Install Graylog Server on Ubuntu 20.04 with a Let's Encrypt SSL certificate

Date: 2020-02-23 14:39:15  Source: igfitidea

Graylog is an open-source log aggregation and management tool that can be used to store, analyse and forward collected logs.
Graylog can analyse both structured and unstructured logs, using Elasticsearch and MongoDB as its backends.
The log sources can be a wide range of systems: Windows hosts, Linux hosts, different applications, microservices and so on.

Graylog makes it easy to analyse these systems and applications and to monitor them from a single host.

Graylog consists of the following components:

- Graylog server
- MongoDB
- Elasticsearch

Let us jump straight into installing Graylog server on an Ubuntu 20.04 host.
We will then configure SSL with Let's Encrypt.

To achieve this we will install Nginx as a reverse proxy in front of Graylog.

Prerequisites

Before installing on your machine, make sure the host meets the following minimum requirements:

- 4 CPU cores
- 8 GB RAM
- SSD disk space with high IOPS for Elasticsearch log storage
- Ubuntu 20.04 LTS installed, with all packages updated and upgraded

With those conditions met, let us start the installation.

Step 1 - Install Java on Ubuntu 20.04

Graylog requires Java version 8 or later.
In this article we will use OpenJDK 11:

sudo apt update
sudo apt install -y apt-transport-https openjdk-11-jre-headless uuid-runtime pwgen curl dirmngr

We can verify the Java version we just installed with the java -version command:

$java -version
openjdk version "11.0.9" 2017-10-20
OpenJDK Runtime Environment (build 11.0.9+11-Ubuntu-0ubuntu1.20.04)
OpenJDK 64-Bit Server VM (build 11.0.9+11-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)

Step 2 - Install Elasticsearch on Ubuntu 20.04

Elasticsearch is the component used to store and analyse the incoming logs from external sources.
It exposes a web-based RESTful API.

Download and install the Elasticsearch GPG signing key (the trailing - tells apt-key to read the key from standard input):

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Add the Elasticsearch repository to the sources list:

echo "deb https://artifacts.elastic.co/packages/oss-6.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-6.x.list

Install Elasticsearch:

sudo apt update
sudo apt install -y elasticsearch-oss

Configure the cluster name for Graylog:

sudo vim /etc/elasticsearch/elasticsearch.yml

Set the cluster name to graylog:

cluster.name: graylog

Add the following setting in the same file:

action.auto_create_index: false

Reload the systemd daemon and start the Elasticsearch service:

sudo systemctl daemon-reload
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

We can check the status of the service with:

$systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2017-11-08 12:36:10 UTC; 14s ago
       Docs: http://www.elastic.co
   Main PID: 1352139 (java)
      Tasks: 15 (limit: 4582)
     Memory: 1.1G
     CGroup: /system.slice/elasticsearch.service
             └─1352139 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Des.>
Nov 08 12:36:10 graylog.theitroad.com systemd[1]: Started Elasticsearch.

Elasticsearch listens on port 9200, which can be confirmed with the curl command:

curl -X GET http://localhost:9200

We should see the cluster name in the output:

$curl -X GET http://localhost:9200
{
  "name" : "RQ7y68X",
  "cluster_name" : "graylog",
  "cluster_uuid" : "Dp948OGjT-uFz_LuOiW6ng",
  "version" : {
    "number" : "6.8.13",
    "build_flavor" : "oss",
    "build_type" : "deb",
    "build_hash" : "be13c69",
    "build_date" : "2017-10-16T09:09:46.555371Z",
    "build_snapshot" : false,
    "lucene_version" : "7.7.3",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

Step 3 - Install MongoDB on Ubuntu 20.04

Download and install MongoDB from Ubuntu's base repository:

sudo apt update
sudo apt install -y mongodb-server

Start MongoDB and check its status:

sudo systemctl start mongodb
sudo systemctl enable mongodb
$systemctl status mongodb
● mongodb.service - An object/document-oriented database
     Loaded: loaded (/lib/systemd/system/mongodb.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2017-11-08 12:45:21 UTC; 1s ago
       Docs: man:mongod(1)
   Main PID: 1352931 (mongod)
      Tasks: 3 (limit: 4582)
     Memory: 27.9M
     CGroup: /system.slice/mongodb.service
             └─1352931 /usr/bin/mongod --unixSocketPrefix=/run/mongodb --config /etc/mongodb.conf
Nov 08 12:45:21 graylog.theitroad.com systemd[1]: Started An object/document-oriented database.

Step 4 - Install Graylog Server on Ubuntu 20.04

Download and configure the Graylog repository:

wget https://packages.graylog2.org/repo/packages/graylog-3.3-repository_latest.deb
sudo apt install ./graylog-3.3-repository_latest.deb

Install Graylog Server:

sudo apt update
sudo apt install -y graylog-server

Generate a secret, used to secure user passwords, with the pwgen command:

pwgen -N 1 -s 96

The output should look like this:

FFP3LhcsuSTMgfRvOx0JPcpDomJtrxovlSrbfMBG19owc13T8PZbYnH0nxyIfrTb0ANwCfH98uC8LPKFb6ZEAi55CvuZ2Aum

Edit the Graylog config file to add the secret we just created:

sudo vim /etc/graylog/server/server.conf

Find password_secret = and add the secret created above after it:

password_secret = FFP3LhcsuSTMgfRvOx0JPcpDomJtrxovlSrbfMBG19owc13T8PZbYnH0nxyIfrTb0ANwCfH98uC8LPKFb6ZEAi55CvuZ2Aum

Also add the following lines to the /etc/graylog/server/server.conf file:

rest_listen_uri = http://127.0.0.1:9000/api/
web_listen_uri = http://127.0.0.1:9000/

The next step is to create a SHA-256 hash of the admin password.
This is the password we will use to log in to the web interface.

echo -n Str0ngPassw0rd | sha256sum

Replace Str0ngPassw0rd with the password of your choice.

We get output like this:

e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

Edit the /etc/graylog/server/server.conf file and put the hashed password after root_password_sha2 =

sudo vi /etc/graylog/server/server.conf
root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951

Graylog is now configured and ready to use.

Start the Graylog service:

sudo systemctl daemon-reload
sudo systemctl start graylog-server
sudo systemctl enable graylog-server

We can check from the logs whether the service started successfully:

sudo tail -f /var/log/graylog-server/server.log
2017-11-08T13:37:55.067Z INFO  [ServerBootstrap] Graylog server up and running.
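As an added example (not part of the original post), the following POSIX shell functions produce the two values that step 4 puts into /etc/graylog/server/server.conf, the password_secret and the root_password_sha2 hash, without leaving the admin password in the shell history the way the echo -n ... | sha256sum pipeline above does, and they check both values before they are pasted into the file. They rely only on coreutils (tr, head, sha256sum, cut), so they also work on a host where pwgen is not installed; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post.  Generates and validates
# the password_secret and root_password_sha2 values for Graylog's server.conf.

# 96-character alphanumeric secret, the same length the post generates with
# "pwgen -N 1 -s 96".  Secrets come from /dev/urandom.
graylog_gen_secret() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# Unsalted SHA-256 hex digest of $1, the format Graylog expects in
# root_password_sha2.  printf '%s' avoids hashing a trailing newline, which a
# plain "echo" (without -n) would silently add to the password.
graylog_sha256() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Read the admin password from the terminal with echo disabled, so it is
# neither shown on screen nor written to ~/.bash_history as a command argument.
graylog_read_password() {
    stty -echo 2>/dev/null
    printf 'Graylog admin password: ' >&2
    read -r pw
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s' "$pw"
}

# Validation helpers: exit status 0 when the value has the expected shape.
is_valid_secret() {
    # at least 64 characters (Graylog's documented minimum) and no whitespace
    [ ${#1} -ge 64 ] && [ "$1" = "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

is_valid_sha256() {
    # exactly 64 lowercase hex digits
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Print the two server.conf lines for the password given as $1, refusing to
# print anything if either value fails validation.
graylog_conf_lines() {
    secret=$(graylog_gen_secret)
    hash=$(graylog_sha256 "$1")
    is_valid_secret "$secret" || { echo "bad secret" >&2; return 1; }
    is_valid_sha256 "$hash" || { echo "bad hash" >&2; return 1; }
    printf 'password_secret = %s\nroot_password_sha2 = %s\n' "$secret" "$hash"
}
```

Source the file and run graylog_conf_lines "$(graylog_read_password)"; the two printed lines replace the password_secret and root_password_sha2 entries in server.conf. Note that root_password_sha2 is a plain, unsalted SHA-256 of the password, exactly as the post's sha256sum pipeline shows, so the strength of the admin login rests entirely on the password chosen, and the file should stay readable only by root and the graylog user.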

Step 5 - Set up SSL with Let's Encrypt

The next step is to configure SSL so that we can access the Graylog web interface over HTTPS.

To achieve this we need the following:

- a fully qualified domain name (FQDN)
- Nginx
- a Let's Encrypt certificate

Install and configure Nginx with the following steps.

1. Update the system and install Nginx

sudo apt-get update
sudo apt install nginx

2. Configure the firewall

sudo ufw allow 'Nginx Full'

3. Create a virtual host for the domain name

Create the site file under /etc/nginx/sites-available/, for example:

sudo vim /etc/nginx/sites-available/graylog.yourdomain.com.conf

Add the following content to the file:

server {
  listen 80;
  server_name           graylog.yourdomain.com;
  return 301            https://$host$request_uri;
  access_log            /var/log/nginx/graylog.yourdomain.com.access.log combined;
  error_log             /var/log/nginx/graylog.yourdomain.com.error.log;
}

Remember to replace graylog.yourdomain.com with your FQDN.

4. Create a symbolic link from the file just created in /etc/nginx/sites-available to /etc/nginx/sites-enabled

sudo ln -s /etc/nginx/sites-available/graylog.yourdomain.com.conf /etc/nginx/sites-enabled/

5. Check that the nginx configuration is valid with the nginx -t command.

$sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

6. Install Let's Encrypt with Certbot.

sudo apt install certbot python3-certbot-nginx

7. Run certbot for nginx

$sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): Hyman@theitroad
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2016.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
(Y)es/(N)o: N
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
1: graylog.theitroad.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for graylog.theitroad.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/graylog.theitroad.com.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/graylog.theitroad.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Congratulations! You have successfully enabled
https://graylog.theitroad.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=graylog.theitroad.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/graylog.theitroad.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/graylog.theitroad.com/privkey.pem
   Your cert will expire on 2021-02-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG/Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

We have successfully obtained an SSL certificate for our domain.

The next step is to configure the reverse proxy on Nginx, which will serve Graylog running on port 9000 on the same host.

Edit the /etc/nginx/sites-available/graylog.yourdomain.com.conf file and add the following location section to the configuration:

location /
    {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Graylog-Server-URL https://$server_name/;
      proxy_pass       http://127.0.0.1:9000;
    }

The final configuration file should look like this:

server {
  listen 80;
  server_name           graylog.theitroad.com;
  return 301            https://$host$request_uri;
  access_log            /var/log/nginx/graylog.theitroad.com.access.log combined;
  error_log             /var/log/nginx/graylog.theitroad.com.error.log;
}
server {
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        server_name graylog.theitroad.com;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/graylog.theitroad.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/graylog.theitroad.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location /
    {
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Graylog-Server-URL https://$server_name/;
      proxy_pass       http://127.0.0.1:9000;
    }
}

Validate the nginx configuration with nginx -t once more, just to make sure the configuration is OK.

Now restart the nginx service:

sudo systemctl restart nginx
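As an added example (not part of the original post), the shell script below performs a read-only check of the three configuration files written in this guide. It confirms that Graylog's listen URIs and Elasticsearch's network.host (when it is set at all) are loopback addresses, so that ports 9000 and 9200 are reachable only through the Nginx TLS proxy, and that the Nginx site redirects HTTP to HTTPS, terminates TLS with the Let's Encrypt key and proxies to 127.0.0.1:9000 with the X-Graylog-Server-URL header. File paths are passed as arguments so it can be run against copies; the function names are my own, and the http_bind_address key is included because Graylog 3.x server.conf uses it in place of rest_listen_uri and web_listen_uri.

```shell
#!/bin/sh
# Added example, not code from the original post.  Read-only posture check for
# the Graylog + Elasticsearch + Nginx configuration written in this guide.

# Print the value of the first "key = value" / "key: value" line for KEY.
conf_value() {   # conf_value FILE KEY
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" | head -n 1
}

# Graylog must listen on loopback only; any other bind address lets clients
# reach port 9000 directly, bypassing Nginx and TLS.
check_graylog_bind() {   # check_graylog_bind server.conf
    for key in rest_listen_uri web_listen_uri http_bind_address; do
        v=$(conf_value "$1" "$key")
        if [ -n "$v" ]; then
            case "$v" in
                http://127.0.0.1:*|http://localhost:*|127.0.0.1:*|localhost:*) ;;
                *) echo "FAIL: $key = $v is not a loopback address"; return 1 ;;
            esac
        fi
    done
    echo "OK: graylog bound to loopback"
}

# The Elasticsearch OSS build has no authentication, so network.host, when
# set, must be a loopback address (the default when the key is absent).
check_es_bind() {   # check_es_bind elasticsearch.yml
    v=$(conf_value "$1" network.host)
    case "$v" in
        ""|127.0.0.1|localhost|_local_) echo "OK: elasticsearch bound to loopback" ;;
        *) echo "FAIL: network.host = $v exposes port 9200"; return 1 ;;
    esac
}

# Nginx: port 80 must redirect, 443 must be TLS with the Let's Encrypt key,
# and the proxy must target 127.0.0.1:9000 with an https X-Graylog-Server-URL
# so the web interface builds https:// links.
check_nginx_proxy() {   # check_nginx_proxy site.conf
    f=$1
    grep -Eq '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' "$f" \
        || { echo "FAIL: no HTTP to HTTPS redirect"; return 1; }
    grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl' "$f" \
        || { echo "FAIL: no TLS listener on 443"; return 1; }
    grep -Eq '^[[:space:]]*ssl_certificate_key[[:space:]]+/etc/letsencrypt/live/' "$f" \
        || { echo "FAIL: ssl_certificate_key is not the Let's Encrypt key"; return 1; }
    grep -Eq '^[[:space:]]*proxy_pass[[:space:]]+http://127\.0\.0\.1:9000' "$f" \
        || { echo "FAIL: proxy_pass does not target 127.0.0.1:9000"; return 1; }
    grep -Eq 'X-Graylog-Server-URL[[:space:]]+https://' "$f" \
        || { echo "FAIL: X-Graylog-Server-URL is not an https URL"; return 1; }
    echo "OK: nginx redirects to TLS and proxies to 127.0.0.1:9000"
}

# Run all three checks; exit status 1 if any of them fails.
check_stack() {   # check_stack SERVER_CONF ES_YML NGINX_SITE_CONF
    rc=0
    check_graylog_bind "$1" || rc=1
    check_es_bind "$2" || rc=1
    check_nginx_proxy "$3" || rc=1
    return $rc
}

# Usage on the host built in this guide (the site file name is the one used
# in step 5; substitute your own FQDN):
#   check_stack /etc/graylog/server/server.conf \
#               /etc/elasticsearch/elasticsearch.yml \
#               /etc/nginx/sites-available/graylog.yourdomain.com.conf
```

The checks only read the files, so they are safe to run on the live host and can be dropped into a cron job or a configuration-management test; a FAIL line tells you which of the three services has drifted from the loopback-plus-proxy layout the guide sets up.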

With the above in place, we should be able to access the Graylog dashboard by entering https://graylog.yourdomain.com in the browser.

Remember to replace graylog.yourdomain.com with your FQDN.

Graylog's default username is admin, and the password is the one we configured in Step 4 (Install Graylog Server) above.

We can now start using the Graylog web dashboard, served over SSL.