Graylog2 is a log collection server. It can act as a syslog server and supports both TCP and UDP. It can also receive GELF-format logs over TCP/UDP; the format is very simple, just a JSON string. Graylog2 stores the GELF logs in ElasticSearch, writes some statistics to MongoDB, and provides a Ruby web application for searching logs and visualising the time distribution of the search results.
As for setup, the Graylog server side is the most complicated part and is not covered in detail here (to be honest, I am not very good at it either); this post summarises client installation and configuration.
Let's look at how the Graylog client is installed.
Here I used Ansible to install everything in one step; for details on using Ansible see the official documentation:
http://docs.ansible.com/ansible/
I. Client installation:
Only part of the Ansible playbook is shown here:
1. install.yml in the tasks directory:
- name: Yum Install Initialization Required Software
  yum: name=libdbi.x86_64 state=installed
  when: ansible_os_family == "RedHat"

- name: Download collector-sidecar-0.0.8-1.x86_64.rpm
  get_url: url=https://github.com/Graylog2/collector-sidecar/releases/download/0.0.8/collector-sidecar-0.0.8-1.x86_64.rpm dest=/tmp/
  when: ansible_os_family == "RedHat"

- name: Install collector-sidecar-0.0.8-1.x86_64.rpm
  yum: name=/tmp/collector-sidecar-0.0.8-1.x86_64.rpm state=present
  when: ansible_os_family == "RedHat"

- name: Download nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm
  get_url: url=https://nxlog.co/system/files/products/files/1/nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm dest=/tmp/
  when: ansible_os_family == "RedHat"

- name: Install nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm
  yum: name=/tmp/nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm state=present
  when: ansible_os_family == "RedHat"

- name: Install Graylog collector-sidecar service
  shell: graylog-collector-sidecar -service install
  when: ansible_os_family == "RedHat"
  ignore_errors: yes

- name: Change the permissions of the sidecar log directory
  file: path=/var/log/graylog owner=nxlog group=nxlog mode=0755 recurse=yes
  when: ansible_os_family == "RedHat"

- name: Start the collector-sidecar
  service: name=collector-sidecar state=restarted
  when: ansible_os_family == "RedHat"

- name: Download nxlog-ce_2.9.1716_ubuntu_1404_amd64.deb
  get_url: url=https://nxlog.co/system/files/products/files/1/nxlog-ce_2.9.1716_ubuntu_1404_amd64.deb dest=/tmp/
  when: ansible_os_family == "Debian"

- name: Install nxlog-ce_2.9.1716_ubuntu_1404_amd64.deb
  apt: deb=/tmp/nxlog-ce_2.9.1716_ubuntu_1404_amd64.deb
  when: ansible_os_family == "Debian"

- name: Download collector-sidecar_0.0.8-1_amd64.deb
  get_url: url=https://github.com/Graylog2/collector-sidecar/releases/download/0.0.8/collector-sidecar_0.0.8-1_amd64.deb dest=/tmp/
  when: ansible_os_family == "Debian"

- name: Install collector-sidecar_0.0.8-1_amd64.deb
  apt: deb=/tmp/collector-sidecar_0.0.8-1_amd64.deb
  when: ansible_os_family == "Debian"

- name: Copy the collector-sidecar configuration file to the client
  template: src=collector_sidecar.yml dest=/etc/graylog/collector-sidecar/collector_sidecar.yml owner=root group=root mode=0644
  when: ansible_os_family == "Debian"

- name: Install Graylog collector-sidecar service
  shell: graylog-collector-sidecar -service install
  when: ansible_os_family == "Debian"
  ignore_errors: yes

- name: Change user and group of /var/spool/collector-sidecar/
  file: path=/var/spool/collector-sidecar/ owner=nxlog group=nxlog mode=0755 recurse=yes
  when: ansible_os_family == "Debian"

- name: Change user and group of /var/run/graylog
  file: path=/var/run/graylog owner=nxlog group=nxlog mode=0755 recurse=yes
  when: ansible_os_family == "Debian"

- name: Start the collector-sidecar
  service: name=collector-sidecar state=restarted
  when: ansible_os_family == "Debian"
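The download tasks above fetch the .rpm and .deb packages with no integrity check, so whatever the download host (or anything in the path to it) serves is what yum or apt installs. As an added example that is not part of the original playbook, the RedHat download and install steps rewritten with get_url's checksum parameter, which makes the play fail before installation if the file's SHA-256 does not match the pinned value. The digests shown are placeholders, not real values; record them from release artefacts you have verified.

```yaml
# Added example, not part of the original playbook: RedHat download and
# install steps with each package's SHA-256 pinned. get_url fails the play
# when the downloaded file's digest differs, so a substituted or corrupted
# package is never handed to yum.
# The <...> digests are placeholders; replace them with the real SHA-256 of
# the verified release files and keep them in version control with the playbook.
- name: Download collector-sidecar-0.0.8-1.x86_64.rpm (checksum pinned)
  get_url:
    url: https://github.com/Graylog2/collector-sidecar/releases/download/0.0.8/collector-sidecar-0.0.8-1.x86_64.rpm
    dest: /tmp/collector-sidecar-0.0.8-1.x86_64.rpm
    checksum: "sha256:<SHA256_OF_COLLECTOR_SIDECAR_RPM>"
    mode: 0644
  when: ansible_os_family == "RedHat"

- name: Download nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm (checksum pinned)
  get_url:
    url: https://nxlog.co/system/files/products/files/1/nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm
    dest: /tmp/nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm
    checksum: "sha256:<SHA256_OF_NXLOG_RPM>"
    mode: 0644
  when: ansible_os_family == "RedHat"

# Reached only if both downloads above passed their checksum check.
- name: Install the verified packages
  yum: name={{ item }} state=present
  with_items:
    - /tmp/collector-sidecar-0.0.8-1.x86_64.rpm
    - /tmp/nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm
  when: ansible_os_family == "RedHat"
```

The same checksum parameter applies unchanged to the Debian get_url tasks for the .deb files.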
2. The Graylog client configuration file (a template; the {{ }} values are filled in by the template task above):
server_url: {{ server_url }}      # IP and port of the Graylog server API; the default port is 12900
tls_skip_verify: false
node_id: {{ node_id }}            # node_id identifies the machine group
collector_id: file:/etc/graylog/collector-sidecar/collector-id
tags: {{ tags }}                  # tags identify the individual machines
log_path: /var/log/graylog/collector-sidecar
update_interval: 10
log_rotation_time: 6000
log_max_age: 12000
backends:
    - name: nxlog
      enabled: true
      binary_path: /usr/bin/nxlog
      configuration_path: /etc/graylog/collector-sidecar/generated/nxlog.conf
Note: take note of the paths defined in this configuration file; when something goes wrong, look for the logs at the paths defined here to troubleshoot.
II. Web-side configuration:
1. Create a new configuration under https://ip/system/collectors/configurations/. The tags must match those in the client configuration file; node_id (i.e. the name) is picked up automatically from the client configuration file (/etc/graylog/collector-sidecar/collector_sidecar.yml).
2. In the newly created configuration, create the input, output and snippet.
Notes:
a. The port in the output is not the same as Graylog's listening port; this port is used for transferring the data, so make sure it is open.
b. The input mainly specifies the paths of the logs to be imported; these paths must be correct and readable.
c. The key part of the snippet is the client module directory ("Moduledir /usr/libexec/nxlog/modules"), which must be changed to match the actual path on the client.
III. Troubleshooting:
1. Use 'graylog-collector-sidecar -c /etc/graylog/collector-sidecar/collector_sidecar.yml' to check that the collector-sidecar configuration file is correct, and look at '/var/log/collector-sidecar.err' or '/var/log/messages' for the error details.
2. Use 'nxlog -v -f /etc/graylog/collector-sidecar/generated/nxlog.conf' to check that the nxlog configuration file is correct; the corresponding log file is '/var/log/graylog/collector-sidecar/nxlog.log'.