Graylog-sidecar setup

From TempusServa wiki

Start in Graylog.

  • Set up a new index (System > Indices)
  • Set up a new Stream (Streams)
    • Add a rule that filebeat_collector_node_id must match node_name (set further down)
    • Start the stream
  • Create a server_api_token (System > Users and Teams > Sidecar System User (built-in) > Edit tokens)

Install the sidecar and collector on the new node

  • Install graylog-sidecar (original: https://docs.graylog.org/docs/sidecar)
    • sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-sidecar-repository-1-2.noarch.rpm
    • sudo yum install graylog-sidecar
  • Adjust the configuration
    • sudo nano /etc/graylog/sidecar/sidecar.yml
    • Set node_name on the sidecar.
    • Set server_url to https://graylog.tempusserva.dk
    • Set server_api_token
    • Set send_status to true
    • Add the Tomcat logs to list_log_files (e.g.: "/usr/share/tomcat8/logs/")
  • Make graylog-sidecar start automatically
    • sudo graylog-sidecar -service install
    • sudo systemctl start graylog-sidecar or sudo /etc/init.d/graylog-sidecar start
  • Install filebeat (original: https://www.elastic.co/guide/en/beats/filebeat/7.16/setup-repositories.html#_yum)
    • sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
  • Add the repo
    • sudo nano /etc/yum.repos.d/elastic.repo
    • Paste:
      • [elastic-7.x]
        name=Elastic repository for 7.x packages
        baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
        gpgcheck=1
        gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
        enabled=1
        autorefresh=1
        type=rpm-md
  • Install
    • sudo yum install filebeat
    • sudo chkconfig --add filebeat
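The sidecar.yml edits from the configuration step above, applied by a script instead of by hand in nano. This is an added example, not code from the TempusServa wiki or from the Graylog project. It assumes the stock layout of one top-level "key: value" per line; node_name and the token are passed in as arguments, and server_url is the bare host given on this page (the upstream sidecar documentation quotes it with a trailing /api/, so check which form your Graylog expects).

```shell
#!/bin/sh
# Added example, not from the TempusServa wiki: apply the sidecar.yml settings from the
# procedure above with a script instead of editing in nano. Re-running it is safe: an
# existing top-level key is replaced in place, a missing one is appended, nothing is
# duplicated. Assumes the stock layout of one top-level "key: value" per line.

# set_yaml_key FILE KEY VALUE: replace the top-level "KEY:" line or append it if absent.
set_yaml_key() {
  file=$1 key=$2 value=$3
  tmp="$file.tmp.$$"
  awk -v k="$key" -v v="$value" '
    index($0, k ":") == 1 { print k ": " v; done = 1; next }  # key found at column 1
    { print }
    END { if (!done) print k ": " v }                           # key missing: append
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_yaml_key FILE KEY: print the raw value of a top-level scalar key (empty if absent).
get_yaml_key() {
  awk -v k="$2" 'index($0, k ":") == 1 { sub("^" k ":[ \t]*", ""); print; exit }' "$1"
}

# configure_sidecar FILE NODE_NAME TOKEN: the five edits listed in the procedure above.
# server_url is the value this page gives; the upstream sidecar docs quote it with a
# trailing /api/, so confirm which form your Graylog expects before relying on it.
configure_sidecar() {
  file=$1 node=$2 token=$3
  set_yaml_key "$file" node_name "\"$node\""
  set_yaml_key "$file" server_url '"https://graylog.tempusserva.dk"'
  set_yaml_key "$file" server_api_token "\"$token\""
  set_yaml_key "$file" send_status true
  set_yaml_key "$file" list_log_files '["/usr/share/tomcat8/logs/"]'
}
```

On the node, source the file as root and call `configure_sidecar /etc/graylog/sidecar/sidecar.yml "$(hostname)" "$SIDECAR_TOKEN"`, keeping the token in an environment variable rather than typing it on the command line so it does not land in the shell history. Run `get_yaml_key /etc/graylog/sidecar/sidecar.yml server_api_token` afterwards to confirm the value took.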

Grant the new sidecar's IP access to connect, in Apache and Amazon. (Find it with wget -qO - https://icanhazip.com)

Add a Collector in Graylog (System > Sidecars > [node_name] > Manage sidecar)

  • Tick the box next to Filebeat
  • Click Configure in the top right
  • Tick the box next to the correct config
  • Save.

Set up alerts

  • Filter search query:
    • (message:/.*[A-Za-z0-9]Exception.*/ OR Severity:SEVERE) AND NOT message:"Context is read only" AND NOT message:"SEVERE: null" AND NOT msg:"<" AND NOT msg:/.*(protocol|target|name) \[.*/ AND NOT Thread:/http-nio-.*/ AND NOT msg:/Failed to start connector.*/ AND NOT msg:/Invalid Addresses/ AND NOT msg:/com.sun.mail.smtp.SMTPAddressFailedException: 450 4.7.1.*/
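A local approximation of the alert query above, run over a few constructed Tomcat-style events, so the positive clause and each NOT exclusion can be sanity-checked before the alert is wired up. This is an added example, not part of the wiki page. It assumes that the msg field carries the same text as message, that Thread is the Tomcat thread name, and that each regex clause can be tested as a plain match on the raw line; Graylog evaluates field regexes against the indexed terms, so expect small differences on punctuation and multi-word phrases.

```shell
#!/bin/sh
# Added example, not from the TempusServa wiki: approximate the alert query above
# locally so its exclusions can be checked against sample log lines. Assumptions:
# msg is the same text as message; regex clauses are tested as unanchored matches on
# the raw line (Graylog matches them against indexed terms, so edge cases may differ).

# contains TEXT ERE: 0 if the extended regex matches anywhere in TEXT.
contains() { printf '%s\n' "$1" | grep -Eq "$2"; }

# should_alert SEVERITY MESSAGE THREAD: 0 if the event would match the alert query.
should_alert() {
  severity=$1 message=$2 thread=$3
  # Positive clause: an "...Exception" token in the message, or Severity SEVERE.
  if ! contains "$message" '[A-Za-z0-9]Exception' && [ "$severity" != SEVERE ]; then
    return 1
  fi
  # Exclusions, one per NOT clause, in the order they appear in the query.
  case "$message" in
    *"Context is read only"*|*"SEVERE: null"*|*"<"*|*"Invalid Addresses"*) return 1 ;;
  esac
  if contains "$message" '(protocol|target|name) \['; then return 1; fi
  if contains "$message" '^Failed to start connector'; then return 1; fi
  if contains "$message" 'com\.sun\.mail\.smtp\.SMTPAddressFailedException: 450 4\.7\.1'; then return 1; fi
  case "$thread" in http-nio-*) return 1 ;; esac
  return 0
}

# Constructed sample events (severity|thread|message); not real log data.
SAMPLE_EVENTS='SEVERE|main|Context initialization failed
INFO|main|java.lang.NullPointerException: null
SEVERE|main|SEVERE: null
SEVERE|main|Error registering name [jmx] with the server
SEVERE|http-nio-8080-exec-3|java.net.SocketException: Connection reset
INFO|main|Server startup in 1234 ms'

# count_alerts: run the sample events through should_alert, report the firing ones on
# stderr, and print the number of matches on stdout.
count_alerts() {
  n=0
  while IFS='|' read -r sev thr msg; do
    if should_alert "$sev" "$msg" "$thr"; then
      printf 'ALERT: [%s] [%s] %s\n' "$sev" "$thr" "$msg" >&2
      n=$((n + 1))
    fi
  done <<EOF
$SAMPLE_EVENTS
EOF
  echo "$n"
}
```

With the sample set above, only the first two events fire: the "SEVERE: null" line, the "name [jmx]" line and the event on an http-nio thread are each dropped by one of the NOT clauses, which is the quickest way to see whether a new exclusion is too broad before it goes into the saved search.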