一、环境准备
1. 系统配置
bash
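# 系统参数优化
# Write the kernel settings to a sysctl drop-in instead of appending to /etc/sysctl.conf:
# `cat >>` adds a duplicate pair on every re-run, while `>` into a dedicated file is
# idempotent. 262144 is the vm.max_map_count Elasticsearch's bootstrap check expects.
cat > /etc/sysctl.d/99-graylog.conf << 'EOF'
vm.max_map_count=262144
fs.file-max=65536
EOF
# `sysctl -p` only re-reads /etc/sysctl.conf; --system also loads the drop-in directory.
sysctl --system
# 安装依赖
apt update
apt install -y openjdk-11-jdk pwgen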
2. MongoDB安装
bash
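# 安装MongoDB
# NOTE(review): Graylog 4.x supports only a specific MongoDB version range; check that
# the distro's mongodb-server package falls inside it before relying on it — TODO confirm.
apt install -y mongodb-server
# 启动服务
systemctl start mongodb
systemctl enable mongodb
# 验证服务
# `--eval` needs a space before its argument: `--eval"db.version()"` is handed to the
# shell client as a single unknown option. The distro package presumably ships the
# legacy `mongo` shell rather than `mongosh`, so fall back to it when mongosh is absent.
if command -v mongosh >/dev/null 2>&1; then
  mongosh --eval "db.version()"
else
  mongo --eval "db.version()"
fi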
二、Elasticsearch配置
1. 安装设置
bash
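# 添加Elasticsearch源
# Keep the signing key in its own keyring and bind it to this one repository with
# signed-by=. `apt-key add` is deprecated and trusts the key for every configured
# source, so a compromise of that key would let any repository sign packages.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch \
  | gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" \
  | tee /etc/apt/sources.list.d/elastic-7.x.list
# 安装Elasticsearch
# NOTE(review): Graylog 4.3 supports only certain 7.x releases; pin the package version
# rather than taking the newest 7.x the repository offers — TODO confirm against the
# Graylog 4.3 compatibility table.
apt update
apt install -y elasticsearch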
2. 配置优化
yaml
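# /etc/elasticsearch/elasticsearch.yml
# YAML requires a space after the colon: `path.data:/var/lib/elasticsearch` parses as a
# single plain scalar, not a key/value pair, so those settings would not take effect
# (or the file would be rejected as malformed). Fixed below.
cluster.name: graylog
node.name: graylog-node1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200
# single-node: the node elects itself master and does not look for peers. With no
# network.host set, Elasticsearch listens on loopback only, which is what the
# same-host Graylog (elasticsearch_hosts = http://localhost:9200) expects.
discovery.type: single-node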
三、Graylog安装
1. 基础安装
bash
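# 下载并安装Graylog
# Stop on the first failure: a missing or truncated repository bundle must not be
# followed by `apt update`/`apt install` running against an unconfigured source.
# The bundle is fetched over HTTPS; it presumably installs the apt source and the
# signing key that authenticates the graylog-server package afterwards.
wget https://packages.graylog2.org/repo/packages/graylog-4.3-repository_latest.deb || exit 1
dpkg -i graylog-4.3-repository_latest.deb || exit 1
apt update
apt install -y graylog-server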
2. 配置文件
properties
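# /etc/graylog/server/server.conf
# This is a plain properties file: `$(...)` is NOT expanded by Graylog. Generate each
# value in a shell and paste the literal result.
#
# password_secret: at least 16 characters; Graylog uses it to encrypt stored secrets,
# so keep it stable and private. Generate with:   pwgen -N 1 -s 96
password_secret = <paste output of: pwgen -N 1 -s 96>
#
# root_password_sha2: SHA-256 hex digest of the admin password. Read the password
# without echoing so it does not end up in shell history or `ps` output:
#   read -rs pw; printf '%s' "$pw" | shasum -a 256 | cut -d" " -f1
root_password_sha2 = <paste 64-character hex digest>
#
# 0.0.0.0 exposes the web UI and REST API on every interface, and no TLS is configured
# here; bind to a trusted address or put a TLS-terminating reverse proxy in front.
http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = http://localhost:9200
mongodb_uri = mongodb://localhost:27017/graylog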
四、输入配置
1. Syslog输入
json
{
"title":"Syslog UDP",
"type":"org.graylog2.inputs.syslog.udp.SyslogUDPInput",
"global":true,
"configuration":{
"port":1514,
"bind_address":"0.0.0.0"
}
}
2. GELF输入
json
{
"title":"GELF TCP",
"type":"org.graylog2.inputs.gelf.tcp.GELFTCPInput",
"global":true,
"configuration":{
"port":12201,
"bind_address":"0.0.0.0"
}
}
五、日志处理规则
1. 提取字段
java
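// regex() returns a map: a boolean "matches" entry plus the capture groups keyed
// "0", "1", ... . The original stored the whole map as the field value; the rule
// now guards on a match and stores the first capture group (the bracketed name).
rule "Extract Application Name"
when
  has_field("message") &&
  regex("\\[([^\\]]+)\\]", to_string($message.message)).matches
then
  let m = regex("\\[([^\\]]+)\\]", to_string($message.message));
  set_field("application_name", m["0"]);
end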
2. 消息过滤
java
// NOTE(review): syslog inputs usually carry `level` as a numeric severity (7 = debug);
// the string comparison below only matches sources that send the literal "DEBUG" — confirm.
rule "Filter Debug Messages"
when
has_field("level")&& to_string($message.level)=="DEBUG"
then
// Discards the message so it is never indexed.
drop_message();
end
六、告警配置
1. 告警条件
json
{
"type":"message_count",
"title":"High Error Rate",
"parameters":{
"grace":10,
"threshold_type":"more",
"threshold":100,
"time":5
}
}
2. 通知设置
json
{
"type":"email",
"title":"Email Alert",
"configuration":{
"sender":"graylog@example.com",
"subject":"Graylog Alert: ${alert_condition.title}",
"user_receivers":["admin@example.com"]
}
}
七、性能优化
1. Java配置
bash
# /etc/default/graylog-server
# JVM flags for the graylog-server service.
# NOTE(review): -XX:+UseConcMarkSweepGC is deprecated since JDK 9 (the openjdk-11
# installed above prints a warning at startup) and was removed in JDK 14, so this line
# breaks on a newer runtime. Unequal -Xms/-Xmx lets the heap resize at runtime; setting
# both to the same value avoids resize pauses — size it against the host's memory.
JAVA_OPTS="-Xms2g -Xmx4g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC"
2. 索引优化
properties
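# server.conf
# Same `key = value` spacing as the main server.conf block above.
# NOTE(review): these appear to be the defaults for the initial index set only, read at
# first start; later changes are made in the UI rather than here — TODO confirm for
# this Graylog version.
# Rotate after ~20M documents per index and keep 20 indices, 4 primary shards each.
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
elasticsearch_shards = 4
# No replicas: consistent with the single-node Elasticsearch configured above, but a
# disk failure then loses the index; raise this once a second node exists.
elasticsearch_replicas = 0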