Graylog is an open-source tool for log aggregation, analysis, auditing, visualization and alerting.
Base system: CentOS 7.9 minimal installation.
1. Prerequisites
Taking a minimal server setup as the base, you will need these additional packages:
yum install java-1.8.0-openjdk-headless.x86_64
If you want to use pwgen later on, you need to set up EPEL on your system with sudo yum install epel-release and install the package with sudo yum install pwgen.
yum install epel-release
yum install pwgen
2. Install MongoDB
To install MongoDB on CentOS, add the repository file /etc/yum.repos.d/mongodb-org.repo with the following contents:
vi /etc/yum.repos.d/mongodb-org.repo
[mongodb-org-4.2]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.2/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.2.asc
yum install mongodb-org
systemctl daemon-reload
systemctl enable mongod.service
systemctl start mongod.service
systemctl --type=service --state=active | grep mongod
3. Install Elasticsearch
Graylog can be used with Elasticsearch 7.x; follow the instructions below to install the open source version of Elasticsearch.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vi /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
yum install elasticsearch-oss
vi /etc/elasticsearch/elasticsearch.yml
tee -a /etc/elasticsearch/elasticsearch.yml > /dev/null <<EOT
cluster.name: graylog # note the cluster name; YAML comments start with #, not //
action.auto_create_index: false
EOT
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl restart elasticsearch.service
systemctl --type=service --state=active | grep elasticsearch
4. Install Graylog
Now install the Graylog repository configuration and Graylog itself with the following commands:
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.1-repository_latest.rpm
yum install graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins
Generate the admin password hash for root_password_sha2:
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Enter Password: 123456   # sets the password of the admin user for the web UI login
10220dcccfa5a0fce3ba328b66084df02ab556f8d8a20bab98756c55701bd20d
Generate and set the protection secret password_secret:
[root@mlgedoc ~]# pwgen -N -1 -s 40 1
igaeRPrYN7a8E7Bd8XVPJBkzywuf1ro9jY3KA1aU
Add the admin password hash and the password_secret to the configuration file, and change the HTTP bind address:
vi /etc/graylog/server/server.conf
password_secret = igaeRPrYN7a8E7Bd8XVPJBkzywuf1ro9jY3KA1aU
root_password_sha2 = 10220dcccfa5a0fce3ba328b66084df02ab556f8d8a20bab98756c55701bd20d
http_bind_address = 172.17.1.180:9000
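As an added example (not from this post or the Graylog project), the following shell functions derive root_password_sha2 and password_secret and write them into server.conf in place, so neither value has to be copied from a terminal by hand; the config path, admin password and bind address are assumed arguments, and the secret generator is an assumed stand-in for pwgen.

```shell
#!/bin/sh
# Added example: derive the two secrets Graylog's server.conf needs and write
# them in place. Assumed arguments: config path, admin password, bind address.

# root_password_sha2 is the SHA-256 of the password bytes with NO trailing
# newline, so use printf (plain "echo pw | sha256sum" hashes "pw\n" instead).
graylog_root_hash() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Random alphanumeric password_secret; assumed stand-in for "pwgen -N 1 -s 40 1"
# on hosts without pwgen. The length is the first argument (default 40).
graylog_gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-40}"
}

# Set "key = value": rewrite the first active "key = ..." line if present,
# otherwise append. Commented-out lines ("#key = ...") are left alone.
set_conf_key() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        # GNU sed -i (CentOS); "|" as delimiter avoids clashing with "/" in values
        sed -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >>"$file"
    fi
}

# Read a key's current value back for verification (empty if unset).
get_conf_key() {
    sed -n "s|^[[:space:]]*${2}[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# Usage: configure_graylog /etc/graylog/server/server.conf 'AdminPw' 172.17.1.180:9000
configure_graylog() {
    conf="$1"; admin_pw="$2"; bind="$3"
    set_conf_key "$conf" password_secret "$(graylog_gen_secret 40)"
    set_conf_key "$conf" root_password_sha2 "$(graylog_root_hash "$admin_pw")"
    set_conf_key "$conf" http_bind_address "$bind"
}
```

Run get_conf_key on the file afterwards to confirm each key holds exactly one active value before restarting graylog-server.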
systemctl daemon-reload
systemctl enable graylog-server.service
systemctl start graylog-server.service
systemctl --type=service --state=active | grep graylog
5. SELinux configuration (optional)
If you're using SELinux on your system, you need to take care of the following settings:
1) Allow the web server to access the network:
setsebool -P httpd_can_network_connect 1
2) If the policy above does not comply with your security policy, you can also allow access to each port individually:
Graylog REST API and web interface:
semanage port -a -t http_port_t -p tcp 9000
Elasticsearch (only if the HTTP API is being used):
semanage port -a -t http_port_t -p tcp 9200
3) Allow using MongoDB's default port (27017/tcp):
semanage port -a -t mongod_port_t -p tcp 27017
6. Web access
http://172.17.1.180:9000
admin/123456