Bootstrap

graylog实现日志监控

graylog

graylog是一个轻量级的日志管理工具,依托elasticsearch作为日志存储中间件,MongoDB作为元数据信息存储中间件.自带WEB-UI界面,LDAP整合各种日志类型.提供了日志收集、日志查询、监控告警等相关功能。提供了graylog sidecar通过sidecar模式可以很方便的收集目标主机、容器的各种日志信息,无缝整合filebeat。搜索语法跟kibana类似,自带简单的监控告警功能提供了webhook email等方式。

部署

官方提供了docker docker-compose 手动部署等模式可供用户自行选择
本次采用docker部署

  1. graylog依赖了ES和MongoDB 需要提前将ES 和 MongoDB部署完成并且保持与graylog之间网络互通

  2. 生成**password_secret** 和 root_password_sha2

    #password 需要至少64位的随机数即可 如果有多个节点graylog需要保证password_secret是一致的
    pwgen -N 1 -s 96
    # root_password_sha2 作为WEB-UI 的管理员密码 默认用户名admin
    echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
    
    
  3. 采用docker部署

    docker run
    -p 9000:9000 -p 12201:12201 -p 1514:1514 -p 5555:5555  -p 5044:5044
    -e GRAYLOG_HTTP_EXTERNAL_URI="http://127.0.0.1:9000/"
    -e GRAYLOG_IS_MASTER="true"
    -e GRAYLOG_PASSWORD_SECRET="填入上面生成的password_secret"
    -e GRAYLOG_ROOT_PASSWORD_SHA2="填入上面生成的root_password"
    -e GRAYLOG_ELASTICSEARCH_HOSTS="http://username:[email protected]:9200"
    -e GRAYLOG_MONGODB_URI="mongodb://10.60.36.230:27017/graylog"
    -e GRAYLOG_ROOT_TIMEZONE=Asia/Shanghai
    --name=graylog
    -d graylog/graylog:5.0
    
  4. 访问graylog WEB-UI localhost:9000 默认端口9000 输入用户名admin和上面设置的root_password密码的原文

    image-20230413151634586

此上graylog-server部署完成

graylog sidecar

sidecar类似一个agent的模式作为日志的采集者发送数据给graylog-server也是官方比较推荐的一种日志收集方式

  1. 选择符合graylog-server版本的 sidecar https://go2docs.graylog.org/5-0/getting_in_log_data/graylog_sidecar.html?tocpath=Getting%20in%20Log%20Data%7CGraylog%20Sidecar%7C_____0

  2. 以windows为例 其他安装参考官方文档

  3. 通过WEB-UI 生成一个API token

    image-20230413152109419

  4. 根据步骤逐步安装 修改graylog API的URL 和刚刚生成API token 还有实例名称(默认用hostname)

    image-20230413155915359

  5. 如果上述配置错了可以再 C:\\Program Files\\Graylog\\sidecar\\sidecar.yml. 修改其中的配置重启

  6. 此时可以在WEB-UI看见sidecar

    image-20230413160202354

  7. 添加INPUT BEAT数据源

    image-20230413160238602

    image-20230413160353088

  8. 配置sidecar的configuration抓取规则 选择collector收集器为filebeat 下方输入filebeat的抓取配置规则

    image-20230413160756557

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["localhost:5044"]
path:
  data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\filebeat"}\data
  logs: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar"}\logs
tags:
 - windows
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - C:\Users\admin\Desktop\test_log\info/*.log
  multiline.pattern: '^20'                    #多行匹配规则
  multiline.negate: true                    #将不匹配的规则的行合并在一起
  multiline.match: after                #合并到匹配规则的上一行末尾
  tags: ["demo","info"]

- type: log
  enabled: true
  paths:
    - C:\Users\admin\Desktop\test_log\*-error-*.log
  multiline.pattern: '^20'                    #多行匹配规则
  multiline.negate: true                    #将不匹配的规则的行合并在一起
  multiline.match: after                #合并到匹配规则的上一行末尾
  tags: ["demo","error"]
 
  1. 下发filebeat的配置文件 Assign Configuration 并且执行 Process

    image-20230413161148481

  2. 选择sidecar Show messages 查看日志

    image-20230413162138531

    image-20230413162144915

配置graylog 日志告警

  1. 选择顶部导航栏Alerts 选择 Notification 添加通知渠道

    image-20230413162625947

  2. 选择添加一个web hook的通知渠道

    image-20230413162830681

  3. 选择顶部导航栏Alerts 选择Event Definition 创建一个事件定义

    image-20230413162434446

  4. 根据提示步骤 定义事件基础信息 描述 级别

image-20230413163308519

  1. 配置filter 核心需要配置Search Query 规则 右侧可以返回Search Query返回的数据

    image-20230413163430327

  2. 配置执行调度时间等规则

  3. 自定义字段如有需要的话

    image-20230413163539987

  4. 选择之前配置的通知渠道 选择message backlog 会最终通知到webhook的backlog字段中 包含了消息原文信息 建议配置 grace period 配置安静期避免告警风暴

