2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to deploy a Graylog log server on Ubuntu 16.04. The steps are described in detail and should be a useful reference for anyone interested in the topic.
Graylog is an open source log management system that centrally collects, indexes and analyzes logs sent by other servers. It is written in Java, can receive log messages over the TCP, UDP and AMQP protocols, and uses MongoDB as its backend database. It also has a Web management interface, written in Ruby, that makes it easy to manage Graylog and query logs.
Graylog can collect and monitor logs from many different applications. For demonstration purposes, this article installs all of the components on a single server. For large production systems, the components can be installed on separate servers, which improves performance.
Components of Graylog 2
Graylog 2 has four basic components:
Graylog Server: this service receives and processes logs/messages and communicates with the other components.
Elasticsearch: stores all the logs; its performance depends on memory and disk I/O.
MongoDB: stores data.
Web interface: the user interface.
The following is the diagram of the components of Graylog 2
Install and configure Graylog 2
Prerequisites
Graylog 2 requires the following:
One Ubuntu 16.04 server with at least 2 GB RAM.
Elasticsearch (>= 2.x; the latest stable version is recommended.)
MongoDB (>= 2.4; the latest stable version is recommended.)
Oracle Java SE or OpenJDK (>= 8; the latest stable version is recommended.)
If you did a minimal installation of Ubuntu Server, install the following packages first:
$ sudo apt-get install apt-transport-https uuid-runtime pwgen
Install Java JDK
Elasticsearch is a Java application, so we first need to install OpenJDK or the Oracle JDK. Here we install OpenJDK 8:
$ sudo apt-get update && sudo apt-get install openjdk-8-jdk
If several Java versions are installed on your system, you can select the default one with:
$ sudo update-alternatives --config java
Install Elasticsearch
Elasticsearch is a core component of Graylog and is responsible for analyzing and indexing logs. Graylog 2.3.x adds support for Elasticsearch 5.x, so we install Elasticsearch 5.x here.
# add the GPG signing key
$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
# add the Elasticsearch package source
$ echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
# install Elasticsearch
$ sudo apt-get update && sudo apt-get install elasticsearch
Edit the Elasticsearch configuration file:
$ sudo vim /etc/elasticsearch/elasticsearch.yml
# set cluster.name to graylog
cluster.name: graylog
After modifying the configuration, you need to restart Elasticsearch:
$ sudo systemctl daemon-reload
$ sudo systemctl restart elasticsearch.service
If you want to add Elasticsearch services to boot with the system, you can execute the following command:
$ sudo systemctl enable elasticsearch.service
Test whether Elasticsearch is working properly
By default, Elasticsearch accepts HTTP requests on port 9200. Here we perform a simple request with curl:
$ curl -X GET http://localhost:9200
{
  "name" : "V8jWSvJ",
  "cluster_name" : "graylog",
  "cluster_uuid" : "8cnTgvEzRZ2U81LTYq5nEw",
  "version" : {
    "number" : "5.6.3",
    "build_hash" : "1a2f265",
    "build_date" : "2017-10-06T20:33:39.012Z",
    "build_snapshot" : false,
    "lucene_version" : "6.6.1"
  },
  "tagline" : "You Know, for Search"
}
Check the health status of Elasticsearch
$ curl -X GET 'http://localhost:9200/_cluster/health?pretty=true'
{
  "cluster_name" : "graylog",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
Install MongoDB
The MongoDB package in the default Ubuntu 16.04 repository (currently version 2.6.10) meets the requirements of Graylog 2.3.x and later.
$ sudo apt-get install mongodb-server
Start the MongoDB service
$ sudo systemctl start mongodb
If you want the MongoDB service to start with the system, run:
$ sudo systemctl enable mongodb
Install Graylog Server
Graylog Server is responsible for receiving and processing logs.
# download and install the Graylog Server repository package
$ wget https://packages.graylog2.org/repo/packages/graylog-2.3-repository_latest.deb
$ sudo dpkg -i graylog-2.3-repository_latest.deb
# install Graylog Server
$ sudo apt-get update && sudo apt-get install graylog-server
Edit the Graylog Server configuration file:
To set password_secret, first generate a random secret with the pwgen command:
$ pwgen -N 1 -s 96
1jfPjMRn5XRsCdVWArjy1nulgXbUJJ8khuW0xQGrqUvJ1iXefhqSh22xsp1dZgkKVsOwiOuDLArh7TYafQE8QFDjEzUIU1tS
Modify the password_secret parameter value:
$ sudo vim /etc/graylog/server/server.conf
password_secret = 1jfPjMRn5XRsCdVWArjy1nulgXbUJJ8khuW0xQGrqUvJ1iXefhqSh22xsp1dZgkKVsOwiOuDLArh7TYafQE8QFDjEzUIU1tS
Set root_password_sha2, the SHA-256 hash of the Graylog Server administrator password, which is used to log in to the Web administration page.
For example, to set the password to 000000, generate the hash with the sha256sum command:
$ echo -n 000000 | sha256sum
91b4d142823f7d20c5f08df69122de43f35f057a988d9619f6d3138485c9a203
Modify the root_password_sha2 parameter value:
$ sudo vim /etc/graylog/server/server.conf
root_password_sha2 = 91b4d142823f7d20c5f08df69122de43f35f057a988d9619f6d3138485c9a203
Note: password_secret and root_password_sha2 parameters must be set, otherwise Graylog Server will not start.
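The two mandatory settings above can be generated and written in one step. The following is an added example, not part of the original article: it replaces `pwgen` with `/dev/urandom`, edits the key in place (or appends it) so repeated runs never leave duplicate definitions, and checks that both keys end up set; it assumes GNU `sed -i`, `sha256sum` and `tr`, and takes the configuration file path as a parameter so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the original article: generate password_secret and
# root_password_sha2 and write them into server.conf without duplicating keys.
# Assumes sha256sum, GNU sed -i, tr and /dev/urandom; the conf path is a
# parameter so it can be pointed at a test copy instead of the real file.
set -eu

# 96-character random secret, the equivalent of `pwgen -N 1 -s 96` for hosts
# where pwgen is not installed.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# Hex SHA-256 of the admin password, the format root_password_sha2 expects.
# printf '%s' (like echo -n) keeps the trailing newline out of the hash;
# the hash is unsalted, so the password itself must be strong.
sha256_of() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Replace "key = ..." (including a commented-out "#key = ...") in place, or
# append the line if the key is absent, so re-runs never leave two definitions.
set_conf_value() {
    conf=$1; key=$2; value=$3
    if grep -Eq "^#?[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        sed -i -E "s|^#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$conf"
    else
        printf '%s = %s\n' "$key" "$value" >>"$conf"
    fi
}

# Succeeds only if both mandatory keys have non-empty values; Graylog Server
# refuses to start when either is missing.
check_required() {
    for key in password_secret root_password_sha2; do
        grep -Eq "^${key}[[:space:]]*=[[:space:]]*[^[:space:]]+" "$1" || return 1
    done
}

# Usage: configure_secrets /etc/graylog/server/server.conf 'AdminPassword'
configure_secrets() {
    set_conf_value "$1" password_secret "$(gen_secret)"
    set_conf_value "$1" root_password_sha2 "$(sha256_of "$2")"
    check_required "$1"
}
```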
If you want to set the administrator email address and time zone, use the following parameters:
$ sudo vim /etc/graylog/server/server.conf
root_email = "admin@hi-linux.com"
root_timezone = UTC
Set the Elasticsearch node:
$ sudo vim /etc/graylog/server/server.conf
# Default: http://127.0.0.1:9200
elasticsearch_hosts = http://192.168.100.212:9200
If you need to configure several Elasticsearch nodes, or nodes that require authentication, use the following format:
elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200
Note: if not configured, the default is to connect to the local Elasticsearch node.
Other Elasticsearch-related settings:
elasticsearch_index_prefix = graylog
elasticsearch_connect_timeout = 10s
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_total_connections = 20
elasticsearch_max_number_of_indices = 20
elasticsearch_shards = 1
elasticsearch_replicas = 0
Install the Graylog Web interface
Since Graylog 2.x, the Web interface is bundled with Graylog Server, so it needs no separate installation.
Configure the Graylog Web interface
$ sudo vim /etc/graylog/server/server.conf
# REST API URI
rest_listen_uri = http://your_ip_or_domain:9001/
# Web interface URI
web_listen_uri = http://your_ip_or_domain:9000/
Note: replace your_ip_or_domain with your server's actual IP address or domain name.
Start the Graylog Server service:
$ sudo systemctl daemon-reload
$ sudo systemctl start graylog-server.service
If you want the Graylog Server service to start with the system, run:
$ sudo systemctl enable graylog-server.service
Visit Graylog Web
Open http://your_ip_or_domain:9000 in a browser. If the Graylog login page appears, the installation succeeded. The default user name is admin, and the password is the one whose hash you set in the root_password_sha2 parameter.
Add a server that needs to collect logs
Create Syslog UDP input
Ubuntu ships with the rsyslog service, so nothing needs to be installed; it only needs to be configured.
In the Graylog Web interface, select System -> Inputs -> Syslog UDP -> Launch new input to add an input that receives syslog messages.
Enter the following information in the pop-up window:
Node: select your Graylog Server node from the list
Title: Linux Server Logs
Port: 8514
Bind address: 0.0.0.0
Then click Save.
Once saved, a syslog listener on UDP port 8514 is created, which can receive logs from other servers.
This test uses the same server for the demonstration, so the input is bound to all network interfaces. If the input should only be reachable from a specific network, set Bind address to the IP address of that interface instead.
Our Graylog Server is now ready to receive logs from other servers. Next, each server whose logs we want to collect must be configured to send them to the Graylog Server.
Configure the server to send logs to Graylog
Create the rsyslog configuration file /etc/rsyslog.d/90-graylog.conf.
If your rsyslog version is > 5.10, use the following format:
*.* @graylog_server_ip:8514;RSYSLOG_SyslogProtocol23Format
If your rsyslog version is < 5.10, use the following format instead:
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @graylog_server_ip:8514;GRAYLOGRFC5424
Note: replace graylog_server_ip with the IP address of the Graylog server.
I am using rsyslog 8.16 here, so my configuration looks like this:
$ sudo vim /etc/rsyslog.d/90-graylog.conf
*.* @192.168.100.212:8514;RSYSLOG_SyslogProtocol23Format
Restart the rsyslog service for the change to take effect:
$ sudo systemctl restart rsyslog
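The version-dependent configuration above can be scripted so the same file works on every client. This is an added example, not from the original article: it picks the rule syntax from the rsyslog version, defaults to the UDP port 8514 used by the input created earlier, and validates the result with `rsyslogd -N1` before restarting; treating version 5.10 itself as the newer syntax is this example's assumption.

```shell
#!/bin/sh
# Added example, not from the original article: generate the rsyslog rule that
# forwards all messages to the Graylog Syslog UDP input, picking the syntax by
# rsyslog version as described above (5.10 and later use the built-in
# RSYSLOG_SyslogProtocol23Format; older versions need an explicit RFC 5424
# template). Treating 5.10 itself as "new" is this example's assumption.
set -eu

# Succeeds if dotted version $1 >= $2 (numeric, component by component).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# Installed rsyslog version, e.g. "8.16.0" from "rsyslogd 8.16.0, compiled ...".
rsyslog_version() {
    rsyslogd -v | head -n1 | awk '{print $2}' | tr -d ,
}

# Print the rule(s) for /etc/rsyslog.d/90-graylog.conf. A single "@" means UDP,
# matching the Syslog UDP input on port 8514 created in the Web interface
# ("@@" would be TCP and needs a Syslog TCP input instead).
graylog_rsyslog_conf() {
    version=$1; server=$2; port=${3:-8514}
    if version_ge "$version" 5.10; then
        printf '*.* @%s:%s;RSYSLOG_SyslogProtocol23Format\n' "$server" "$port"
    else
        cat <<'EOF'
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
EOF
        printf '*.* @%s:%s;GRAYLOGRFC5424\n' "$server" "$port"
    fi
}

# Write the file for the installed rsyslog, validate the whole configuration
# (rsyslogd -N1 parses it without starting the daemon), then restart.
# Usage: install_graylog_forwarding 192.168.100.212 [8514]
install_graylog_forwarding() {
    graylog_rsyslog_conf "$(rsyslog_version)" "$1" "${2:-8514}" \
        | sudo tee /etc/rsyslog.d/90-graylog.conf >/dev/null
    sudo rsyslogd -N1 && sudo systemctl restart rsyslog
}
```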
After the configuration is complete, go back to the Graylog Web interface and click Sources to check whether the newly added rsyslog source appears in the chart.
Search Graylog
In the Graylog Web interface, click Search to open the search page, where you can filter the logs by search conditions.
For example, to search the ssh activity log, enter the keyword sshd and click the search icon:
Some commonly used search syntax
Search for messages containing the keyword ssh:
ssh
Search for messages containing the keyword ssh or login:
ssh login
Search for messages containing the exact phrase ssh login:
"ssh login"
Search for messages whose field type contains ssh:
type:ssh
Search for messages whose field type contains ssh or login:
type:(ssh login)
Search for messages whose field type contains the exact phrase ssh login:
type:"ssh login"
That concludes the article on how to deploy a Graylog log server under Ubuntu 16.04. Thank you for reading, and I hope it was helpful.