基本上有3種方式,
1 yum安裝
2 rpm安裝
3 docker安裝html
yum安裝,參照官方文檔是最好的:
http://docs.graylog.org/en/3.0/pages/installation/os/centos.html
#沒有安裝jdk,則先安裝jdk:
$ sudo yum install java-1.8.0-openjdk-headless.x86_64
#安裝MongoDB
#修改yum源 /etc/yum.repos.d/mongodb-org.repo
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
sudo yum install mongodb-org
$ sudo chkconfig --add mongod
$ sudo systemctl daemon-reload
$ sudo systemctl enable mongod.service
$ sudo systemctl start mongod.service
#安裝ES
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
#修改yum源 /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
#安裝
sudo yum install elasticsearch-oss
#配置 /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
action.auto_create_index: false
#啓動
$ sudo chkconfig --add elasticsearch
$ sudo systemctl daemon-reload
$ sudo systemctl enable elasticsearch.service
$ sudo systemctl restart elasticsearch.service
#安裝Graylog 服務器
$ sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.0-repository_latest.rpm
$ sudo yum install graylog-server
#配置,安裝好以後須要修改配置,/etc/graylog/server/server.conf 添加: password_secret、root_password_sha2
# root_password_sha2 經過下面的命令生成, 其中輸入的密碼就是admin的密碼,也就是登陸時候的密碼
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
# Generate one by using for example: pwgen -N 1 -s 96
# password_secret 是能夠隨便寫的,可是要求長度64位,能夠經過pwgen 來生成。可是安裝pwgen,pwgen須要安裝。比較麻煩。
# 參照網上博客,執行 wget http://sourceforge.net/projects/pwgen,能夠下載,發現沒法解壓,執行tar zxvf pwgen,報錯說不是正確格式。
# 因而繼續嘗試經過 yum。 直接 yum install pwgen是不行的。須要先執行 yum install epel-release 而後 yum install pwgen。 不知道爲何 須要 epel-release
有些值是可使用默認值的,有些不行。特別是須要設置 ip。 也就是 http_bind_address, 是毫不能使用默認值的, 我開始使用默認值,死活不能經過宿主機訪問,改成實際ip就行了。 另外 http_publish_uri 默認是 http_bind_address, 是不須要設置的。可是若是設置則須要設置正確。 elasticsearch_hosts 可使用默認值:elasticsearch_hosts = http://127.0.0.1:9200; mongodb_uri 也是。Email transport 什麼的能夠先無論。 後面有須要再改。
#啓動。
$ sudo chkconfig --add graylog-server
$ sudo systemctl daemon-reload
$ sudo systemctl enable graylog-server.service
$ sudo systemctl start graylog-server.service
啓動好了後, 能夠grep一下mongo,elasticsearch,graylog。 特別須要注意的是, 配置graylog的時候, publish_url 須要一個實際的ip,而不能是 127.0.0.1 。
java
Docker安裝的話,其實更簡單。
yum install docker
systemctl start docker
cat /etc/docker/daemon.json
{
"registry-mirrors": ["http://hub-mirror.c.163.com"]
}
準備一個文件 docker-compose.yml ,放/opt 目錄下
version: '2'
services:
# MongoDB: https://hub.docker.com/_/mongo/
mongodb:
image: mongo:3
# Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/6.6/docker.html
elasticsearch:
image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.6.1
environment:
- http.host=0.0.0.0
- transport.host=localhost
- network.host=0.0.0.0
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
ulimits:
memlock:
soft: -1
hard: -1
mem_limit: 1g
# Graylog: https://hub.docker.com/r/graylog/graylog/
graylog:
image: graylog/graylog:3.0
environment:
# CHANGE ME (must be at least 16 characters)!
- GRAYLOG_PASSWORD_SECRET=somepasswordpepper
# Password: admin
- GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
- GRAYLOG_HTTP_EXTERNAL_URI=http://127.0.0.1:9000/ ## 須要修改
links:
- mongodb:mongo
- elasticsearch
depends_on:
- mongodb
- elasticsearch
ports:
# Graylog web interface and REST API
- 9000:9000
# Syslog TCP
- 1514:1514
# Syslog UDP
- 1514:1514/udp
# GELF TCP
- 12201:12201
# GELF UDP
- 12201:12201/udp
而後 docker-compose up 就行了!
特別須要注意的是,上面的 GRAYLOG_HTTP_EXTERNAL_URI 須要一個實際的ip, 不然其餘機器是沒法訪問的!會出現上面狀況呢? 就是其餘機器能夠Telnet graylog, 可是web訪問顯示一片空白。
經過curl 獲得下面的結果:
# curl http://192.168.11.183:9000
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="robots" content="noindex, nofollow">
<meta charset="UTF-8">
<title>Graylog Web Interface</title>
<link rel="shortcut icon" href="http://127.0.0.1:9000/assets/favicon.png">
</head>
<body>
<script src="http://127.0.0.1:9000/config.js"></script>
<script src="http://127.0.0.1:9000/assets/vendor.4024e2a8db732781a971.js"></script>
<script src="http://127.0.0.1:9000/assets/polyfill.a5e2fb591e8fd54ee4ef.js"></script>
<script src="http://127.0.0.1:9000/assets/builtins.a5e2fb591e8fd54ee4ef.js"></script>
<script src="http://127.0.0.1:9000/assets/plugin/org.graylog.plugins.threatintel.ThreatIntelPlugin/plugin.org.graylog.plugins.threatintel.ThreatIntelPlugin.b864ba54b438ac0bdc48.js"></script>
<script src="http://127.0.0.1:9000/assets/plugin/org.graylog.plugins.collector.CollectorPlugin/plugin.org.graylog.plugins.collector.CollectorPlugin.bcc87290018e859a8a9e.js"></script>
<script src="http://127.0.0.1:9000/assets/plugin/org.graylog.aws.AWSPlugin/plugin.org.graylog.aws.AWSPlugin.8ae7cb13983ce33eeb5b.js"></script>
<script src="http://127.0.0.1:9000/assets/app.a5e2fb591e8fd54ee4ef.js"></script>
</body>
</html>
開始沒有發現問題,後面才知道 上面的html所有都是經過 js動態加載的, 其中的 script src="http://127.0.0.1:9000/ 其實就是一個問題的根由。 很明顯上面的src 是 本地的,是其餘機器沒法正常訪問的!
