Using the open-source log server Graylog to detect network device failures
1. Operating system installation: CentOS installation (omitted)
cat /etc/os-release #### check the host's OS version
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
Disable SELinux
vim /etc/sysconfig/selinux
SELINUX=disabled #### the value must be "disabled"; "disable" is not a recognised setting
2. Java, database and Elasticsearch installation
1. Java installation
$ sudo yum install java-1.8.0-openjdk-headless.x86_64
After installation, check the Java version
# java -version
openjdk version "1.8.0_161"
OpenJDK Runtime Environment (build 1.8.0_161-b14)
OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)
2. MongoDB installation
vi /etc/yum.repos.d/mongodb-org-3.6.repo, then in edit mode add the following configuration:
[mongodb-org-3.6]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.6/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc
Save the configuration and exit, then
yum install -y mongodb-org
$ sudo chkconfig --add mongod
$ sudo systemctl daemon-reload
$ sudo systemctl enable mongod.service
$ sudo systemctl start mongod.service
3. Elasticsearch
Graylog 2.4.x requires Elasticsearch 5.x.
Install the Elastic GPG key
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vi /etc/yum.repos.d/elasticsearch.repo #### add the following configuration
[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
yum install elasticsearch #### install elasticsearch
vi /etc/elasticsearch/elasticsearch.yml ##### open the Elasticsearch configuration file and set cluster.name; the name must match the one configured in Graylog
cluster.name: graylog2
$ sudo chkconfig --add elasticsearch
$ sudo systemctl daemon-reload
$ sudo systemctl enable elasticsearch.service
$ sudo systemctl restart elasticsearch.service
3. Graylog
$ sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.rpm
$ sudo yum install graylog-server ##### install graylog-server
pwgen -N 1 -s 96 #### generate the password_secret value
echo -n yourpassword | shasum -a 256 #### generate the root_password_sha2 value (SHA-256 of the admin password)
vi /etc/graylog/server/server.conf
password_secret=uz8DP8HFBJtNtwySQdNxhjlU4PfqSbSKjnRk4MHXlfFdJKfsHmyekzMkkJ7CNoSnUGpGqD8P0euzy41rHsR39yKUZoSX0OAG #### sample value from this post; every installation must generate its own with the pwgen command above
root_password_sha2=e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951 #### sample value from this post; use the hash produced by the shasum command above
elasticsearch_index_prefix = graylog2 #### must match the name configured in Elasticsearch
web_listen_uri = http://0.0.0.0:9000/
rest_listen_uri = http://0.0.0.0:9000/api/
elasticsearch_shards = 1
elasticsearch_replicas = 0
mongodb_useauth = false
$ sudo chkconfig --add graylog-server
$ sudo systemctl daemon-reload
$ sudo systemctl enable graylog-server.service
$ sudo systemctl start graylog-server.service
4. Collecting network device logs
Graylog collects logs from network devices
CentOS 7 runs rsyslog by default
vi /etc/rsyslog.conf
$ModLoad imudp #### remove the leading comment marker (#)
$UDPServerRun 514 #### remove the leading comment marker (#)
*.* @127.0.0.1:1514 #### forward all received messages to Graylog (a single @ means UDP)
systemctl restart rsyslog.service #### restart the rsyslog service
Open http://x.x.x.x:9000 in a browser; the username is admin and the password is yourpassword (the password that was hashed into root_password_sha2).
Configure the Input port as 1514. This works around the fact that a non-root user on Linux cannot bind ports below 1024: rsyslog receives from the devices on 514 and forwards to Graylog on 1514, so use a port above 1024 wherever possible.
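To confirm that the 1514/UDP input path works before pointing rsyslog at it, the following added Python script (not part of the original post) builds an RFC 3164 syslog datagram, sends it the way the rsyslog forwarding rule above does, and can also round-trip it through a local stand-in listener; the hostname switch01, the tag and the message text are constructed sample values.

```python
import socket
import time

# RFC 3164 facility/severity codes; PRI = facility * 8 + severity.
FACILITY_USER = 1
SEVERITY_INFO = 6

def build_syslog_message(facility, severity, hostname, tag, text, when=None):
    """Return an RFC 3164 datagram: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    t = time.localtime(when)
    # RFC 3164 pads the day with a space, not a zero ("Oct  5").
    stamp = "%s %2d %s" % (time.strftime("%b", t), t.tm_mday,
                           time.strftime("%H:%M:%S", t))
    return ("<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, text)).encode()

def parse_pri(datagram):
    """Decode PRI back into (facility, severity); None if the header is bad."""
    end = datagram.find(b">", 1, 5)
    if not datagram.startswith(b"<") or end == -1:
        return None
    digits = datagram[1:end]
    if not digits.isdigit() or int(digits) > 191:
        return None
    return divmod(int(digits), 8)

def send_udp(datagram, host="127.0.0.1", port=1514):
    """Send one datagram the way rsyslog's '@127.0.0.1:1514' rule does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))

def roundtrip_via_local_listener(datagram):
    """Stand in for the Graylog input: bind an ephemeral UDP port on
    loopback, send the datagram to it and return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free one
        listener.settimeout(2)
        send_udp(datagram, port=listener.getsockname()[1])
        received, _ = listener.recvfrom(2048)
    return received

if __name__ == "__main__":
    # Constructed sample: a switch reporting a link-down event.
    msg = build_syslog_message(FACILITY_USER, SEVERITY_INFO, "switch01",
                               "graylog-test", "interface Gi1/0/1 link down")
    print(send_udp(msg), "bytes sent to the Graylog input on 127.0.0.1:1514")
```

After running it, search Graylog for the tag graylog-test; if nothing arrives, check the input is started and that the host firewall permits 1514/UDP.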
1) Create a dashboard named test
2) Search for a keyword
3) Save the search to the dashboard
4) Open Dashboards