    image-20230413163755980

  5. 查看配置概述 没问题选择Update event definition

    image-20230413163822478

  6. 发送ERROR日志查看webhook接口的告警

    返回json报文示例

    {
        "event_definition_id": "643775ac247b2e0934262df5",
        "event_definition_type": "aggregation-v1",
        "event_definition_title": "demo-error-log-alert",
        "event_definition_description": "",
        "job_definition_id": "6437759a247b2e0934262dcd",
        "job_trigger_id": "6437bfc8247b2e093426c914",
        "event": {
            "id": "01GXWWA9QSVY0G89SMD94YB0W2",
            "event_definition_type": "aggregation-v1",
            "event_definition_id": "643775ac247b2e0934262df5",
            "origin_context": "urn:graylog:message:es:graylog_0:a5250950-d9d6-11ed-bcc0-0242ac110002",
            "timestamp": "2023-04-13T08:38:54.824Z",
            "timestamp_processing": "2023-04-13T08:39:36.441Z",
            "timerange_start": null,
            "timerange_end": null,
            "streams": [
                
            ],
            "source_streams": [
                "000000000000000000000001"
            ],
            "message": "demo-error-log-alert",
            "source": "1ac9b7a6d52e",
            "key_tuple": [
                
            ],
            "key": "",
            "priority": 3,
            "alert": true,
            "fields": {
                
            },
            "group_by_fields": {
                
            }
        },
        "backlog": [
            {
                "index": "graylog_0",
                "message": "2023-04-13 16:38:54.824 -- [demo1] -- ERROR 14996 --- [http-nio-4100-exec-5] [] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is java.lang.ArithmeticException: / by zero] with root cause\n\njava.lang.ArithmeticException: / by zero\n\tat com.corn.controller.LogController.error(LogController.java:26)\n\tat sun.reflect.GeneratedMethodAccessor72.invoke(Unknown Source)\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)\n\tat java.lang.reflect.Method.invoke(Method.java:498)\n\tat org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)\n\tat org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150)\n\tat org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117)\n\tat org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895)\n\tat org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808)\n\tat org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)\n\tat org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1067)\n\tat org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963)\n\tat org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)\n\tat org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:655)\n\tat org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)\n\tat javax.servlet.http.HttpServlet.service(HttpServlet.java:764)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n\tat org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n\tat org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n\tat org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n\tat org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)\n\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)\n\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)\n\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)\n\tat org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)\n\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\n\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)\n\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)\n\tat org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)\n\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\n\tat org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:889)\n\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743)\n\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\n\tat org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)\n\tat org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)\n\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\n\tat java.lang.Thread.run(Thread.java:748)",
                "fields": {
                    "filebeat_log_offset": 186267,
                    "filebeat_agent_name": "LAPTOP-1BQNQ8EO",
                    "gl2_remote_ip": "172.17.0.1",
                    "gl2_remote_port": 59776,
                    "filebeat_agent_hostname": "LAPTOP-1BQNQ8EO",
                    "beats_type": "filebeat",
                    "gl2_source_input": "64377490247b2e0934262b8e",
                    "filebeat_@metadata_beat": "filebeat",
                    "filebeat_@timestamp": "2023-04-13T08:38:54.824Z",
                    "filebeat_agent_type": "filebeat",
                    "filebeat_@metadata_version": "7.11.1",
                    "filebeat_host_name": "LAPTOP-1BQNQ8EO",
                    "gl2_source_node": "95acd4bd-4f23-40de-a422-5274f220a40a",
                    "filebeat_agent_version": "7.11.1",
                    "filebeat_agent_ephemeral_id": "d5392ef5-44f5-4d83-9007-1c947788c0f2",
                    "gl2_accounted_message_size": 5774,
                    "gl2_source_collector": "41e84e5f-67c5-422f-8fb0-a5205146cd4b",
                    "filebeat_input_type": "log",
                    "gl2_message_id": "01GXWW99K54AZYA4JCYQ0CT0ZG",
                    "filebeat_tags": [
                        "windows",
                        "demo",
                        "error"
                    ],
                    "filebeat_ecs_version": "1.6.0",
                    "filebeat_collector_node_id": "LAPTOP-1BQNQ8EO",
                    "filebeat_@metadata_type": "_doc",
                    "filebeat_log_time": "2023-04-13 16:38:54.824",
                    "filebeat_agent_id": "4b8086ce-67f1-4aec-b93b-723744d56ab3",
                    "filebeat_log_file_path": "C:\\Users\\JimWu\\Desktop\\test_log\\demo1-error-2023-04-13-0.log",
                    "filebeat_log_flags": [
                        "multiline"
                    ]
                },
                "id": "a5250950-d9d6-11ed-bcc0-0242ac110002",
                "source": "LAPTOP-1BQNQ8EO",
                "timestamp": "2023-04-13T08:38:54.824Z",
                "stream_ids": [
                    "000000000000000000000001"
                ]
            }
        ]
    }
    
;