[Log Integration] Graylog2 & MongoDB & Elasticsearch
Graylog2 v0.10 Finally Released – Install on CentOS 6.3
The much-anticipated Graylog2 version 0.10 was released on the 14th, so I finally found some time to build a test box with all the new software and see how it compares in getting up and running.
So let’s get started.
The only non-default repo I have installed is:
We are downloading the following software packages:
Download all the software: (http://www.graylog2.org/download)
A one liner for the lazy:
Just to make sure we got everything:
Extract everything:
Great, now let’s get Ruby installed:
Great, now let’s get libyaml installed:
Install RVM (Ruby Version Manager):
Once it’s done you need to source rvm to use it:
Check to make sure ruby is working and it can find the binary:
Install Ruby Gem Bundle:
Update System Gems:
Installing ElasticSearch:
Install the ES service wrapper:
Give yourself a control script:
Give the ES cluster a unique name:
Fire it up and test it:
Should get a response similar to:
Add ElasticSearch to boot:
Set up the 10gen repo and install MongoDB:
Create the mongo db directory:
Create the Mongo config file and start it:
Wait for it to start, it takes a couple seconds:
Set up MongoDB and auth:
Set MongoDB to start on boot:
Install the MongoDB gem:
Install Graylog2-Server:
Configure Graylog2.conf:
Configure at least these variables in :
- Set only one node as the master. This node performs periodic maintenance actions that slave nodes don’t. Every slave node accepts messages just as the master node does. Nodes fall back to slave mode if there already is a master in the cluster.
- This is the path to the ElasticSearch configuration file for the built-in ElasticSearch node of . Your node will act as a node in your ElasticSearch cluster, but not store any data itself. It will distribute the writes to other nodes in the ElasticSearch cluster.
- How many log messages to keep per index. This setting multiplied with results in the maximum number of messages in your Graylog2 setup. It is always better to have several smaller indices than just a few larger ones.
- How many indices to have in total. If this number is reached, the oldest index will be deleted.
- The number of shards for your indices. A good setting here depends heavily on the number of nodes in your ElasticSearch cluster. If you have one node, set it to . Read more about this in the knowledge base article about configuring and tuning ElasticSearch.
- The number of replicas for your indices. A good setting here depends heavily on the number of nodes in your ElasticSearch cluster. If you have one node, set it to . Read more about this in the knowledge base article about configuring and tuning ElasticSearch.
- Graylog2 keeps a so-called recent index that includes only the newest log messages. This allows fast overview pages in the web interface. The messages you see in the “show recent messages” view come from this index. If you have thousands of messages per minute, set it to 1 minute because so many new messages are coming in. If you have just a few messages per minute, set it to a higher value to still have a good overview without having to click on “show all messages”.
- Enter your MongoDB connection and authentication information here. Make sure that you connect the web interface to the same database. You don’t need to configure and if is set to .
The most important ones (the rest you can leave as default if you want):
- processor_wait_strategy = blocking (this helps load on the server by quite a bit)
- mongodb_password = whatever password you set earlier
- Take note of the AMQP Section we will come back to this later
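As an added example (not code from the original post or from the Graylog2 project), here is a small Python checker for the settings called out above: it parses graylog2.conf-style "key = value" files for several nodes and flags more than one master, a processor_wait_strategy other than blocking, and a mongodb_password containing an @ (which the note further down about starting the web interface says causes an error). The key names is_master, processor_wait_strategy and mongodb_password are assumed from graylog2.conf.example; the two node configs are constructed.

```python
# Added example, not from the original post or the Graylog2 project.
# Key names is_master, processor_wait_strategy and mongodb_password are
# assumed from graylog2.conf.example; the node configs below are constructed.


def parse_conf(text):
    """Parse a graylog2.conf-style file: one 'key = value' per line,
    blank lines and '#' comments ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_node(conf):
    """Return a list of problems with one node's settings."""
    problems = []
    strategy = conf.get("processor_wait_strategy")
    if strategy != "blocking":
        problems.append("processor_wait_strategy is %r, post recommends 'blocking'" % strategy)
    if "@" in conf.get("mongodb_password", ""):
        # the post notes that an '@' in the Mongo password breaks the web interface start-up
        problems.append("mongodb_password contains '@'")
    return problems


def check_cluster(configs):
    """configs maps node name -> parsed conf.  Exactly one node may be master."""
    problems = {}
    masters = [name for name, conf in configs.items()
               if conf.get("is_master", "false").lower() == "true"]
    if len(masters) != 1:
        problems["cluster"] = ["expected exactly one master, found %d: %s" % (len(masters), masters)]
    for name, conf in configs.items():
        node_problems = check_node(conf)
        if node_problems:
            problems[name] = node_problems
    return problems


# Constructed sample configs for two nodes
NODE_A = """\
# master node
is_master = true
processor_wait_strategy = blocking
mongodb_password = s3cret
"""

NODE_B = """\
is_master = true
processor_wait_strategy = sleeping
mongodb_password = p@ss
"""

if __name__ == "__main__":
    result = check_cluster({"node-a": parse_conf(NODE_A), "node-b": parse_conf(NODE_B)})
    for where, msgs in result.items():
        for msg in msgs:
            print("%s: %s" % (where, msg))
```

Run against real files by reading each node's graylog2.conf into parse_conf; the cluster check only makes sense when you feed it every node's config at once.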
Start up Graylog2-Server:
Note: You may see a couple of snappy error messages the first time you start graylog2. Just ignore them the first time, as it’s having to set up all the indexes.
Wait until you get this message:
Open another SSH session and test it out and make sure it’s working:
You should see a whole bunch of output if it was successful. If not, you will receive something like:
Exit WEBrick:
Drop in an init.d script to make it easy:
Load it up:
Install Graylog2 Web Interface:
Fix the Gemfile:
Note: The current version of Graylog2-Web-Interface uses json-1.5.5; unfortunately there is a royal pain in the butt issue with installing Ruby 2.0.0 and not having the ruby development headers to compile it. To work around this issue we need to change the required version of json in the Gemfile inside the graylog2-web-interface folder.
I also made some changes to the version of the mongo driver it’s using, as it was set to use a much older version (pretty sure the mongo, bson_ext part is optional).
Edit Gemfile inside graylog2-web-interface:
This is what my /usr/local/graylog2-web-interface/Gemfile looks like:
curl -L https://get.rvm.io | bash -s stable --autolibs=enabled --ruby --rails --trace   ### if it doesn't work, run this
rvm install 1.9.2
Set up a Graylog2 user:
Give root RVM access:
Set up the web interface’s mongo config:
Start Graylog2 and set up your first user:
Note: If mongo isn’t running, if you used an @ symbol in your password, or if you installed mongo from source or some other method, check /etc/mongod.conf to see where it is putting the database. You may have to create the /data/db directory; otherwise you will get an error that looks like this:
Open a browser and see if the web ui is working:
Install and configure Passenger:
Note: There is currently a bug with passenger-3.0.19 and ruby-2.0.0: if you run passenger-install-apache2-module you will get compilation errors. See this GitHub issue.
If they’ve fixed the passenger bug and you install a version > 3.0.19, then the steps below don’t apply; otherwise you can use them as a workaround.
To work around the current issue with passenger-3.0.19 you can edit the gempacktask.rb inside the passenger gem:
Delete everything in it and paste the following into it (a quick way to delete everything inside vim: type 1000dd):
Now let’s install the apache module:
Create passenger.conf for httpd:
Paste the text from the end of the passenger-apache2-module install:
Set Permissions and Add Apache to startup and load:
Open a browser and see if the web ui is working:
Technically, you’ve got a working Graylog2 setup at this point. If you wanted, you could start forwarding syslog messages to the Graylog2 server on port 514 and off you go.
If you would like to set up an AMQP broker so that messages can be queued, which adds a few useful features (such as restarting graylog2-server without losing syslog messages), read on to see how it’s set up.
Set up AMQP (RabbitMQ):
I’m going to be using RabbitMQ as our AMQP broker; you can use others if you wish.
Install RabbitMQ:
rabbitmq-server-3.1.0-1.noarch.rpm
Get RabbitMQAdmin:
Start Rabbit and add to Startup:
Create RabbitMQ users and exchanges for Graylog to use; here is the link to the official docs for reference: RabbitMQ Management
Edit graylog2.conf to enable AMQP:
Monitor the graylog2.log file for this next part, as you will immediately see Java errors if something isn’t set up right (ignore the plugin errors):
Go to the Graylog2 Web Interface > Settings > AMQP:
Add new configurations with these parameters there:
- Exchange:
- Routing key:
- TTL:
- Type:
If there are no errors in the graylog2.log file and the web UI says it was added successfully, look under Server Health on the web UI home page:
Set up the new Graylog2-Radio: Official Documentation
Edit the init script: add the chkconfig comments at the top and change a couple of paths:
Edit the Graylog2-Radio Inputs:
Start Graylog2-Radio:
You can monitor the log file to see if it’s working at:
If everything is working correctly:
Add Graylog2-Radio to Startup:
Change rsyslog to forward to Graylog2 port:
At the very bottom of the file:
Of course, this is by far the simplest way of getting all this working. Another thing you can do is add more exchanges for your applications; just don’t forget to set up the corresponding nodes in the graylog2-web-interface and inside the graylog2-radio inputs config file.
I ran through this entire setup 3 times and I “think” I got all the errors, but if you run into anything please let me know!
Side note: Stream Dashboards seem broken in 0.10.2 of the web-interface
RabbitMQ installation errors
Install libcom: yum install libcom
How to handle RabbitMQ installation error messages
Database Hang (/var/log/rabbitmq/startup_log)
- Delete the /var/lib/rabbitmq/mnesia directory and restart
Network Startup Failed
- rabbitmq could not start tcp listener
- Use netstat -nlp to check which daemon is using TCP 5672
As in most cases I'm sure, this issue was caused by a misunderstanding on my part. RHEL provides an amqp server called Qpid which was already running. Since I thought that epmd was running on 5672, I missed the listing for amqp/Qpid in netstat (not a fan of symbolic ports in the output now).
Stopping the Qpid service corrects the problem.
# service qpidd stop && chkconfig --del qpidd
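The port conflict above is easy to miss when netstat prints symbolic service names, so here is an added Python example (not from the original post) that reads numeric netstat -nlp output and reports which process holds the AMQP port. The netstat lines are constructed to mimic the situation described above, with Qpid already listening on 5672; the assumption that RabbitMQ's listener shows up as beam or beam.smp is mine.

```python
# Added example, not from the original post: find which process holds the
# AMQP port in `netstat -nlp` output.  The sample output below is constructed
# to mimic the situation described above (Qpid already listening on 5672).

AMQP_PORT = 5672

SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1021/sshd
tcp        0      0 0.0.0.0:5672                0.0.0.0:*                   LISTEN      1355/qpidd
tcp        0      0 0.0.0.0:4369                0.0.0.0:*                   LISTEN      2201/epmd
tcp        0      0 :::27017                    :::*                        LISTEN      1400/mongod
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               1200/rsyslogd
"""


def listeners_on_port(netstat_output, port):
    """Return (pid, program) pairs for TCP sockets in LISTEN state on `port`.
    Only tcp/tcp6 LISTEN lines have all seven columns; udp lines are skipped.
    pid is None when netstat printed '-' (not run as root)."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        local_port = parts[3].rsplit(":", 1)[-1]
        if local_port != str(port):
            continue
        pid, _, prog = parts[6].partition("/")
        found.append((int(pid) if pid.isdigit() else None, prog or parts[6]))
    return found


def amqp_port_conflicts(netstat_output, broker_program="beam"):
    """Listeners on 5672 that are not the expected broker.  RabbitMQ runs
    inside the Erlang VM, so its listener shows up as beam or beam.smp
    (assumed program-name prefix)."""
    return [(pid, prog) for pid, prog in listeners_on_port(netstat_output, AMQP_PORT)
            if not prog.startswith(broker_program)]


if __name__ == "__main__":
    for pid, prog in amqp_port_conflicts(SAMPLE_NETSTAT):
        print("port %d is held by %s (pid %s), not RabbitMQ" % (AMQP_PORT, prog, pid))
```

On a real box, pipe the output of netstat -nlp (run as root so the PID/Program column is filled in) into amqp_port_conflicts; an empty result means nothing but the Erlang VM owns 5672.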
Client SYSLOG integration: when integrating via the default syslog, graylog2 shows a bug where the process name is written into the host field value. As a workaround, install rsyslog and then proceed with the settings below.
/etc/rsyslog.conf:
$template GRAYLOG2,"<%PRI%>%HOSTNAME% %TIMESTAMP% %syslogtag% %APP-NAME% %msg%\n"
$ActionForwardDefaultTemplate GRAYLOG2
*.* @graylog-server
/etc/sysconfig/rsyslogd.conf
SYSLOGD_OPTIONS="-c2 -m 0 -r514"
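To show why the template above fixes the host field, here is an added Python example (not from the original post or from Graylog2): a lenient BSD-syslog parser that takes the token after the timestamp as the host, so a sender that omits its hostname ends up with the process tag in that field, plus a renderer for the GRAYLOG2 template above that always includes the hostname. The sample messages and the host "web01" are constructed.

```python
# Added example, not from the original post: a lenient BSD-syslog parser that
# reproduces the "process name in the host field" symptom described above and
# renders a line with the post's GRAYLOG2 rsyslog template so the hostname is
# always present.  All sample messages are constructed.
import re

MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_bsd_syslog(line):
    """Split '<PRI>header msg' into fields.  A timestamp ('May 21 10:00:00')
    and a hostname may follow the PRI in either order.  If the sender omitted
    the hostname entirely, the next token, which is the syslog tag such as
    'sshd[123]:', lands in the host field: that is the bug described above."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI>: %r" % line)
    pri = int(m.group(1))
    tokens = m.group(2).split()
    timestamp = host = None
    i = 0
    # consume at most one timestamp and one hostname from the header
    while i < len(tokens) and (timestamp is None or host is None):
        if timestamp is None and tokens[i] in MONTHS and i + 2 < len(tokens):
            timestamp = " ".join(tokens[i:i + 3])
            i += 3
        elif host is None:
            host = tokens[i]
            i += 1
        else:
            break
    tag = tokens[i] if i < len(tokens) else ""
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": timestamp,
        "host": host,
        "tag": tag,
        "msg": " ".join(tokens[i + 1:]),
    }


def host_looks_like_tag(host):
    """Detect the symptom: a host value shaped like a syslog tag ('prog[pid]:')."""
    return host is not None and (host.endswith(":") or "[" in host)


def render_graylog2_template(pri, hostname, timestamp, syslogtag, appname, msg):
    """Render the rsyslog template from the post:
    "<%PRI%>%HOSTNAME% %TIMESTAMP% %syslogtag% %APP-NAME% %msg%\\n" """
    return "<%d>%s %s %s %s %s\n" % (pri, hostname, timestamp, syslogtag, appname, msg)


# Constructed samples: the first is what a sender without a hostname produces
NO_HOST_LINE = "<13>May 21 10:00:00 sshd[123]: Accepted publickey for root"
FIXED_LINE = render_graylog2_template(13, "web01", "May 21 10:00:00",
                                      "sshd[123]:", "sshd", "Accepted publickey for root")

if __name__ == "__main__":
    for line in (NO_HOST_LINE, FIXED_LINE):
        parsed = parse_bsd_syslog(line)
        print(parsed["host"], "<- looks like a tag" if host_looks_like_tag(parsed["host"]) else "")
```

host_looks_like_tag is the check to run over what your Graylog2 server actually records: if host values end in a colon or carry a bracketed PID, the client is still sending without a hostname and the template has not taken effect.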