graylog使用
作者:互联网
1 安装rsyslog 应用 一般操作系统已经安装过不须要重新安装
yum install rsyslog
2 配置rsyslog 服务端 我们使用zabbix_proxy作为服务端
vi /etc/rsyslog.conf 增加相关配置 $ModLoad imuxsock # provides support for local system logging (e.g. via logger command) $ModLoad imklog # provides kernel logging support (previously done by rklogd) $ModLoad imudp #开启支持upd的模块 $UDPServerRun 514 #允许接收udp 514的端口传来的日志 ModLoad imtcp #开启支持tcp的模块 $InputTCPServerRun 514 #允许接收tcp 514的端口传来的日志 local5.* /var/log/history.log
vi /etc/bashrc
export HISTTIMEFORMAT="%F %T `whoami` " export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }' #重启rsyslog 服务 systemctl restat rsyslog #查看服务是否正常启动 tail -n 200 -f /var/log/history.log |
3 客户端配置
vi /etc/rsyslog.conf 添加如下内容 local5.* @10.10.0.83:514
vi /etc/bashrc
export HISTTIMEFORMAT="%F %T `whoami` " export PROMPT_COMMAND='{ command=$(history 1 | { read x y; echo $y; }); logger -p local5.notice -t bash -i "user=$USER,ppid=$PPID,from=$SSH_CLIENT,pwd=$PWD,command:$command"; }' #重启rsyslog 服务 systemctl restat rsyslog |
4 在要装rsyslog的服务器上安装部署 graylog-sidecar filebeat 客户端
wget https://live400-storage.oss-cn-hangzhou.aliyuncs.com/source/filebeat/filebeat-6.6.1-x86_64.rpm
wget https://live400-storage.oss-cn-hangzhou.aliyuncs.com/source/graylog/graylog-sidecar-1.0.0-1.x86_64.rpm
# 若存在旧版 graylog collector
# rpm -e collector-sidecar-0.1.5-1.x86_64
yum localinstall filebeat-6.6.1-x86_64.rpm
yum localinstall graylog-sidecar-1.0.0-1.x86_64.rpm
配置 graylog-sidecar 客户端
# Configure sidecar.yml
# server_api_token 由 Graylog 的 graylog-sidecar 用户生成,http://cn.graylog.live400.com/system/authentication/users/tokens/graylog-sidecar,保证一个客户一个 token,生成方式如下图:
将复制的token值替换掉${server_api_token}
sed -i 's/#server_url: "http:\/\/127.0.0.1:9000\/api\/"/server_url: "http:\/\/cn.graylog.live400.com\/api\/"/' /etc/graylog/sidecar/sidecar.yml
sed -i 's/server_api_token: ""/server_api_token: "${server_api_token}"/' /etc/graylog/sidecar/sidecar.yml
sed -i 's/#node_id/node_id/' /etc/graylog/sidecar/sidecar.yml
sed -i 's/#update_interval: 10/update_interval: 60/' /etc/graylog/sidecar/sidecar.yml
sed -i 's/#send_status/send_status/' /etc/graylog/sidecar/sidecar.yml
sed -i 's/#cache_path: "\/var\/cache\/graylog-sidecar"/cache_path: "\/data\/graylog-sidecar"/' /etc/graylog/sidecar/sidecar.yml
sed -i 's/#log_path: "\/var\/log\/graylog-sidecar"/log_path: "\/data\/logs\/graylog-sidecar"/' /etc/graylog/sidecar/sidecar.yml
sed -i 's/#log_rotate_max_file_size/log_rotate_max_file_size/' /etc/graylog/sidecar/sidecar.yml
sed -i 's/#log_rotate_keep_files/log_rotate_keep_files/' /etc/graylog/sidecar/sidecar.yml
sed -i 's/#collector_configuration_directory: "\/var\/lib\/graylog-sidecar\/generated"/collector_configuration_directory: "\/etc\/graylog\/sidecar\/generated"/' /etc/graylog/sidecar/sidecar.yml
# list_log_files 参考,配置需要收集日志的文件目录
# list_log_files:
# - "/var/log"
# - "/data/logs/nginx"
# - "/data/logs/mysql"
# - "/data/logs/tomcat"
#安装进程服务
graylog-sidecar -service install
#启动graylog 日志收集服务
service graylog-sidecar start
a.此时会自动在graylog平台出现刚安装了客户端的设备
b.克隆模板
修改配置文件里的项目名:
c.生成filebeat
e. 创建新的 Index Set:http://cn.graylog.live400.com/system/index_sets/create
命名规范:
Title:项目 Nginx 日志
Description:项目 Nginx 日志
Index prefix:项目_nginx
保存
f.创建新的 Streams:http://cn.graylog.live400.com/streams
命名规范
Title:项目 Nginx 日志
Description:项目 Nginx 日志
Index Set:项目 Nginx 日志
勾选 Remove matches from ‘All messages’ stream
点击 Manage Rules,具体配置参考已有的 Nginx 日志,保存后点击 Start Stream,看到有日志写入表示日志对接成功
如果要收集系统操作日志,一个项目的所有操作日志都会存在项目的monitor主机上,要从第一步开始,若只是配置nginx日志则从第三步开始做就可以了。配置完成后在grafana上配置图形,步骤如下:
1.添加数据源
2.复制显示模板
3更改每个图形的数据源
每个图形的都要改,改完后要一定要保存!
标签:log,etc,graylog,使用,日志,yml,sidecar 来源: https://www.cnblogs.com/panshihao/p/10986566.html