I. Environment Preparation
1. System configuration
```bash
# Kernel parameters: Elasticsearch refuses to start unless vm.max_map_count is at least 262144.
# fs.file-max is the system-wide ceiling on open files; check the current value with
# "sysctl fs.file-max" first and only raise it (the per-process limit Elasticsearch needs
# is already set by LimitNOFILE in its systemd unit).
cat >> /etc/sysctl.conf << EOF
vm.max_map_count=262144
fs.file-max=65536
EOF
sysctl -p
# Install dependencies. pwgen generates the Graylog password_secret below. The Graylog 4.x
# and Elasticsearch 7.x packages ship their own JVM, so openjdk-11-jdk is only needed if
# you also want a system JDK.
apt update
apt install -y openjdk-11-jdk pwgen
```
2. MongoDB installation
```bash
# Install MongoDB. The distribution's mongodb-server package may be older than the
# MongoDB releases Graylog 4.3 supports (check the compatibility matrix in the Graylog 4.3
# documentation) and is not shipped at all from Ubuntu 20.04 onward; in that case add
# MongoDB's own apt repository and install mongodb-org instead (its service is then
# named mongod, not mongodb).
apt install -y mongodb-server
# Start the service
systemctl start mongodb
systemctl enable mongodb
# Verify the service. The distribution package ships the legacy mongo shell; mongosh
# comes with mongodb-org 5.0+, so use whichever shell your package installed.
mongo --eval "db.version()"
```
MongoDB listens on 127.0.0.1:27017 by default; leave it that way, since Graylog runs on the same host and the database has no authentication configured here.
II. Elasticsearch Configuration
1. Installation
```bash
# Add the Elasticsearch repository. apt-key is deprecated on current Debian/Ubuntu;
# alternatively store the key under /etc/apt/keyrings and reference it with signed-by.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
# Install Elasticsearch. Graylog 4.3 supports Elasticsearch 6.8.x and 7.10.x only (plus
# OpenSearch 1.x); the newest package in the 7.x repository is 7.17, which Graylog rejects.
# Pin the version and hold it so a later "apt upgrade" cannot move it.
apt update
apt install -y elasticsearch=7.10.2
apt-mark hold elasticsearch
```
2. Configuration
```yaml
# /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
node.name: graylog-node1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# Elasticsearch 7.x ships with authentication disabled, so keep it on loopback where only
# the Graylog process on this host can reach it; never expose 9200 on the cloud server's
# public interface.
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
# Graylog manages its own index templates and creates indices itself; the Graylog
# documentation requires automatic index creation to be off.
action.auto_create_index: false
```
Enable and start the service afterwards (`systemctl enable --now elasticsearch`) and confirm that `curl -s http://localhost:9200` reports a 7.10.x version before installing Graylog.
III. Graylog Installation
1. Base installation
```bash
# Add the Graylog 4.3 repository package, then install graylog-server
wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb
dpkg -i graylog-4.3-repository_latest.deb
apt update
apt install -y graylog-server
```
2. Configuration file
server.conf is a plain Java properties file. Graylog does not pass it through a shell, so `$(...)` expressions written into it are read literally and the server will not start with a usable secret or admin password. Generate the two secrets first and paste the resulting strings into the file:
```bash
# password_secret: a random string of at least 64 characters; it must be identical on every
# node of a cluster and is used to encrypt stored credentials, so treat it as a secret
pwgen -s 96 1
# root_password_sha2: hex SHA-256 of the admin password, with no trailing newline
# (replace "Enter Password" with the real password)
echo -n "Enter Password" | shasum -a 256 | cut -d" " -f1
```
```properties
# /etc/graylog/server/server.conf
password_secret = <paste the pwgen output here>
root_password_sha2 = <paste the shasum output here>
# 0.0.0.0 exposes the web interface and REST API on every interface of the cloud server.
# Restrict port 9000 to trusted addresses in the security group or host firewall, or bind
# to the private address and put a TLS-terminating reverse proxy in front of it.
http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = http://localhost:9200
mongodb_uri = mongodb://localhost:27017/graylog
```
Then start the service with `systemctl enable --now graylog-server` and follow `/var/log/graylog-server/server.log` until it reports that the server is up; connection errors to Elasticsearch or MongoDB show up there first.
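Because the secrets have to be literal values, a small script that generates them and writes them into the properties file is less error-prone than hand-editing. The following is an added example and not part of this guide or of Graylog; it assumes coreutils (sha256sum, od) and uses pwgen when installed, with the target file, admin password and the GRAYLOG_CONF / GRAYLOG_ROOT_PASSWORD variable names being hypothetical:

```shell
#!/bin/sh
# Added example (not from the guide): render password_secret and root_password_sha2 as
# literal values in server.conf, since Graylog never expands $(...) in the file.
set -eu

# 96-character random password_secret: pwgen as used in the guide, else /dev/urandom as hex
gen_password_secret() {
  if command -v pwgen >/dev/null 2>&1; then
    pwgen -s 96 1
  else
    head -c 48 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Hex SHA-256 of a string without a trailing newline, which is what root_password_sha2 expects
sha256_hex() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Set "key = value" in a properties file: replaces an existing line (also a commented-out
# default such as "#password_secret =") or appends it. The file is rewritten in place
# through a temp copy so its owner and mode (root:graylog 0640) survive.
# Values must not contain backslashes, because awk -v processes escape sequences.
set_conf_value() {
  file=$1 key=$2 value=$3
  tmp=$(mktemp)
  awk -v k="$key" -v v="$value" '
    $0 ~ ("^#?[[:space:]]*" k "[[:space:]]*=") { if (!done) { print k " = " v; done = 1 }; next }
    { print }
    END { if (!done) print k " = " v }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# Read back the active (uncommented) value of a key, last occurrence wins as in Graylog
get_conf_value() {
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Only touches a file when GRAYLOG_CONF is set, so the functions can be sourced safely:
#   GRAYLOG_CONF=/etc/graylog/server/server.conf GRAYLOG_ROOT_PASSWORD='...' sh render-secrets.sh
if [ -n "${GRAYLOG_CONF:-}" ]; then
  : "${GRAYLOG_ROOT_PASSWORD:?set GRAYLOG_ROOT_PASSWORD to the admin password}"
  set_conf_value "$GRAYLOG_CONF" password_secret "$(gen_password_secret)"
  set_conf_value "$GRAYLOG_CONF" root_password_sha2 "$(sha256_hex "$GRAYLOG_ROOT_PASSWORD")"
  set_conf_value "$GRAYLOG_CONF" elasticsearch_hosts "http://localhost:9200"
  set_conf_value "$GRAYLOG_CONF" mongodb_uri "mongodb://localhost:27017/graylog"
  echo "updated $GRAYLOG_CONF"
fi
```

Pass the password through the environment or a prompt rather than on the command line, where it would land in shell history and be visible in `ps`. Rewriting through `cat > file` rather than `mv` keeps the restrictive mode the package set on server.conf, which matters because password_secret encrypts other stored credentials.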
IV. Input Configuration
Inputs are created under System > Inputs in the web interface or by posting the JSON below to the REST API (`POST /api/system/inputs`); `"global": true` starts the input on every node. Both inputs bind to 0.0.0.0, so on a cloud server they also listen on the public interface: allow 1514/udp and 12201/tcp only from your log sources in the security group or host firewall, or set `bind_address` to the private address. Port 1514 is used instead of 514 because graylog-server runs as an unprivileged user and cannot bind ports below 1024 without extra capabilities.
1. Syslog input
```json
{
  "title": "Syslog UDP",
  "type": "org.graylog2.inputs.syslog.udp.SyslogUDPInput",
  "global": true,
  "configuration": {
    "port": 1514,
    "bind_address": "0.0.0.0"
  }
}
```
2. GELF input
GELF over TCP is plaintext as configured here. The input supports TLS (`tls_enable`, `tls_cert_file` and `tls_key_file` in its configuration), which you should enable for sources that reach the server over anything other than the private network.
```json
{
  "title": "GELF TCP",
  "type": "org.graylog2.inputs.gelf.tcp.GELFTCPInput",
  "global": true,
  "configuration": {
    "port": 12201,
    "bind_address": "0.0.0.0"
  }
}
```
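Before pointing real log sources at the server it is worth a scripted smoke test that checks the Elasticsearch version is one Graylog 4.3 accepts (the point of the pinned install above), that graylog-server answers, and that both inputs take a message. The following is an added example, not code from this guide or from Graylog; it assumes curl, nc (or bash for /dev/tcp) and util-linux logger, and the ES_URL, GRAYLOG_URL and RUN_SMOKE_TEST names are hypothetical:

```shell
#!/bin/sh
# Added smoke test (not part of the guide). The pure checks (version matrix, GELF framing)
# are plain functions; network calls happen only inside smoke_test.
set -eu

# Return 0 when an Elasticsearch version string is one Graylog 4.3 runs against (6.8.x or 7.10.x)
es_version_supported() {
  case "$1" in
    6.8.*|7.10.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull "version.number" out of the JSON that GET / on Elasticsearch returns (no jq needed)
es_version_from_json() {
  sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Escape backslashes, double quotes and newlines so a value can sit inside a JSON string
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g' | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# One GELF 1.1 frame as the TCP input expects it: the JSON object followed by a NUL byte.
# Additional fields must be prefixed with "_" ("_id" is reserved by the spec); Graylog
# stores "_application" as the field "application".
gelf_frame() {
  host=$1 short=$2 level=${3:-6} app=${4:-smoke-test}
  printf '{"version":"1.1","host":"%s","short_message":"%s","level":%d,"_application":"%s"}' \
    "$(json_escape "$host")" "$(json_escape "$short")" "$level" "$(json_escape "$app")"
  printf '\0'
}

# Deliver a frame to the GELF TCP input: nc if present, otherwise bash's /dev/tcp
send_gelf() {
  target_host=$1 target_port=$2
  shift 2
  if command -v nc >/dev/null 2>&1; then
    gelf_frame "$@" | nc -w 2 "$target_host" "$target_port"
  else
    gelf_frame "$@" > "/dev/tcp/$target_host/$target_port"
  fi
}

smoke_test() {
  es=${ES_URL:-http://localhost:9200}
  gl=${GRAYLOG_URL:-http://localhost:9000}
  v=$(curl -sf "$es" | es_version_from_json)
  if es_version_supported "$v"; then
    echo "elasticsearch $v: supported"
  else
    echo "elasticsearch '$v': not supported by Graylog 4.3 (need 6.8.x or 7.10.x)"
    return 1
  fi
  # /api/system/lbstatus needs no credentials and answers ALIVE once the node is up
  [ "$(curl -sf "$gl/api/system/lbstatus")" = "ALIVE" ] || { echo "graylog-server not ALIVE"; return 1; }
  # the "[smoke-test]" prefix also exercises the bracket-based application-name rule in the next section
  send_gelf 127.0.0.1 12201 "$(hostname)" "[smoke-test] hello over GELF TCP" 6 smoke-test
  logger -n 127.0.0.1 -P 1514 -d -t smoke-test "[smoke-test] hello over syslog UDP"
  echo "test messages sent; search for source:$(hostname) in the Graylog UI"
}

# Run only when explicitly asked, so sourcing the file for its functions has no side effects
if [ "${RUN_SMOKE_TEST:-0}" = "1" ]; then
  smoke_test
fi
```

Run it with `RUN_SMOKE_TEST=1 sh smoke-test.sh` on the Graylog host. If the GELF message arrives but the syslog one does not, the usual cause is the security group or firewall dropping UDP while allowing TCP.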
V. Message Processing Rules
Pipeline rules are created under System > Pipelines and run against a stream through a pipeline; a rule's actions execute only when its `when` clause is true.
1. Field extraction
```java
rule "Extract Application Name"
when
  // regex() returns a map with a boolean "matches" plus the capture groups keyed "0", "1", ...
  // Testing the match in the condition leaves messages without "[app]" untouched.
  has_field("message") &&
  regex("\\[([^\\]]+)\\]", to_string($message.message)).matches
then
  let m = regex("\\[([^\\]]+)\\]", to_string($message.message));
  // m["0"] is the first capture group, the text between the brackets. Storing the
  // whole map (set_field("application_name", m)) would not yield a string field.
  set_field("application_name", m["0"]);
end
```
2. Message filtering
```java
rule "Filter Debug Messages"
when
  // Syslog inputs store the severity as a number (7 = debug); application logs that
  // ship a textual level carry "DEBUG", so accept either form.
  has_field("level") &&
  (to_string($message.level) == "DEBUG" || to_long($message.level, -1) == 7)
then
  drop_message();
end
```
VI. Alert Configuration
The two JSON documents below use the legacy alert condition and alarm callback format of Graylog 2.x and 3.x. Graylog 4.x, including the 4.3 release installed above, replaced them with Event Definitions and Event Notifications (Alerts > Event Definitions in the web interface): the same rule becomes an aggregation condition, count() > 100 evaluated over a 5-minute search window with a 10-minute grace period between notifications, and the e-mail becomes an Email Notification whose subject template uses `${event_definition_title}` in place of `${alert_condition.title}`. The values are otherwise the same.
1. Alert condition
`time` is the window in minutes, `grace` the number of minutes to wait before the same condition may fire again, and `threshold_type: more` fires when the message count in the window exceeds `threshold`.
```json
{
  "type": "message_count",
  "title": "High Error Rate",
  "parameters": {
    "grace": 10,
    "threshold_type": "more",
    "threshold": 100,
    "time": 5
  }
}
```
2. Notification settings
E-mail delivery also needs the `transport_email_*` settings in server.conf (SMTP host, port, credentials and TLS), and the sender address has to be one the relay accepts.
```json
{
  "type": "email",
  "title": "Email Alert",
  "configuration": {
    "sender": "graylog@example.com",
    "subject": "Graylog Alert: ${alert_condition.title}",
    "user_receivers": ["admin@example.com"]
  }
}
```
VII. Performance Tuning
1. JVM settings
```bash
# /etc/default/graylog-server
# The variable Graylog's systemd unit reads is GRAYLOG_SERVER_JAVA_OPTS, not JAVA_OPTS.
# Prefer -Xms equal to -Xmx so the heap is not resized under load, and keep it below half
# of RAM so Elasticsearch on the same host has its own heap and page cache.
# -XX:+UseConcMarkSweepGC is deprecated on JDK 11 (a warning) and removed in JDK 14+
# (the JVM refuses to start), so it is dropped here and the default collector is used.
GRAYLOG_SERVER_JAVA_OPTS="-Xms2g -Xmx4g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"
```
2. Index settings
```properties
# server.conf
# These values only seed the default index set when Graylog starts for the first time;
# afterwards the index set is edited under System > Indices and stored in MongoDB.
elasticsearch_max_docs_per_index = 20000000
# Retention: once more than 20 indices exist, the oldest is deleted.
elasticsearch_max_number_of_indices = 20
elasticsearch_shards = 4
# No replica copies: appropriate for a single node, but there is no redundancy at all.
elasticsearch_replicas = 0
```
Best Practice Recommendations
- Data collection
  - Plan inputs deliberately (one per protocol and source class, bound only where needed)
  - Configure parsing rules
  - Tune field extraction
  - Route data with streams
- Performance management
  - Monitor system resources
  - Tune index settings
  - Configure data retention
  - Watch the message journal and the process/output buffers
- Operations
  - Back up data regularly
  - Monitor service status
  - Clean up expired logs
  - Tune query performance
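"Back up data regularly" and "clean up expired logs" are easy to state and easy to get wrong on a single-node deployment. The following is an added example and not part of this guide or of Graylog: Graylog keeps all of its own state (users, roles, streams, inputs, pipelines, dashboards, index set definitions) in the MongoDB "graylog" database and its password_secret in server.conf, so a backup of those two is what restores a working instance; the log data itself sits in Elasticsearch and is protected with Elasticsearch snapshots, which this script does not cover. It assumes mongodump and tar are installed, and the BACKUP_DIR, KEEP_DAYS and RUN_BACKUP names are hypothetical:

```shell
#!/bin/sh
# Added example (not from the guide): back up Graylog's configuration and prune old copies.
set -eu

backup_dir=${BACKUP_DIR:-/var/backups/graylog}
conf=${GRAYLOG_CONF:-/etc/graylog/server/server.conf}
mongo_uri=${MONGODB_URI:-mongodb://localhost:27017/graylog}
keep_days=${KEEP_DAYS:-30}

# Timestamped archive name, e.g. graylog-20240101T020000.archive.gz
backup_name() {
  printf 'graylog-%s.archive.gz' "$(date -u +%Y%m%dT%H%M%S)"
}

# Dump the database into a gzip archive and save server.conf next to it. Both files
# contain secrets (password hashes, API tokens, password_secret), hence mode 600.
run_backup() {
  mkdir -p "$backup_dir"
  chmod 700 "$backup_dir"
  name=$(backup_name)
  mongodump --uri="$mongo_uri" --archive="$backup_dir/$name" --gzip
  tar -czf "$backup_dir/${name%.archive.gz}-conf.tar.gz" -C "$(dirname "$conf")" "$(basename "$conf")"
  chmod 600 "$backup_dir/$name" "$backup_dir/${name%.archive.gz}-conf.tar.gz"
  echo "wrote $backup_dir/$name"
}

# Remove backup files in directory $1 older than $2 days; prints the number removed.
# Only files named graylog-* are touched, so unrelated files in the directory survive.
prune_old_backups() {
  dir=$1 days=$2
  find "$dir" -maxdepth 1 -type f -name 'graylog-*' -mtime +"$days" -print -exec rm -f {} + | wc -l | tr -d ' '
}

# Run only when explicitly asked, so sourcing the file for its functions has no side effects
if [ "${RUN_BACKUP:-0}" = "1" ]; then
  run_backup
  echo "pruned $(prune_old_backups "$backup_dir" "$keep_days") backups older than $keep_days days"
fi
```

Schedule it from cron or a systemd timer as root, copy the directory off the host (the backup is worthless if it dies with the VM), and restore with `mongorestore --uri=... --archive=FILE --gzip --drop` followed by putting server.conf back with the same password_secret; without that secret, credentials Graylog encrypted cannot be read after the restore.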
This guide gives a complete plan for deploying the Graylog log analysis platform on a cloud server. Remember that a log analysis system's configuration has to be adjusted and tuned continuously as the actual business needs change.
Important notes:
- Update to current versions regularly
- Monitor storage capacity
- Tune query efficiency
- Keep backups
For a production Graylog system, establish thorough monitoring to keep the system running reliably. Also take data security and privacy seriously: configure access permissions appropriately (Graylog roles, TLS on the web interface and inputs, and firewall rules for every listening port) along with data retention policies.