Graylog2 是一个日志收集服务器,可以当做 syslog 服务器使,支持 TCP、UDP 协议。另外也支持以 TCP/UDP 方式接收 GELF 格式的日志,这个格式很简单,就是一个 JSON 字符串。Graylog2 把 GELF 格式的日志存入 ElasticSearch 中,另外往 MongoDB 里写入一些统计信息,伊提供了一个 Ruby 写的 Web 应用,可以搜索日志并可视化的显示搜索结果的时间分布。


说道搭建,graylog的服务端才是最复杂的,在此不加详述(其实我也不太会),这里就总结一下客户端的安装和配置。


下面就来看看graylog如何安装。


在这里,笔者用的ansible工具一键安装,具体的ansible用法可以参考官方文档

http://docs.ansible.com/ansible/


一、客户端安装:


这里只给出部分ansible脚本:


1、tasks 目录下的install.yml:


- name: Yum Install Initializtion Require Software

  yum: name=libdbi.x86_64 state=installed

  when: ansible_os_family == "RedHat"


- name: Download collector-sidecar_0.0.8-1_amd64.rpm

  get_url: url=https://github.com/Graylog2/collector-sidecar/releases/download/0.0.8/collector-sidecar-0.0.8-1.x86_64.rpm dest=/tmp/

  when: ansible_os_family == "RedHat"


- name: Install collector-sidecar_0.0.8-1_amd64.rpm

  yum: name=/tmp/collector-sidecar-0.0.8-1.x86_64.rpm state=present

  when: ansible_os_family == "RedHat"


- name: Download nxlog-ce_2.9.1716_ubuntu_1404_amd64.rpm

  get_url: url=https://nxlog.co/system/files/products/files/1/nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm dest=/tmp/

  when: ansible_os_family == "RedHat"


- name: Install nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm

  yum: name=/tmp/nxlog-ce-2.9.1716-1_rhel6.x86_64.rpm state=present

  when: ansible_os_family == "RedHat"


- name: Install Graylog-collector-sidecat-service

  shell: graylog-collector-sidecar -service install

  when: ansible_os_family == "RedHat"

  ignore_errors: yes


- name: Change the Limits Of Authority

  file: path=/var/log/graylog owner=nxlog group=nxlog mode=0755 recurse=yes

  when: ansible_os_family == "RedHat"


- name: Start The Collector-sidecat 

  service: name=collector-sidecar state=restarted

  when: ansible_os_family == "RedHat"



- name: Download nxlog-ce_2.9.1716_ubuntu_1404_amd64.deb

  get_url: url=https://nxlog.co/system/files/products/files/1/nxlog-ce_2.9.1716_ubuntu_1404_amd64.deb dest=/tmp/

  when: ansible_os_family == "Debian"


- name: Install nxlog-ce_2.9.1716_ubuntu_1404_amd64.deb

  apt: deb=/tmp/nxlog-ce_2.9.1716_ubuntu_1404_amd64.deb

  when: ansible_os_family == "Debian"


- name: Download collector-sidecar_0.0.8-1_amd64.deb

  get_url: url=https://github.com/Graylog2/collector-sidecar/releases/download/0.0.8/collector-sidecar_0.0.8-1_amd64.deb dest=/tmp/

  when: ansible_os_family == "Debian"


- name: Install collector-sidecar_0.0.8-1_amd64.deb

  apt: deb=/tmp/collector-sidecar_0.0.8-1_amd64.deb

  when: ansible_os_family == "Debian"


- name: Copy Collector_sidercat Configure file Client

  template: src=collector_sidecar.yml dest=/etc/graylog/collector-sidecar/collector_sidecar.yml owner=root group=root mode=0644

  when: ansible_os_family == "Debian"


- name: Install Graylog-collector-sidecat-service

  shell: graylog-collector-sidecar -service install

  when: ansible_os_family == "Debian"

  ignore_errors: yes


- name: Change user and group of /var/spool/collector-sidecar/ 

  file: path=/var/spool/collector-sidecar/ owner=nxlog group=nxlog mode=0755 recurse=yes

  when: ansible_os_family == "Debian"


- name: Change user and group of /var/run/graylog

  file: path=/var/run/graylog owner=nxlog group=nxlog mode=0755 recurse=yes

  when: ansible_os_family == "Debian"


- name: Start The Collector-sidecat

  service: name=collector-sidecar state=restarted

  when: ansible_os_family == "Debian"


2、graylog客户端的配置文件:


server_url: ` server_url `      //graylog客户端的ip与端口,默认端口为12900

tls_skip_verify: false

node_id: ` node_id `          //通过node_id来识别不同的机器组

collector_id: file:/etc/graylog/collector-sidecar/collector-id

tags: ` tags `                       //通过tags来识别不同的机器 

log_path: /var/log/graylog/collector-sidecar

update_interval: 10

log_rotation_time: 6000

log_max_age: 12000

backends:

  - name: nxlog

    enabled: true

    binary_path: /usr/bin/nxlog

    configuration_path: /etc/graylog/collector-sidecar/generated/nxlog.conf (edited)


注意:定义的配置文件的路径,有错时需要在配置文件中寻找日志进行排查



二、web端配置:


1、在https://ip/system/collectors/configurations/下创建一个新的配置文件,其中tags要和配置文件中的保持一致,node_id(即name)会自动获取配置文件(/etc/graylog/collector-sidecar/collector_sidecar.yml)中的内容


2、在新创建的配置文件中,create input output 以及 snippet。


注意:

a、output 中的端口与graylog的监听端口不一样,这个端口是用来进行数据传输的,要保证这个端口是开启的。


b、input 中主要是要导入的日志路径,这个日志路径一定要正确,并且具有读权限。


c、snippet 中最关键的是定义的客户端的模块路径(“Moduledir /usr/libexec/nxlog/modules”),需要根据客户端的实际路径来修改。



三、排错方法:


1、使用‘graylog-collector-sidecar -c /etc/graylog/collector-sidecar/collector_sidecar.yml’校验collector-sidecar配置文件是否正确,并查看‘/var/log/collector-sidecar.err'或者'/var/log/messages'来获取错误详情。


2、使用‘nxlog -v -f /etc/graylog/collector-sidecar/generated/nxlog.conf’来查看nxlog配置文件是否正确,对应的日志文件为'/var/log/graylog/collector-sidercar/nxlog.log'。