Graylog2 usage guide (Docker)

Uploaded 2018-07-24 10:07:43, 673KB PDF
by yangzhi, 7/19/2018

## What is Graylog

Graylog is an easy-to-use, fairly complete log management tool. Compared with the ELK stack, its advantages are:

- simple to deploy and maintain
- a query syntax that is easy to read and understand (compare the ES syntax...)
- simple built-in alerting
- search results can be exported as JSON
- simple aggregation and statistics
- a fairly friendly UI
- of course, its extensibility is far weaker than ELK's.

The full set of dependencies:

- Graylog: provides the externally facing Graylog interface
- Elasticsearch: persistent storage and retrieval of the log data
- MongoDB: only stores some Graylog configuration

## Installation

> Bare-metal or Docker installation is possible; Docker is used here.

Environment requirements:

- CentOS 7.4
- 2 CPUs, 2 GB RAM

Reference: https://hub.docker.com/r/graylog2/graylog/

### Environment preparation

```
mkdir /root/graylog && cd /root/graylog
# mount directories
mkdir -p mongo_data graylog_journal es_data
# configuration file directory
mkdir -p ./graylog/config
cd ./graylog/config
wget https://raw.githubusercontent.com/Graylog2/graylog-docker/3.0/config/graylog.conf
wget https://raw.githubusercontent.com/Graylog2/graylog-docker/3.0/config/log4j2.xml
# pull the images in advance
docker pull mongo:3
docker pull graylog/graylog:3.0
docker pull elasticsearch:5.6.9
```

### docker-compose.yml

```
version: '2'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongo:
    image: mongo:3
    volumes:
      - ./mongo_data:/data/db
      - /etc/localtime:/etc/localtime
  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/5.5/docker.html
  elasticsearch:
    image: elasticsearch:5.6.9
    volumes:
      - ./es_data:/usr/share/elasticsearch/data
      - /etc/localtime:/etc/localtime
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      # Disable X-Pack security: https://www.elastic.co/guide/en/elasticsearch/reference/5.5/security-settings.html#general-security-settings
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:3.0
    volumes:
      - ./graylog_journal:/usr/share/graylog/data/journal
      - ./graylog/config:/usr/share/graylog/data/config
      - /etc/localtime:/etc/localtime
    environment:
      # CHANGE ME! (Graylog refuses to start unless password_secret is at least 16 characters)
      - GRAYLOG_PASSWORD_SECRET=somepassword
      # (the preview skips a page here; the remaining environment entries are not shown)
    ports:
      # Syslog UDP
      - 514:514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
      # GELF HTTP
      - 12202:12202
```

### Start

```
docker-compose -f docker-compose.yml up -d
```

Open the web interface at http://10.121.60.2:9000/ and log in as admin / admin.

### Change the configuration

- Email settings (required for alerting), in graylog.conf:

```
transport_email_enabled = true
transport_email_hostname = smtp.163.com
transport_email_port = 994
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = true
transport_email_auth_username = 17191093767@163.com
transport_email_auth_password = zhim123456
transport_email_subject_prefix = [graylog]
transport_email_from_email = 17191093767@163.com
transport_email_web_interface_url = http://10.121.60.2:9000
```

## Usage

### Configuration: adding Inputs

The kinds of data a Graylog node can accept are called Inputs; the common ones are GELF TCP, GELF UDP and GELF HTTP.

Note: GELF TCP and GELF UDP can share one port; HTTP needs a separate port (the reason is not explained here).

- Add three inputs (steps omitted): TCP and UDP use the default port 12201, HTTP uses port 12202.

### Verification

```
# udp
echo -n '{"version":"1.1","host":"example.org","short_message":"A short message with udp","level":1,"_some_info":"foo","tag":"test11"}' | nc -w 1 -u 10.121.60.2 12201
# tcp (GELF over TCP is NUL-delimited, hence the trailing \0)
echo -n -e '{"version":"1.1","host":"example.org","short_message":"A short message with tcp","level":1,"_some_info":"foo"}'"\0" | nc -w 1 10.121.60.2 12201
# http
curl -X POST -H 'Content-Type: application/json' -d '{"version":"1.1","host":"example.org","short_message":"A short message with http","level":5,"_some_info":"foo"}' 'http://10.121.60.2:12202/gelf'
```

### Sending Docker logs to Graylog

```
docker run --log-driver=gelf --log-opt gelf-address=udp://10.121.60.2:12201 \
  --log-opt tag=test1 -v /etc/localtime:/etc/localtime -it nginx /bin/bash
```

In docker-compose.yaml:

```
services:
  mongo:
    logging:
      driver: gelf
      options:
        gelf-address: "udp://10.121.60.2:12201"
        tag: mongo
    volumes:
      - /etc/localtime:/etc/localtime
```

### Sending Java logs directly to Graylog

Using logback with the logback-gelf appender (`me.moocar.logbackgelf`):

```
<appender name="gelf" class="me.moocar.logbackgelf.GelfUDPAppender">
  <remoteHost>10.121.60.2</remoteHost>
  <port>12201</port>
  <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
    <layout class="me.moocar.logbackgelf.GelfLayout">
      <!-- An example of overwriting the short message pattern -->
      <shortMessageLayout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%ex{short}%.100m</pattern>
      </shortMessageLayout>
      <!-- Full message layout. Any layout can be used here; a PatternLayout is used in this guide -->
      <fullMessageLayout class="ch.qos.logback.classic.PatternLayout">
        <pattern>%d{MM-dd HH:mm:ss.SSS} [%thread] %-5level \(%F:%L\) %msg%n</pattern>
      </fullMessageLayout>
      <useLoggerName>true</useLoggerName>
      <useThreadName>true</useThreadName>
      <useMarker>true</useMarker>
      <includeFullMDC>true</includeFullMDC>
      <fieldType>requestId:long</fieldType>
      <!-- Facility is not officially supported in GELF anymore, but you can use staticFields to do the same thing -->
      <staticField class="me.moocar.logbackgelf.Field">
        <key>tag</key>
        <value>business-server</value>
      </staticField>
    </layout>
  </encoder>
</appender>
<root>
  <level value="info"/>
  <appender-ref ref="gelf"/>
</root>
```

## Using the system

### Menu overview

- Search: the log query panel.

  [Screenshot: Graylog Search page with time range selector, histogram and message list]

- Streams: log messages are routed into streams by field-based rules; the default stream is "All messages".

  [Screenshot: Streams page listing "All messages" and several custom streams]

- Alerts: choose a stream, define the alert condition and the notification method; when messages in that stream match the condition, an alert is raised and the notification is sent.

  [Screenshot: Alerts overview, currently with no unresolved alerts]

- Dashboards: graphical panels.

  [Screenshot: Dashboards page]

- Sources: the hosts the messages (and therefore the alerts) come from.

  [Screenshot: Sources page with messages per minute and messages per source]

- System: system configuration.

  [Screenshot: System overview page with system jobs, cluster, inputs, outputs, content packs, grok patterns, lookup tables, pipelines and collectors]

### Query examples

See the official documentation. Keywords are case-insensitive.

- A single keyword: `ssh`
- Several keywords, matching messages that contain ssh or login: `ssh login`
- A specific string: `"ssh login"`
- Several keywords that must all be present: `opening index AND db`
- By field value: `tag:couchdb.peero.org.ygsoft.com`
- Several tag values, where a record matches if any one of them is present: `tag:(orderer.ygsoft.com couchdb.peero.org.ygsoft.com)` or `tag:orderer.ygsoft.com couchdb.peero.org.ygsoft.com`
- Exact field match: `tag:"ssh login"`
- Records that have a field: `_exists_:tag`
- Records that lack a field: `NOT _exists_:tag`
- AND / OR: `"ssh login" AND source:example.org`, `("ssh login" AND (source:example.org OR source:another.example.org)) OR _exists_:always_find_me`
- NOT: `"ssh login" AND NOT source:example.org`, `NOT example.org`

Note: AND, OR and NOT must be written in upper case.

- Wildcards: `?` matches a single character, `*` matches zero or more characters: `source:*.org`, `source:exam?le.org`, `source:exam?le*`

Note: by default a term may not start with a wildcard, because that uses a large amount of memory; to force it, set `allow_leading_wildcard_searches = true` in the configuration file.

- When the exact form of a keyword is uncertain, use `~` (fuzzy search): `ssh login~`, `source:exmaple.org~`; the results still match "ssh login" and example.org.
- The following characters must be escaped with a backslash: `&& || : \ / + - ! ( ) { } [ ] ^`. Example: `resource:\/posts\/45326`

Queries can be saved with the "save search criteria" button.
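The GELF verification commands and the Docker logging configuration above all produce the same kind of document; what differs is the transport framing. The following is an added example (not code from the original guide or from Graylog) that builds GELF 1.1 documents in Python, applies the UDP, TCP and HTTP framing, and splits a TCP byte stream back into documents the way the input does. The function names, the `example.org` host and the field values are constructed for this example, and no Graylog server is needed to run it.

```python
"""Build and frame GELF 1.1 documents for the UDP, TCP and HTTP inputs."""
import json
import socket
import time

# Field names defined by GELF 1.1; anything else must be an "_"-prefixed
# additional field, and "_id" is reserved.
STANDARD_FIELDS = {"version", "host", "short_message", "full_message",
                   "timestamp", "level", "facility", "line", "file"}


def build_gelf(host, short_message, level=6, full_message=None, **extra):
    """Return a GELF 1.1 document as a dict. Keyword arguments become
    additional fields; the leading underscore is added when it is missing."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": round(time.time(), 3), "level": level}
    if full_message is not None:
        msg["full_message"] = full_message
    for key, value in extra.items():
        field = key if key.startswith("_") else "_" + key
        if field == "_id":
            raise ValueError('"_id" is reserved by GELF')
        msg[field] = value
    return msg


def validate(msg):
    """Return (missing_required_fields, non_standard_unprefixed_fields)."""
    missing = [f for f in ("version", "host", "short_message") if f not in msg]
    bad = [f for f in msg if f not in STANDARD_FIELDS and not f.startswith("_")]
    return missing, bad


def encode_udp(msg):
    """UDP input: one datagram holding the JSON document, nothing appended."""
    return json.dumps(msg).encode("utf-8")


def encode_tcp(msg):
    """TCP input: the JSON document followed by a NUL byte as frame delimiter.
    json.dumps escapes control characters, so the delimiter is unambiguous."""
    return json.dumps(msg).encode("utf-8") + b"\x00"


def http_request(msg, base_url):
    """HTTP input: POST the JSON document to <base>/gelf as application/json.
    Returns (url, headers, body) for whatever HTTP client is used."""
    return (base_url.rstrip("/") + "/gelf",
            {"Content-Type": "application/json"},
            json.dumps(msg).encode("utf-8"))


def split_tcp_frames(stream):
    """Decode every complete NUL-delimited document in a TCP byte stream and
    return (documents, leftover_bytes); the leftover is an unfinished frame."""
    *frames, rest = stream.split(b"\x00")
    return [json.loads(f.decode("utf-8")) for f in frames if f], rest


def udp_round_trip(msg):
    """Send one datagram to a loopback listener and return the decoded copy.
    The listener stands in for the GELF UDP input; port 0 picks a free port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(2)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(encode_udp(msg), server.getsockname())
        data, _ = server.recvfrom(65535)
    finally:
        client.close()
        server.close()
    return json.loads(data.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample matching the guide's UDP verification message.
    m = build_gelf("example.org", "A short message with udp", level=1,
                   some_info="foo", tag="test11")
    print(validate(m))
    print(udp_round_trip(m)["_tag"])
```

A GELF input accepts whatever reaches its port, so `host`, `tag` and every other field value are only as trustworthy as the network path to the input; stream rules and alerts keyed on those fields should be read with that in mind.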
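The escaping rule and the operators in the query section are easy to get wrong when a query is assembled from values taken from logs or user input. The following is an added example (not code from the original guide or from Graylog) that composes query strings following those rules: reserved characters are backslash-escaped, AND/OR/NOT are emitted in upper case, `_exists_` is used for field presence, and a leading wildcard is refused unless explicitly allowed, mirroring the `allow_leading_wildcard_searches` setting. The helper names are my own; only the returned string is Graylog syntax. As an assumption beyond the guide's list, the quote, tilde, star and question mark are also escaped inside literal values, since they are query operators too.

```python
"""Compose Graylog search queries from literal values without breaking the syntax."""

# Characters the guide lists as needing a backslash (escaping each & and |
# covers && and ||), plus " ~ * ? which are query operators as well.
RESERVED = set('&|:\\/+-!(){}[]^"~*?')


def escape(value):
    """Backslash-escape every reserved character in a literal value."""
    return "".join("\\" + ch if ch in RESERVED else ch for ch in value)


def term(value, field=None):
    """field:value, or a bare value, with the value escaped."""
    return f"{field}:{escape(value)}" if field else escape(value)


def phrase(text, field=None):
    """Exact phrase in double quotes; inside quotes only " and \\ need escaping."""
    body = text.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}:"{body}"' if field else f'"{body}"'


def wildcard(field, pattern, allow_leading=False):
    """field:pattern with ? (one character) and * (zero or more). A leading
    wildcard is refused by default, as Graylog's default configuration does."""
    if pattern[:1] in ("*", "?") and not allow_leading:
        raise ValueError("leading wildcard requires allow_leading_wildcard_searches = true")
    return f"{field}:{pattern}"


def fuzzy(value, field=None):
    """Fuzzy match (~) for a term whose exact spelling is uncertain."""
    return term(value, field) + "~"


def exists(field):
    """Records that have the given field."""
    return f"_exists_:{field}"


def and_(*parts):
    return " AND ".join(parts)


def or_(*parts):
    return " OR ".join(parts)


def not_(part):
    return f"NOT {part}"


def group(part):
    return f"({part})"


if __name__ == "__main__":
    # The guide's escaping example and its nested AND/OR example, rebuilt.
    print(term("/posts/45326", "resource"))
    print(or_(group(and_(phrase("ssh login"),
                         group(or_(term("example.org", "source"),
                                   term("another.example.org", "source"))))),
              exists("always_find_me")))
```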