Building a Graylog Log Monitoring Cluster
Scenario and log volume: the company operates in an IoT setting, where devices report GPS data every 10 seconds. The backend developers log the processing of every uploaded record, and they also wrote a number of stateless background services with Quartz that run every 10 seconds. With multiple environments (development, test, production) writing logs at the same time, volume averages about 3,000 messages/s, with peaks around 5,000/s. After rotation, 3 days of logs come to roughly 300 GB, which the original minimal installation could no longer support.
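A quick back-of-the-envelope check of those figures (the figures come from the text above; the per-message size at the end is an inference, not a number from the original):

```shell
# Rough storage math for the stated log volume.
avg_rate=3000                                # average messages per second
days=3
msgs=$(( avg_rate * 86400 * days ))          # messages written in 3 days
echo "messages in ${days} days: ${msgs}"
total_bytes=$(( 300 * 1024 * 1024 * 1024 ))  # ~300 GB on disk after rotation
bytes_per_msg=$(( total_bytes / msgs ))      # average stored size per message
echo "average stored size per message: ${bytes_per_msg} bytes"
```

That works out to roughly 400 bytes of storage per message, which is a useful baseline when sizing Elasticsearch disks.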
As an aside, here is the docker-compose.yml for that minimal installation, for reference:
version: '2'
services:
  # MongoDB: https://hub.docker.com/_/mongo/
  mongodb:
    image: mongo:3
    volumes:
      - mongo_data:/data/db
  # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/5.6/docker.html
  elasticsearch:
    # the image download is a bit slow, but be sure to use this one
    image: docker.elastic.co/elasticsearch/elasticsearch:5.6.3
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      # Disable X-Pack security: https://www.elastic.co/guide/en/elasticsearch/reference/5.6/security-settings.html#general-security-settings
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
  # Graylog: https://hub.docker.com/r/graylog/graylog/
  graylog:
    image: graylog/graylog:2.4.0-1
    volumes:
      - graylog_journal:/usr/share/graylog/data/journal
    environment:
      # CHANGE ME!
      - GRAYLOG_PASSWORD_SECRET=somepasswordpepper
      # Password: admin; generated with: echo -n yourpassword | shasum -a 256
      - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
      - GRAYLOG_WEB_ENDPOINT_URI=http://127.0.0.1:9000/api
    links:
      - mongodb:mongo
      - elasticsearch
    depends_on:
      - mongodb
      - elasticsearch
    ports:
      # Graylog web interface and REST API
      - 9000:9000
      # Syslog TCP
      - 514:514
      # Syslog UDP
      - 514:514/udp
      # GELF TCP
      - 12201:12201
      # GELF UDP
      - 12201:12201/udp
# Volumes for persisting data, see https://docs.docker.com/engine/admin/volumes/volumes/
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_journal:
    driver: local
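The GRAYLOG_ROOT_PASSWORD_SHA2 value in the compose file is the SHA-256 of the default password "admin". You can verify or regenerate it like this (using sha256sum from coreutils; the `shasum -a 256` command mentioned above gives the same digest):

```shell
# Hash a Graylog root password for GRAYLOG_ROOT_PASSWORD_SHA2.
# -n is important: a trailing newline would change the digest.
hash=$(echo -n admin | sha256sum | awk '{print $1}')
echo "$hash"
```

Substitute your own password for "admin" and paste the resulting hex digest into the compose file.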
Lessons learned

Before you start, be sure to read the Architectural considerations section of the documentation to understand the design:

- Graylog nodes should have a focus on CPU power. These also serve the user interface to the browser.
- Elasticsearch nodes should have as much RAM as possible and the fastest disks you can get. Everything depends on I/O speed here.
- MongoDB is storing meta information and configuration data and doesn't need many resources.

In short: Graylog, which ingests logs and writes them into Elasticsearch, is CPU-bound, while Elasticsearch is RAM- and I/O-bound. Knowing this largely sets the direction for the tuning described later.
Three-node setup (reference)

Preparation (CentOS 7.3):

yum -y update
yum install java-1.8.0-openjdk-headless.x86_64   # install the JDK
Setting up a MongoDB 3.6 replica set

First, install MongoDB on every node.

- Add the MongoDB repository (/etc/yum.repos.d/mongodb-org-3.6.repo):

  [mongodb-org-3.6]
  name=MongoDB Repository
  baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/3.6/x86_64/
  gpgcheck=1
  enabled=1
  gpgkey=https://www.mongodb.org/static/pgp/server-3.6.asc

- Update the repositories and install:

  yum update -y && yum install -y mongodb-org

- Key configuration settings (/etc/mongod.conf):

  # keep MongoDB data off the system partition;
  # grant ownership first: chown -R mongod:mongod /data/mongo
  storage:
    dbPath: /data/mongo

  # configure the replica set name
  replication:
    replSetName: repl

  # bind to the LAN IP so the other nodes can reach this one
  net:
    port: 27017
    bindIp: 192.168.168.242

- Start the MongoDB service:

  systemctl start mongod

- Initialize the replica set (the _id must match replSetName; start a mongo shell and run):

  rs.initiate( {
     _id : "repl",
     members: [
        { _id: 0, host: "mongodb0.example.net:27017" },
        { _id: 1, host: "mongodb1.example.net:27017" },
        { _id: 2, host: "mongodb2.example.net:27017" }
     ]
  })

- Inspect the replica set configuration:

  rs.conf()

- Check which node is the replica set's Primary:

  rs.status()
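A note on why three nodes: a replica set can only elect a primary while a strict majority of voting members is up, so the fault tolerance of the set above works out as follows (standard replica-set arithmetic, not specific to this deployment):

```shell
# Majority needed for primary election in an n-member replica set,
# and how many node failures the set can survive.
n=3
majority=$(( n / 2 + 1 ))
tolerated=$(( n - majority ))
echo "majority needed: ${majority}, node failures tolerated: ${tolerated}"
```

With three members the cluster survives the loss of one MongoDB node; losing two leaves the remaining node read-only.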
Setting up an Elasticsearch 5.6 cluster

- Add the Elasticsearch repository and its public GPG key (/etc/yum.repos.d/elasticsearch.repo):

  [elasticsearch-5.x]
  name=Elasticsearch repository for 5.x packages
  baseurl=https://artifacts.elastic.co/packages/5.x/yum
  gpgcheck=1
  gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
  enabled=1
  autorefresh=1
  type=rpm-md

- Install Elasticsearch:

  yum install elasticsearch
- Cluster configuration (/etc/elasticsearch/elasticsearch.yml):

  # IPs of the cluster instances
  discovery.zen.ping.unicast.hosts: ["192.168.168.240", "192.168.168.241", "192.168.168.242"]

  # this node's bind address
  network.host: 192.168.168.242

  # cluster name
  cluster.name: ES_PROD

  # node name
  node.name: ${HOSTNAME}

  # data directory; create it first:
  #   mkdir -p /data/elasticsearch/data
  #   chown -R elasticsearch:elasticsearch /data/elasticsearch
  path.data: /data/elasticsearch/data

  # log directory; create it first:
  #   mkdir -p /data/elasticsearch/logs
  #   chown -R elasticsearch:elasticsearch /data/elasticsearch
  path.logs: /data/elasticsearch/logs
- Edit the Elasticsearch service startup script and delete the following lines (otherwise they override the paths configured above):

  -Edefault.path.logs=${LOG_DIR} \
  -Edefault.path.data=${DATA_DIR} \

- Start the service:

  systemctl start elasticsearch

- Health check:

  curl -XGET 'http://192.168.168.240:9200/_cluster/state?pretty'
Setting up multi-node Graylog 2.4

In a multi-node Graylog deployment, only one instance needs to serve the web interface. Inputs can be configured to write to different nodes; when one node comes under too much pressure, you currently have to move part of the log traffic to idler nodes by hand (load balancing at this layer still needs investigation).

- Install the Graylog 2.4 repository package:

  rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-2.4-repository_latest.rpm

- Install graylog-server:

  yum install graylog-server

- Multi-node configuration (server.conf):
  # in a multi-node install, keep this true on exactly one node and false on all the rest
  is_master = true

  # set the timezone to Shanghai
  root_timezone = PRC

  # secret pepper for password hashing; the author reuses the SHA-256 of "admin"
  # here (generated with: echo -n yourpassword | shasum -a 256)
  password_secret = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

  # in multi-node mode, this IP must be reachable by the other nodes
  rest_listen_uri = http://192.168.168.242:9000/api/

  # defaults to the same value as above
  rest_transport_uri = http://192.168.168.242:9000/api/

  # base URL for external web access; behind an nginx reverse proxy this can be
  # set to http://192.168.168.242:9000/
  web_listen_uri = http://121.196.213.107:50089/

  # Elasticsearch cluster hosts (comma separated)
  elasticsearch_hosts = http://192.168.168.240:9200,http://192.168.168.241:9200,http://192.168.168.242:9200

  # keep only 72 hours of logs: at most 1 hour per index, at most 72 indices
  elasticsearch_max_time_per_index = 1h
  elasticsearch_max_number_of_indices = 72

  # MongoDB connection string
  mongodb_uri = mongodb://192.168.168.242:27017,192.168.168.241:27017,192.168.168.240:27017/graylog?replicaSet=repl
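The retention settings above can be sanity-checked with a little arithmetic (the 3,000 msg/s figure is the average stated earlier; the per-index count is an estimate, since Graylog rotates by time here, not by document count):

```shell
# Retention = time per index * number of indices kept.
hours_retained=$(( 1 * 72 ))                 # 1h per index, 72 indices
avg_rate=3000                                # average messages/s from the text
docs_per_index=$(( avg_rate * 3600 ))        # approx. docs in each hourly index
echo "retention: ${hours_retained} h, ~${docs_per_index} docs per index"
```

Once the 73rd index would be created, the oldest one is dropped, giving the desired 72-hour window.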
- Adjust the Graylog JVM heap size (/etc/sysconfig/graylog-server):

  GRAYLOG_SERVER_JAVA_OPTS="-Xms4g -Xmx4g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow"

- Start the service:

  systemctl start graylog-server
Nginx reverse-proxy configuration

- Install Nginx:

  yum install nginx

- Nginx configuration:

  server
  {
      listen 50098 default_server;
      listen [::]:50098 default_server ipv6only=on;
      server_name 47.97.188.62;

      location / {
          proxy_set_header Host $http_host;
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Server $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Graylog-Server-URL http://$server_name/api;
          proxy_pass http://192.168.168.242:9000;
      }
  }
Points to consider for later optimization

- More CPU, to increase message-processing throughput
- Opening several more UDP input ports, also to increase message-processing throughput
- A larger Elasticsearch memory allocation, for bigger buffers and less I/O pressure
- Faster disks