docker-compose安装graylog


环境

  • graylog: 4.2
  • elasticsearch: 7.16.3
  • MongoDB: 4.2
  • docker: 20.10.12
  • docker-compose: v2.3.2
  • 操作系统: Ubuntu20.04、rocky-linux8.4

graylog配置文件

1. graylog.yml

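# Compose file for a single-host Graylog stack: MongoDB (Graylog metadata),
# Elasticsearch (message storage) and the Graylog server itself.
# The version must be a string; a bare 3 is parsed as an integer, which
# docker-compose schema validation rejects.
version: "3"
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  # No ports are published, so MongoDB is reachable only on the graylog bridge
  # network. No credentials are configured for it here; keep it unpublished.
  mongo:
    image: mongo:4.2
    container_name: mongodb
    volumes:
      - /srv/graylog_data/mongodb:/data/db
    networks:
      - graylog
  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/docker.html
  # Also unpublished and without credentials in this file. The 0.0.0.0 bind
  # addresses below apply inside the container; the service only becomes
  # reachable from outside if a ports: entry is added.
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.16.3
    container_name: elasticsearch
    volumes:
      - /srv/graylog_data/es:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=0.0.0.0
      - network.host=0.0.0.0
      - discovery.type=single-node
      # formatMsgNoLookups is set for the Elasticsearch JVM only; the graylog
      # service below gets no equivalent option.
      - "ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    deploy:
      resources:
        limits:
          memory: 1g
    networks:
      - graylog
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:4.2
    container_name: graylog
    volumes:
      - /srv/graylog_data/graylog:/usr/share/graylog/data
      - /srv/graylog_data/graylog/config:/usr/share/graylog/data/config
      - /srv/graylog_data/graylog/journal:/usr/share/graylog/data/journal
    environment:
      # CHANGE ME (must be at least 16 characters)!
      # The value below is a published placeholder. Replace it with a random
      # string of your own (for example `pwgen -N 1 -s 96`) before first start,
      # and prefer supplying it from an env file kept out of version control.
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      # Password: admin
      # This is the SHA-256 of the string "admin". Replace it with the hash of
      # a strong password before the web interface is reachable by anyone else:
      #   echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
      - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      # Plain HTTP: the admin login travels unencrypted. Acceptable on
      # loopback; use TLS or a TLS-terminating proxy for remote access.
      - GRAYLOG_HTTP_EXTERNAL_URI=http://127.0.0.1:9000/
    entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh
    networks:
      - graylog
    restart: always
    depends_on:
      - mongo
      - elasticsearch
    # Each mapping below is published on every host interface. Prefix an entry
    # with a host address (for example "127.0.0.1:9000:9000") to limit where
    # it listens. Mappings are quoted so they are always read as strings.
    ports:
      # Graylog web interface and REST API
      - "9000:9000"
      # Syslog TCP
      - "1514:1514"
      # Syslog UDP
      - "1514:1514/udp"
      # GELF TCP
      - "12201:12201"
      # GELF UDP
      - "12201:12201/udp"
networks:
  graylog:
    driver: bridge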

2. log4j2.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Log4j2 configuration for the Graylog server.
  Appenders: STDOUT (console, pattern "%d %-5p: %c - %m%n") and
  graylog-internal-logs (in-memory buffer, bufferSize 500).
  Loggers: org.graylog2 at info, the listed third-party loggers at warn,
  VersionCheckThread logging off, and a root logger at warn that writes to
  both appenders.
  NOTE(review): %m prints message text as received, and log messages can
  contain strings supplied by log senders. Whether lookup patterns inside a
  message are expanded depends on the Log4j release bundled in the image;
  confirm the image in use ships a release with message lookups removed.
-->
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
    <Appenders>
        <Console name="STDOUT" target="SYSTEM_OUT">
            <PatternLayout pattern="%d %-5p: %c - %m%n"/>
        </Console>

        <!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
        <Memory name="graylog-internal-logs" bufferSize="500"/>
    </Appenders>
    <Loggers>
        <!-- Application Loggers -->
        <Logger name="org.graylog2" level="info"/>
        <Logger name="com.github.joschi.jadconfig" level="warn"/>
        <!-- Prevent DEBUG message about Lucene Expressions not found. -->
        <Logger name="org.elasticsearch.script" level="warn"/>
        <!-- Disable messages from the version check -->
        <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
        <!-- Silence chatty natty -->
        <Logger name="com.joestelmach.natty.Parser" level="warn"/>
        <!-- Silence Kafka log chatter -->
        <Logger name="org.graylog.shaded.kafka09.log.Log" level="warn"/>
        <Logger name="org.graylog.shaded.kafka09.log.OffsetIndex" level="warn"/>
        <Logger name="org.apache.kafka.clients.consumer.ConsumerConfig" level="warn"/>
        <!-- Silence useless session validation messages -->
        <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>
        <Root level="warn">
            <AppenderRef ref="STDOUT"/>
            <AppenderRef ref="graylog-internal-logs"/>
        </Root>
    </Loggers>
</Configuration>

3. graylog.conf

<?xml version="1.0" encoding="UTF-8"?>
<!--
  NOTE(review): the page presents this listing as graylog.conf, but it is the
  same Log4j2 XML as the log4j listing before it; presumably the wrong file
  was pasted. Graylog's graylog.conf is a key = value settings file, not XML,
  so this text should not be saved under that name. Take graylog.conf from
  the Graylog Docker distribution that matches the image tag in use.
-->
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
    <Appenders>
        <Console name="STDOUT" target="SYSTEM_OUT">
            <PatternLayout pattern="%d %-5p: %c - %m%n"/>
        </Console>

        <!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
        <Memory name="graylog-internal-logs" bufferSize="500"/>
    </Appenders>
    <Loggers>
        <!-- Application Loggers -->
        <Logger name="org.graylog2" level="info"/>
        <Logger name="com.github.joschi.jadconfig" level="warn"/>
        <!-- Prevent DEBUG message about Lucene Expressions not found. -->
        <Logger name="org.elasticsearch.script" level="warn"/>
        <!-- Disable messages from the version check -->
        <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
        <!-- Silence chatty natty -->
        <Logger name="com.joestelmach.natty.Parser" level="warn"/>
        <!-- Silence Kafka log chatter -->
        <Logger name="org.graylog.shaded.kafka09.log.Log" level="warn"/>
        <Logger name="org.graylog.shaded.kafka09.log.OffsetIndex" level="warn"/>
        <Logger name="org.apache.kafka.clients.consumer.ConsumerConfig" level="warn"/>
        <!-- Silence useless session validation messages -->
        <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>
        <Root level="warn">
            <AppenderRef ref="STDOUT"/>
            <AppenderRef ref="graylog-internal-logs"/>
        </Root>
    </Loggers>
</Configuration>

graylog安装

1.将上面配置文件目录创建好

# Create every host directory the deployment uses (the bind-mount sources plus
# contentpacks, log and plugin), along with any missing parent directories.
mkdir -p \
    /srv/graylog_data/mongodb \
    /srv/graylog_data/es \
    /srv/graylog_data/graylog \
    /srv/graylog_data/graylog/config \
    /srv/graylog_data/graylog/journal \
    /srv/graylog_data/graylog/contentpacks \
    /srv/graylog_data/graylog/log \
    /srv/graylog_data/graylog/plugin

2. 配置文件移动到指定目录

# Move graylog.yml to its target location.
# NOTE(review): /srv/docker_compose/graylog is not created by the mkdir step on
# this page, and the later chmod refers to /srv/docker_compose/graylog.yml, a
# different path. Confirm which location is intended before running.
mv graylog.yml /srv/docker_compose/graylog
# Move graylog.conf into the directory mounted as the Graylog config directory.
mv graylog.conf /srv/graylog_data/graylog/config
# Move log4j2.xml into the same config directory.
mv log4j2.xml /srv/graylog_data/graylog/config

3. 授权文件及目录

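# Hand each data directory to the user its container runs as, instead of making
# it world-writable. Mode 777 lets every local account read or alter the stored
# logs, the indices and the Graylog configuration directory.
# The numeric IDs are the defaults of the official images; confirm them for the
# tags in use, e.g. `docker run --rm --entrypoint id graylog/graylog:4.2`.
chown -R 999:999 /srv/graylog_data/mongodb
chown -R 1000:0 /srv/graylog_data/es
chown -R 1100:1100 /srv/graylog_data/graylog
# Owner (and group, where the container relies on it) only; nothing for others.
chmod 750 /srv/graylog_data/mongodb
chmod 770 /srv/graylog_data/es
chmod 750 /srv/graylog_data/graylog
chmod 750 /srv/graylog_data/graylog/config
chmod 750 /srv/graylog_data/graylog/journal
# Config files need to be readable by the Graylog user, not writable by all.
chmod 640 /srv/graylog_data/graylog/config/graylog.conf
chmod 640 /srv/graylog_data/graylog/config/log4j2.xml
# A compose file is data and needs no execute bit. It holds the password secret
# and the root password hash, so keep it readable by its owner only.
chmod 600 /srv/docker_compose/graylog.yml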

4. 部署

# Start the stack defined in graylog.yml in the background. Run this from the
# directory that contains graylog.yml.
docker-compose --file graylog.yml up --detach

5. 关闭防火墙

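# Leave the host firewall enabled and open only the ports the compose file
# publishes, rather than disabling filtering for the whole host.
# Docker typically programs its own packet-filter rules for published ports, so
# also limit exposure through the host addresses in the compose port mappings.
# ubuntu
ufw allow 9000/tcp
ufw allow 1514/tcp
ufw allow 1514/udp
ufw allow 12201/tcp
ufw allow 12201/udp
# centos / rocky linux
firewall-cmd --permanent \
    --add-port=9000/tcp \
    --add-port=1514/tcp --add-port=1514/udp \
    --add-port=12201/tcp --add-port=12201/udp
firewall-cmd --reload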

6. 验证是否都启动成功

# List running containers; mongodb, elasticsearch and graylog should all appear.
docker container ls

7. 登录graylog

8.配置http模式

9.发送日志测试

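# Send one test message to the GELF HTTP input on port 12201.
# The payload has to be a single JSON object wrapped in single quotes; without
# the braces and outer quotes the shell splits it and curl sends invalid data.
# 172.19.0.4 is the author's container address; substitute your own.
# The request carries no credentials, so keep port 12201 reachable only from
# hosts that are supposed to send logs.
curl -X POST http://172.19.0.4:12201/gelf -p0 -d '{"short_message":"你好呀graylog","host":"172.19.0.4","facility":"test", "_foo":"bar"}'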

上面的 IP 为 graylog 容器的 IP,可通过 docker inspect graylog 查看
graylog发送方式

问题与解决

1. 问题1

max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

2. 解决

# Check whether the setting is already present in /etc/sysctl.conf.
grep vm.max_map_count /etc/sysctl.conf
# Append the setting so it persists across reboots.
# NOTE(review): this appends on every run; skip it if the grep above already
# printed a vm.max_map_count line, otherwise the file collects duplicates.
echo vm.max_map_count=262144 >> /etc/sysctl.conf
# Check the file again to confirm the line was written.
grep vm.max_map_count /etc/sysctl.conf
# Apply the value to the running kernel immediately.
sysctl -w vm.max_map_count=262144

3.问题2

graylog-elasticsearch-1  | [2]: the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured

4. 解决

# Add this entry to the environment list of the elasticsearch service in the
# docker-compose file.
- discovery.type=single-node

参考及注意事项

Ubuntu的目录一定要创建好并授权,否则各种奇怪错误
graylog官网
