB7hH6ndUJzdQS2HOzlpnstp0slm0F4rekhuKcrVPSBLcuBEXvluL67dQEtNJvbUwv
生成加密密碼 root_password_sha2: echo -n yourpassword | shasum -a 256
root_password_sha2 = 8670fc6414ede6766e9bdb469f9661d4bccd80ac2ed8197f0857b407320c8a8e
root_email = "your@example.com"
root_timezone = Asia/Shanghai
plugin_dir = /usr/share/graylog-server/plugin
配置rest api的URI
rest_listen_uri = http://127.0.0.1:9000/api/
配置web 界面的URI
web_listen_uri = http://127.0.0.1:9000/
配置 elasticsearch 配置文件路徑
elasticsearch_config_file = /etc/elasticsearch/elasticsearch.yml
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32
* 服務(wù)管理
chkconfig --add graylog-server
systemctl daemon-reload
systemctl start graylog-server
systemctl enable graylog-server
* 又見java報錯`graylog-server: /usr/share/graylog-server/bin/graylog-server: line 19: /usr/bin/java: No such file or directory`
修改 `/etc/sysconfig/graylog-server`配置: `JAVA=/usr/local/jdk1.8.0_121/bin/java`,解決
* 找不到elasticsearch.yml配置文件報錯:`Cannot read file elasticsearch_config_file at path /etc/elasticsearch/elasticsearch.yml`
路徑是正確的,應(yīng)該是權(quán)限問題障簿,將graylog用戶加到elasticsearch用戶組中`usermod -aG elasticsearch graylog`,解決
### nginx 反向代理配置
* 配置文件 ssl+http2
server
{
listen 443 ssl http2;
server_name your.example.com;
ssl on;
ssl_certificate path-to-your.pem;
ssl_certificate_key path-to-your.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!DH';
ssl_prefer_server_ciphers on;
location /
{
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Graylog-Server-URL https://your.example.com/api;
proxy_pass http://127.0.0.1:9000;
}
}