2024-04-06

graylog最小化部署

前言

入职新公司，领导听说我以前做过日志系统，就让我研究一下graylog。这一研究，发现我以前做的日志系统的功能，开源的graylog都能实现。

接下来这篇文章会介绍graylog的最小化部署，实现对日志文件的采集、存储与查询。

环境准备

本次部署需要以下环境

docker-compose

部署

本次部署的graylog包含4个组件:graylog，mongodb，elasticsearch和filebeat。mongodb负责存储graylog的业务数据，elasticsearch存储采集过来的日志，graylog负责管理，查询与展示，filebeat负责采集日志。

部署graylog，mongo与elasticsearch

新建docker-compose.yml文件，输入内容如下

version: '3'
services:
  mongodb:
    image: mongo:6.0.14
    networks:
      - graylog

  elasticsearch:
    image: elasticsearch:7.17.19
    environment:
      - "discovery.type=single-node"
    restart: "on-failure"
    ports:
      - 9200:9200
      - 9300:9300
    networks:
        - graylog

  graylog:
    image: graylog/graylog:5.2
    environment:
    - GRAYLOG_NODE_ID_FILE=/usr/share/graylog/data/config/node-id
    - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000
    - GRAYLOG_ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    - GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog
    # CHANGE ME (must be at least 16 characters)!
    - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
    # Password: admin
    - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
    - GRAYLOG_HTTP_EXTERNAL_URI=http://127.0.0.1:9000/
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh
    networks:
      - graylog
    restart: always
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 1514:1514
      # Beats
      - 5044:5044
      # Syslog UDP
      - 1514:1514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
networks:
  graylog:
    driver: bridge

docker-compose up -d启动

启动成功后可用在 http://127.0.0.1:9200 访问graylog，登陆用户：admin，密码：admin。

创建input

input用于接受日志采集输入。

点击System->Inputs，下拉input列表，选择Beats点击Launch new input

由于本次部署是测试最小化部署，会取消配置TLS private key file (optional)与TLS key password (optional).

部署filebeat

下载

1 2	curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.13.1-darwin-x86_64.tar.gz tar xzvf filebeat-8.13.1-darwin-x86_64.tar.gz

配置

编辑filebeat.yml

filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: true
  # 要采集的文件
  paths:
    - /Users/xiangpan/dev/gopath/src/awesomeProject/nohup.out
output.logstash:
  # 发生到哪里去，这是我们之前在graylog里配置的input
  hosts: ["localhost:5044"]
  preset: balanced

启动

1	./filebeat

结果

最终在search里就能看到采集来的日志。

Hello World

Welcome to Hexo! This is your very first post. Check documentation for more info. If you get any problems when using Hexo, you can find the answer in troubleshooting or you can ask me on GitHub.

Quick Start

Create a new post

1	$ hexo new "My New Post"

More info: Writing

Run server

1	$ hexo server

More info: Server

Generate static files

1	$ hexo generate

More info: Generating

Deploy to remote sites

1	$ hexo deploy

More info: Deployment

前言