elk: graylog config - Githubissues

hhstore / blog

My Tech Blog: about Mojo / Rust / Golang / Python / Kotlin / Flutter / VueJS / Blockchain etc.

280 stars 23 forks source link

部署方案参考:

https://thehftguy.com/2016/09/12/250-gbday-of-logs-with-graylog-lessons-learned/
部署架构图

默认密码修改:

http://blog.51cto.com/cloudman/1980504
--link 参数让 Graylog 容器能够用主机名 mongo 和 elasticsearch 访问 MongoDB 和 Elasticsearch 的服务。
-p 9000:9000 映射 Graylog 的 Web 服务端口 9000。
-p 12201:12201/udp 映射 Graylog 接收日志数据的 UDP 端口 12201。
容器启动后，在 Web 浏览器中访问 http://[Docker Host IP]:9000
用户名/密码 = admin/admin
登录后显示 Getting Started 页面。

GRAYLOG_WEB_ENDPOINT_URI 指定 Graylog 的 Web 访问 URI，请注意这里需要使用 Docker Host 的外部 IP（在实验环境中为 192.168.56.101）。

GRAYLOG_ROOT_PASSWORD_SHA2 指定 Graylog 管理员用户密码的哈希值，在这个例子中密码为 admin。可以通过如下命令生成自己的密码哈希，比如：

echo -n yourpassword | shasum -a 256

日志配置注意:

配置多个 log 接收端口:
- 12201/udp:12201/udp"
- "12202/udp:12202/udp"
- 对应多个 input, 区分数据源

fix:

web UI 访问, 必须配置公网IP, or 域名. 不可用是内网IP.

定制化配置:

进入容器, 拷贝出配置文件, 再挂载进去

$ docker exec -ti root_graylog_1 bash

root@e76f6e178420:/usr/share/graylog# pwd
/usr/share/graylog

root@e76f6e178420:/usr/share/graylog# ls data/config/
graylog.conf  log4j2.xml  node-id

# 配置目录
$ ls /data/config

graylog.conf  log4j2.xml  node-id

# docker-compose 映射
#- /graylog/config:/usr/share/graylog/data/config

# 重启:
docker-compose up -d

ref:

http://www.ywnds.com/?p=7705

graylog:

cat docker-compose.yml

graylog 必须是公网IP, or 公网 URL 域名.

version: '2' services: # MongoDB: https://hub.docker.com/_/mongo/ mongodb: image: mongo:3 volumes: - mongo_data:/data/db # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/5.6/docker.html elasticsearch: image: docker.elastic.co/elasticsearch/elasticsearch:5.6.3 volumes: - es_data:/usr/share/elasticsearch/data environment: - http.host=0.0.0.0 - transport.host=localhost - network.host=0.0.0.0 # Disable X-Pack security: https://www.elastic.co/guide/en/elasticsearch/reference/5.6/security-settings.html#general-security-settings - xpack.security.enabled=false # 10g = 10240 - "ES_JAVA_OPTS=-Xms10240m -Xmx10240m" ulimits: memlock: soft: -1 hard: -1 mem_limit: 12g # Graylog: https://hub.docker.com/r/graylog/graylog/ graylog: image: graylog/graylog:2.4.0-1 volumes: - graylog_journal:/usr/share/graylog/data/journal environment: # CHANGE ME! - GRAYLOG_PASSWORD_SECRET=somepasswordpepper # Password: admin - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 # 172.31.45.240 #- GRAYLOG_WEB_ENDPOINT_URI=http://172.31.45.240:19100/api - GRAYLOG_WEB_ENDPOINT_URI=http://elk.btcc.online/api links: - mongodb:mongo - elasticsearch depends_on: - mongodb - elasticsearch ports: # Graylog web interface and REST API - 19100:9000 # Syslog TCP - 514:514 # Syslog UDP - 514:514/udp # GELF TCP - 12201:12201 # GELF UDP - 12201:12201/udp # Volumes for persisting data, see https://docs.docker.com/engine/admin/volumes/volumes/ volumes: mongo_data: driver: local es_data: driver: local graylog_journal: