Graylog platform log output test


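1. Collection environment

   The customer environment runs Graylog 3.3.8, so the test environment is also deployed with Graylog 3.3.8.

   Deployment OS: CentOS 7.6

   JDK: 1.8

   MongoDB: 4.x

   Elasticsearch: 6.x

2. Test architecture

3. Deploying Graylog 3.3.8

3.1 Install the JDK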

yum install java-1.8.0-openjdk-headless.x86_64 -y

3.2 Install pwgen

yum install epel-release -y

yum install pwgen -y

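3.3 Install rsyslog

yum install rsyslog

vim /etc/rsyslog.conf

# In the configuration file, append the following as the last line; a single @ forwards over UDP, and to forward over TCP add one more @

*.* @127.0.0.1:5140

# Restart rsyslog so that the new forwarding rule is loaded (start alone does nothing if the service is already running)

systemctl restart rsyslog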

3.4 Install MongoDB

Configure the MongoDB repository:

vim /etc/yum.repos.d/mongodb-org.repo

# Add the following content

[mongodb-org-4.0]

name=MongoDB Repository

baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/

gpgcheck=1

enabled=1

gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc

# Install with yum

yum install mongodb-org -y

# Enable start on boot

systemctl daemon-reload

systemctl enable mongod.service

systemctl start mongod.service

3.5 Install Elasticsearch

Configure the Elasticsearch repository:

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

vim /etc/yum.repos.d/elasticsearch.repo

# Add the following parameters:

[elasticsearch-6.x]

name=Elasticsearch repository for 6.x packages

baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum

gpgcheck=1

gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch

enabled=1

autorefresh=1

type=rpm-md

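# Install with yum

yum install elasticsearch-oss -y

# Configure the Elasticsearch parameters:

vim /etc/elasticsearch/elasticsearch.yml

# Add the following parameters. network.host: 0.0.0.0 makes Elasticsearch listen on every interface,
# and elasticsearch-oss has no built-in authentication, so restrict access to port 9200 with a firewall.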

cluster.name: graylog

network.host: 0.0.0.0

http.port: 9200

# Enable start on boot:

systemctl daemon-reload

systemctl enable elasticsearch.service

systemctl restart elasticsearch.service

3.6 Install Graylog

# Configure the Graylog repository:

rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.3-repository_latest.rpm

yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins

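# Generate the password_secret value with pwgen

pwgen -N 1 -s 96

# Generate the root_password_sha2 string (SHA-256 hash of the admin password)

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

# Edit the Graylog configuration file; the two values generated above must be filled in as password_secret and root_password_sha2

vim /etc/graylog/server/server.conf

# Add the following configuration parameters
# (web_listen_uri, rest_listen_uri and rest_transport_uri are pre-3.0 settings; since Graylog 3.0 the web interface and REST API both listen on http_bind_address)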

root_timezone = Asia/Shanghai

http_bind_address = 0.0.0.0:9000

web_listen_uri = http://0.0.0.0:9000/

rest_listen_uri = http://0.0.0.0:12900/

rest_transport_uri = http://172.16.0.4:12900/

# Enable start on boot

systemctl daemon-reload

systemctl enable graylog-server.service

systemctl start graylog-server.service
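
A quick way to check the values filled in during step 3.6 before starting the service. This is an added example, not part of the original article or of Graylog itself: the function names conf_get and check_graylog_conf are hypothetical, the 64-character minimum for password_secret is an assumption, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: lint the server.conf settings
# from section 3.6 before starting graylog-server.

# conf_get KEY FILE: print the value of the last "KEY = value" line.
conf_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
    tail -n 1 | sed 's/[[:space:]]*$//'
}

# SHA-256 of empty input: what the hashing pipeline yields if no password is typed.
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# check_graylog_conf FILE: print one line per finding; exit status = number of findings.
check_graylog_conf() {
  cg_n=0
  cg_secret=$(conf_get password_secret "$1")
  cg_hash=$(conf_get root_password_sha2 "$1")
  cg_bind=$(conf_get http_bind_address "$1")
  # Assumption: 64 characters as the minimum; pwgen -N 1 -s 96 yields 96.
  if [ "${#cg_secret}" -lt 64 ]; then
    echo "password_secret: ${#cg_secret} characters, expected at least 64"
    cg_n=$((cg_n + 1))
  fi
  if ! printf '%s\n' "$cg_hash" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "root_password_sha2: not a 64-character lowercase hex digest"
    cg_n=$((cg_n + 1))
  elif [ "$cg_hash" = "$EMPTY_SHA256" ]; then
    echo "root_password_sha2: digest of an empty password"
    cg_n=$((cg_n + 1))
  fi
  case $cg_bind in
    0.0.0.0:*)
      echo "http_bind_address: $cg_bind listens on every interface"
      cg_n=$((cg_n + 1)) ;;
  esac
  return "$cg_n"
}

# Constructed sample input, not a real configuration.
sample=$(mktemp)
printf '%s\n' 'password_secret = tooshort' \
  "root_password_sha2 = $EMPTY_SHA256" \
  'http_bind_address = 0.0.0.0:9000' > "$sample"
check_graylog_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

The http_bind_address finding matters when nginx from step 3.7 is used, because the proxy only needs to reach 127.0.0.1:9000.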

3.7 Install nginx

Note: this step can be skipped on a local server.

# Install with yum

yum install nginx

# Modify the configuration

vim /etc/nginx/nginx.conf

server

{

    listen 80 default_server;

    listen [::]:80 default_server ipv6only=on;

    server_name 123.207.230.131;



    location / {

      proxy_set_header Host $http_host;

      proxy_set_header X-Forwarded-Host $host;

      proxy_set_header X-Forwarded-Server $host;

      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

      proxy_set_header X-Graylog-Server-URL http://$server_name/;

      proxy_pass       http://127.0.0.1:9000;

    }

}

# Start nginx

nginx

3.8 Install Logstash

# Install with yum

yum install logstash

# Modify the configuration

vim /etc/logstash/logstash.conf

# Logstash pipeline for this test:

# GELF over UDP in, every received event printed to stdout.



input {

  gelf {

    host => "172.16.0.4"

    port_udp => "5130"

  }

}



output {

  stdout {

    codec => rubydebug

  }

}

# Start Logstash:

 /usr/share/logstash/bin/logstash -f /etc/logstash/logstash.conf

4. Graylog configuration screenshots and results

 
