graylog2
October 18th, 2016

Table of contents
Introduction
Prerequisites
Installing Elasticsearch
Installing MongoDB
Installing Graylog2
Installing the Graylog2 web interface
Start-up script
Configuring the rsyslog clients
Miscellaneous documentation
Problems
Introduction

Prerequisites

All commands on this page are run as root.

apt-get install openjdk-7-jre openjdk-7-jre-headless
Installing Elasticsearch

wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-0.90.12.tar.gz
tar zxf elasticsearch-0.90.12.tar.gz
mv elasticsearch-0.90.12 /opt
cd /opt
ln -s elasticsearch-0.90.12 elasticsearch

Adapt the file /opt/elasticsearch/bin/elasticsearch to the machine. Elasticsearch 0.90 accepts HTTP on port 9200 and transport connections on port 9300 from every interface, with no authentication: when Graylog2 runs on the same host, set network.host to 127.0.0.1 in config/elasticsearch.yml, or firewall both ports.

Start the server:
/opt/elasticsearch/bin/elasticsearch
(with the -f option to run it in the foreground)
Installing MongoDB

wget http://downloads.mongodb.org/linux/mongodb-linux-x86_64-latest.tgz
tar zxf mongodb-linux-x86_64-latest.tgz
mv mongodb-linux-x86_64-057a542daf11a62c1f57b3b406cb8fd33804a831-2014-03-11 /opt/mongodb
mkdir -p /data/db
chown graylog:graylog /data/db

The "latest" tarball unpacks into a directory whose name carries the build hash and date, so the mv line has to be adapted to whatever was downloaded. The graylog user is assumed to exist already; it is not created on this page.

Start the server:
sudo -u graylog /opt/mongodb/bin/mongod &

Started this way, mongod listens on every interface and, with no users defined, without authentication; add --bind_ip 127.0.0.1 when graylog2-server runs on the same host.
Installing Graylog2

Source: http://support.torch.sh/help/kb/graylog2-server/installing-graylog2-server-v020x-on-nix-systems

wget https://github.com/Graylog2/graylog2-server/releases/download/0.20.1/graylog2-server-0.20.1.tgz
tar zxf graylog2-server-0.20.1.tgz
mv graylog2-server-0.20.1 /opt
cd /opt
ln -s graylog2-server-0.20.1 graylog2

Adapt the config file:
cp graylog2/graylog2.conf.example /etc/graylog2.conf
vi /etc/graylog2.conf

At a minimum set password_secret (a long random string used to pepper the stored user passwords) and root_password_sha2 (the hex SHA-256 digest of the admin password); the comments in the example file describe both. Leave rest_listen_uri on 127.0.0.1 unless the web interface runs on another host.
Installing the Graylog2 web interface

Source: http://support.torch.sh/help/kb/graylog2-web-interface/installing-graylog2-web-interface-v020x-on-nix-systems

Download graylog2-web-interface-0.20.1.tgz (see the source above), then:
tar zxf graylog2-web-interface-0.20.1.tgz
mv graylog2-web-interface-0.20.1 /opt/
cd /opt
ln -s graylog2-web-interface-0.20.1 graylog2-web

Adapt the config file:
vi graylog2-web/conf/graylog2-web-interface.conf

It needs the REST URI of the server (graylog2-server.uris, matching rest_listen_uri in /etc/graylog2.conf) and its own application.secret.
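The two configuration steps above (server, then web interface) both hinge on secrets that the example files ship empty. What follows is an added example written for this page, not code from Graylog2: it generates the two values, shows a weak and a hardened /etc/graylog2.conf side by side (both are constructed samples) and lints a file before the server is started. The key names password_secret, root_password_sha2 and rest_listen_uri (graylog2.conf) and application.secret (graylog2-web-interface.conf) are taken from the 0.20.x example files as remembered here and are assumptions to verify against your own copies.

```python
"""Generate the secrets graylog2.conf needs and lint a config for weak settings.

Added example for this page, not Graylog2's own tooling.  Assumed key names
(0.20.x example files): password_secret, root_password_sha2, rest_listen_uri
in graylog2.conf; application.secret in graylog2-web-interface.conf.
"""
import hashlib
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def password_secret(length=96):
    """Random string for password_secret (the example file suggests pwgen -s 96)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def root_password_sha2(password):
    """Hex SHA-256 of the admin password, the form root_password_sha2 expects;
    the shell equivalent is: echo -n "$password" | sha256sum"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def parse_conf(text):
    """Read 'key = value' lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip().strip('"')
    return conf


def lint_server_conf(text):
    """Problems a reviewer would flag in /etc/graylog2.conf; [] means it passed."""
    conf = parse_conf(text)
    problems = []
    if len(conf.get("password_secret", "")) < 64:
        problems.append("password_secret missing or shorter than 64 characters")
    digest = conf.get("root_password_sha2", "")
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        problems.append("root_password_sha2 is not a hex SHA-256 digest")
    elif digest == root_password_sha2("admin"):
        problems.append("root_password_sha2 is the hash of the password 'admin'")
    if "0.0.0.0" in conf.get("rest_listen_uri", ""):
        problems.append("rest_listen_uri listens on every interface")
    return problems


def lint_web_conf(text):
    """Same idea for graylog2-web-interface.conf: the Play secret must be set."""
    conf = parse_conf(text)
    if len(conf.get("application.secret", "")) < 64:
        return ["application.secret missing or shorter than 64 characters"]
    return []


# Constructed sample: the example file copied to /etc and left as it is,
# with an admin password hashed from the obvious choice.
WEAK_SERVER_CONF = """\
is_master = true
password_secret =
root_password_sha2 = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
rest_listen_uri = http://0.0.0.0:12900/
"""


def hardened_server_conf(admin_password):
    """The same four lines as they should read before the server is started."""
    return (
        "is_master = true\n"
        "password_secret = %s\n"
        "root_password_sha2 = %s\n"
        "rest_listen_uri = http://127.0.0.1:12900/\n"
    ) % (password_secret(), root_password_sha2(admin_password))


if __name__ == "__main__":
    import getpass
    print("weak config:", lint_server_conf(WEAK_SERVER_CONF))
    print(hardened_server_conf(getpass.getpass("admin password: ")))
```

Paste the printed lines over the matching keys in /etc/graylog2.conf, and give graylog2-web-interface.conf an application.secret generated the same way; graylog2-server.uris in that file must point at the rest_listen_uri chosen here.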
Start-up script

Save the script below as /etc/init.d/graylog2, make it executable, then register it:

insserv graylog2

#! /bin/sh
### BEGIN INIT INFO
# Provides: graylog2
# Required-Start: $local_fs $remote_fs $network
# Required-Stop: $local_fs $remote_fs
# X-Start-Before:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start graylog2, by B Richard
# Description: start elasticsearch, mongod, graylog2-server and the web interface, by B Richard
### END INIT INFO

# Everything goes through the /opt symlinks, so an upgrade only needs the links moved.
GL_SERVER=/opt/graylog2
GL_WEB=/opt/graylog2-web
GL_USER=graylog
# elasticsearch, graylog2-server and the web interface run as root here; only a
# syslog input on port 514 needs that. With inputs on ports above 1024 (1514, as
# in the rsyslog relay further down) they can be run with sudo -u $GL_USER like mongod.

case "$1" in
start)
    # start the elasticsearch database (the 0.90 script daemonises by itself)
    /opt/elasticsearch/bin/elasticsearch
    # for debugging, run it in the foreground instead:
    # /opt/elasticsearch/bin/elasticsearch -f
    sleep 2
    # start mongod as $GL_USER; the log directory must exist and be writable by it,
    # and --bind_ip keeps it off the network (drop it if graylog2-server runs elsewhere)
    [ -d /var/log/mongod ] || { mkdir -p /var/log/mongod && chown $GL_USER /var/log/mongod; }
    sudo -u $GL_USER /opt/mongodb/bin/mongod --logpath /var/log/mongod/mongod.log --bind_ip 127.0.0.1 &
    sleep 2
    # start the graylog2 server
    cd $GL_SERVER || exit 1
    java -jar graylog2-server.jar 2> $GL_SERVER/log/graylog2-server.err > $GL_SERVER/log/graylog2-server.log &
    # for debugging:
    # java -jar graylog2-server.jar --debug
    sleep 5
    # start the web interface
    cd $GL_WEB || exit 1
    ./bin/graylog2-web-interface 2> $GL_WEB/logs/graylog2-web-interface.err > $GL_WEB/logs/graylog2-web-interface.log &
    ;;
stop)
    pkill -f graylog2-web-interface
    pkill -f graylog2-server.jar
    sleep 1
    pkill -f /opt/mongodb/bin/mongod
    sleep 1
    # match the Elasticsearch main class rather than the bare word "elasticsearch",
    # which would also kill, say, an editor open on elasticsearch.yml
    pkill -f org.elasticsearch.bootstrap
    ;;
*)
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac
exit 0
Configuring the rsyslog clients

Each client forwards everything to the Graylog2 host with a template that lays the message out RFC 5424 style. The template ends in \n (the backslash is easy to lose when copying); the only difference between the two transports is the number of @ signs.

UDP:
$template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
*.* @graylog2.example.org:514;GRAYLOGRFC5424

TCP:
$template GRAYLOGRFC5424,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
*.* @@graylog2.example.org:514;GRAYLOGRFC5424

Two caveats. The template drops the MSGID and STRUCTURED-DATA fields of RFC 5424 (rsyslog's built-in RSYSLOG_SyslogProtocol23Format keeps them), and both transports send the logs in clear text, UDP without any delivery guarantee. For a message that reached rsyslog in the old BSD format, %protocol-version% expands to 0; the final template in the Problems section writes a literal 1 instead.
Miscellaneous documentation
http://wiki.monitoring-fr.org/infra/graylog2
http://filsbak.free.fr/index.php?app=tutoriels&ctrl=index&act=view&id=6
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/setup-configuration.html
Problems

Invalid source

When the messages are displayed, the source is not always identified properly: the field graylog2 picks is not the right one.

Solution:

"Have your Linux hosts send syslog to rsyslog on your graylog2 server and configure rsyslog to rewrite the messages and then forward to Graylog. It works great and is especially useful for ESXi as well. The rules for rsyslog are like this."

$template GRAYLOG24,"<%pri%>%protocol-version% %timestamp% %HOSTNAME% %app-name% %procid% %msg%\n"
$PreserveFQDN on
*.* @10.165.1.1:1514;GRAYLOG24
So I receive the messages through the rsyslog on my Debian box, reformat them and forward them to graylog2.

Note:

"syslog input is missing the hostname field!
That is most likely caused by non-compliant (RFC) syslog messages. Especially appliances and network hardware tend to do that. However, v0.20.0 brings extractors which allow you to parse any text input yourself. Just send those syslog messages to a Raw/Plaintext UDP input instead of the syslog input and use extractors to extract the relevant information into fields. You can find a screencast of the extractors in action here: http://www.youtube.com/watch?v=DEReadkHf2Y
Let me know if you need help with anything."

Source: http://grokbase.com/t/gg/graylog2/13bf0maj8t/0-20-0-preview-6-syslog-input-is-missing-the-hostname-field
In the end I use this configuration:

$template GRAYLOG24,"<%PRI%>1 %timegenerated:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msg%\n"
$PreserveFQDN on
*.* @10.165.1.1:1514;GRAYLOG24

"timereported is the time that the client put in the log (with whatever precision and timezone that the client reported it in). timegenerated is the timestamp that the server received the log (high-precision timestamp in the server's timezone)."

timegenerated gives a uniform date whatever the client. The price is that the event time the client itself reported no longer appears in the forwarded message. Note also that the relay sends to port 1514, above 1024, so the Graylog2 syslog input receiving it does not need root to bind.
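Both the client templates in the rsyslog section and the relay template just above rely on the same two things: what a syslog line looks like before and after rsyslog rewrites it, and where the source comes from when a message carries no HOSTNAME. The following is an added example written for this page, not code from rsyslog or Graylog2. It parses a Linux line and an appliance line (both constructed), shows that the appliance line has no hostname to extract, and rebuilds each line in the layout the final template emits: version fixed to 1, timegenerated as the timestamp, the parsed HOSTNAME or the sender's FQDN as source. The peer name and the receive time are assumptions; the fallback to the sending peer is the one rsyslog applies when it fills %HOSTNAME%, Graylog2's own fallback is not modelled.

```python
"""Classify syslog lines and rebuild them the way the page's rsyslog relay does.

Added example for this page, not code from rsyslog or Graylog2.  Sample lines,
peer name and receive time are constructed.  Output layout is the page's final
template:  <PRI>1 <timegenerated, RFC 3339> <HOSTNAME> <app-name> <procid> <msg>
"""
import re
from datetime import datetime, timezone

# RFC 5424 style line as produced by the page's templates (no MSGID / SD part)
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) ?(?P<msg>.*)$"
)
# Classic BSD (RFC 3164) line: <PRI>Mmm dd hh:mm:ss [HOSTNAME] TAG[PID]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$"
)
TAG_RE = re.compile(r"^(?P<app>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$")

# Constructed inputs: a Linux host that sends its hostname, and an appliance
# that sends none (the case the mailing-list reply above describes).
LINUX_LINE = "<34>Mar 11 12:00:00 web01 sshd[1234]: Accepted publickey for root from 10.0.0.5 port 2222"
APPLIANCE_LINE = "<166>Mar 11 12:00:00 %ASA-6-302013: Built outbound TCP connection 1 for outside:10.0.0.5/443"
APPLIANCE_PEER = "fw01.example.org"          # assumed: what rsyslog resolves the sender to
RECEIVED_AT = datetime(2014, 3, 11, 12, 0, 5, tzinfo=timezone.utc)  # stands in for timegenerated


def _fields(pri, timestamp, host, app, procid, msg, peer, fmt):
    return {
        "format": fmt,
        "pri": pri,
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": timestamp,
        "source": host if host else peer,        # no HOSTNAME: fall back to the sender
        "source_from_message": host is not None,
        "app": app,
        "procid": procid,
        "msg": msg,
    }


def parse_syslog(line, peer):
    """Split a syslog line into fields; `source` is the message's HOSTNAME or,
    when the line carries none, the sending peer."""
    m = RFC5424_RE.match(line)
    if m:
        procid = None if m["procid"] == "-" else m["procid"]
        return _fields(int(m["pri"]), m["ts"], m["host"], m["app"], procid, m["msg"], peer, "rfc5424")
    m = RFC3164_RE.match(line)
    if not m:
        # neither PRI nor timestamp: rsyslog assumes <13> (user.notice)
        return _fields(13, None, None, "-", None, line, peer, "unknown")
    host, _, tail = m["rest"].partition(" ")
    # A first token ending in ':' or carrying '[pid]' is already the TAG, so the
    # line has no HOSTNAME at all; appliances and network gear typically do this.
    if host.endswith(":") or "[" in host:
        host, tail = None, m["rest"]
    t = TAG_RE.match(tail)
    if t:
        return _fields(int(m["pri"]), m["ts"], host, t["app"], t["pid"], t["msg"], peer, "rfc3164")
    return _fields(int(m["pri"]), m["ts"], host, "-", None, tail, peer, "rfc3164")


def relay_rewrite(line, peer, received_at):
    """Rebuild the line as the page's relay template does: version 1, the
    receive time (timegenerated) in RFC 3339, the parsed HOSTNAME or the peer's
    FQDN ($PreserveFQDN on), '-' for a missing PROCID."""
    f = parse_syslog(line, peer)
    ts = received_at.isoformat(timespec="microseconds")
    return "<%d>1 %s %s %s %s %s" % (f["pri"], ts, f["source"], f["app"], f["procid"] or "-", f["msg"])


if __name__ == "__main__":
    for raw in (LINUX_LINE, APPLIANCE_LINE):
        before = parse_syslog(raw, APPLIANCE_PEER)
        after = relay_rewrite(raw, APPLIANCE_PEER, RECEIVED_AT)
        print("source in message: %s -> %s" % (before["source_from_message"], after))
```

Run as is, it prints both lines after the rewrite: the Linux line keeps web01 as source, the appliance line gets fw01.example.org, and both carry the same receive timestamp whatever the client put in its own. Feeding the rewritten appliance line back into parse_syslog shows why the Graylog2 syslog input is then happy: it now matches the RFC 5424 pattern with a hostname in place.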

Contact

To send me an e-mail or leave me a comment: richard.brunooo at gmail.com