改了以後,再觀察,就正常了!(注意下面的src )
# curl http://192.168.11.183:9000
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="robots" content="noindex, nofollow">
<meta charset="UTF-8">
<title>Graylog Web Interface</title>
<link rel="shortcut icon" href="http://192.168.11.127:9000/assets/favicon.png">
</head>
<body>
<script src="http://192.168.11.127:9000/config.js"></script>
<script src="http://192.168.11.127:9000/assets/vendor.4024e2a8db732781a971.js"></script>
<script src="http://192.168.11.127:9000/assets/polyfill.a5e2fb591e8fd54ee4ef.js"></script>
<script src="http://192.168.11.127:9000/assets/builtins.a5e2fb591e8fd54ee4ef.js"></script>
<script src="http://192.168.11.127:9000/assets/plugin/org.graylog.plugins.threatintel.ThreatIntelPlugin/plugin.org.graylog.plugins.threatintel.ThreatIntelPlugin.b864ba54b438ac0bdc48.js"></script>
<script src="http://192.168.11.127:9000/assets/plugin/org.graylog.plugins.collector.CollectorPlugin/plugin.org.graylog.plugins.collector.CollectorPlugin.bcc87290018e859a8a9e.js"></script>
<script src="http://192.168.11.127:9000/assets/plugin/org.graylog.aws.AWSPlugin/plugin.org.graylog.aws.AWSPlugin.8ae7cb13983ce33eeb5b.js"></script>
<script src="http://192.168.11.127:9000/assets/app.a5e2fb591e8fd54ee4ef.js"></script>
</body>
</html>
實際上,9000 能夠訪問,可是web顯示一片空白, 其實能夠經過F12 觀察到的。 F12 看到不少的500 404, 那就是在 強烈指明是 服務端的問題了!!
graylog 的9000 web界面能夠訪問了,可是如今還看不到日誌。而後java 也須要配置一下,這個很容易,logback增長一個GELF就行了。不過仍是不行的,graylog 還須要手動配置input。 這一點上,和ELK是很大不一樣的! 剛開始接觸的時候就一直卡在了這裏,真是坑。es6
配置GELF的時候,注意旋轉 GELF TCP或者GELF UDP,我開始的時候想固然的認爲java web,而後http,而後選擇了HTTP,結果不行,後面才明白是端口問題。graylog是默認開啓了 12201 的tcp和udp端口 。web
graylog的使用實際上是很簡單的,通過前面的簡單配置,graylog已經能夠正式使用了。不一樣於ELK, ELK配置logstash的grok 要折騰死不少腦細胞。
界面方便跟elk差很少,可是明顯,易用多了!mongodb
若是 點開Search界面看不到任何的日誌,要麼就是沒有配置input,要麼就是時間不對,要麼就是沒有日誌進來。docker
一些注意事項:json
The search syntax is very close to the Lucene syntax. By default all message fields are included in the search if you don’t specify a message field to search in.
es6以後,
Elasticsearch 2.x and 5.x split queries on whitespace, so the query type:(ssh login) was equivalent to type:(ssh OR login). This is no longer the case in Elasticsearch 6.0 and you must now include an OR operator between each term.
—— 我在kibana中測試,好像不是這樣的。。
Elasticsearch 2.x allows to use _missing_:type instead of NOT _exists_:type. This query syntax has been removed in Elasticsearch 5.0.
多個field之間,能夠不用加AND OR,直接空格就好, 默認是OR?
Note that AND, OR, and NOT are case sensitive and must be typed in all upper-case. 必須全大寫
—— 若是想查詢包含and 關鍵字的呢?
Note that leading wildcards are disabled to avoid excessive memory consumption! You can enable them in your Graylog configuration file:
allow_leading_wildcard_searches = true
allow_leading_wildcard_searches 默認是false !
Numeric fields support range queries. Ranges in square brackets are inclusive, curly brackets are exclusive and can even be combined:
數字類型field支持range查詢
Escaping 轉義!
The following characters must be escaped with a backslash:
&& || : \ / + - ! ( ) { } [ ] ^ " ~ * ?
示例:
level_name:ERROR —————— 這裏的ERROR 是不能變形的,也就是說不能小寫,不能大小寫混合! 這點和kibana不一樣,估計是由於graylog中level_name是enum類型?
參考:
https://www.jianshu.com/p/97fcb10c3556
https://www.cnblogs.com/yuhuLin/p/7018858.html
https://blog.csdn.net/dongshaoshuai/article/details/54583668
https://blog.csdn.net/weixin_41004350/article/details/87253316
centos