我配置的Graylog是4版本的，因为更高级的版本没有针对centos

CentOS installationhttps://go2docs.graylog.org/4-x/downloading_and_installing_graylog/centos_installation.html        官方文档挺详细，但有的地方可能会出问题

1. 安装MongoDB

Install MongoDB Community Edition on Red Hat or CentOS — MongoDB Manualhttps://www.mongodb.com/docs/v4.4/tutorial/install-mongodb-on-red-hat/#install-mongodb-community-edition

• 兜兜转转发现很多东西还是官网的文档写的好

 1.1 创建一个yum配置文件

vi /etc/yum.repos.d/mongodb-org-4.4.repo

        添加内容

[mongodb-org-4.4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc

1.2 安装MongoDB

 sudo yum install -y mongodb-org

1.31 解决SELinux组织MongoDB访问的问题

1.3.1 安装checkpolicy

sudo yum install checkpolicy

1.3.1 配置mongodb_cgroup_memory策略

cat > mongodb_cgroup_memory.te <<EOF
module mongodb_cgroup_memory 1.0;

require {
      type cgroup_t;
      type mongod_t;
      class dir search;
      class file { getattr open read };
}

#============= mongod_t ==============
allow mongod_t cgroup_t:dir search;
allow mongod_t cgroup_t:file { getattr open read };
EOF

 1.3.2 运行mongodb_cgroup_memory策略

checkmodule -M -m -o mongodb_cgroup_memory.mod mongodb_cgroup_memory.te
semodule_package -o mongodb_cgroup_memory.pp -m mongodb_cgroup_memory.mod
sudo semodule -i mongodb_cgroup_memory.pp

1.3.3 配置mongodb_proc_net策略

cat > mongodb_proc_net.te <<EOF
module mongodb_proc_net 1.0;

require {
    type cgroup_t;
    type configfs_t;
    type file_type;
    type mongod_t;
    type proc_net_t;
    type sysctl_fs_t;
    type var_lib_nfs_t;

    class dir { search getattr };
    class file { getattr open read };
}

#============= mongod_t ==============
allow mongod_t cgroup_t:dir { search getattr } ;
allow mongod_t cgroup_t:file { getattr open read };
allow mongod_t configfs_t:dir getattr;
allow mongod_t file_type:dir { getattr search };
allow mongod_t file_type:file getattr;
allow mongod_t proc_net_t:file { open read };
allow mongod_t sysctl_fs_t:dir search;
allow mongod_t var_lib_nfs_t:dir search;
EOF

1.3.4 运行mongodb_proc_net策略

checkmodule -M -m -o mongodb_proc_net.mod mongodb_proc_net.te
semodule_package -o mongodb_proc_net.pp -m mongodb_proc_net.mod
sudo semodule -i mongodb_proc_net.pp

1.4 运行MongoDB

#运行MongoDB

sudo systemctl start mongod

#查看MongoDB状态

sudo systemctl status mongod

2. 安装Elasticsearch

2.1 安装Elastic GPG密钥

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

touch /etc/yum.repos.d/elasticsearch.repo

2.2 创建一个yum配置文件

vi /etc/yum.repos.d/elasticsearch.repo

        添加内容，graylog官方文档说是es不能超过7.10的版本

[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

 2.3 安装ES

sudo yum install elasticsearch-oss

2.4 修改配置文件

vim /etc/elasticsearch/elasticsearch.yml

cluster.name: graylog
#最后一行新增
action.auto_create_index: false 

2.5 启动ES 

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
sudo systemctl --type=service --state=active | grep elasticsearch

2.6 修改es的jvm内存配置

vim /etc/elasticsearch/jvm.options

        感觉连接多个项目，2g应该够用 

初始化内存
-Xms2g
最小内存
-Xmx2g 

3. 安装Graylog

sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.0-repository_latest.rpm

 sudo yum install graylog-server

3.1 安装epel

yum install epel-release

3.2 安装pwgen

yum install pwgen

3.3 生成password_secret密码

pwgen -N 1 -s 96

3.4 生成root_password_sha2密码

echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1

 3.5 修改配置文件

Overviewhttps://go2docs.graylog.org/4-x/setting_up_graylog/web_interface.htm

vim /etc/graylog/server/server.conf

password_secret = xxxxx
Web登录时所需要使用的密码
root_password_sha2 = xxxx 
 
时区
root_timezone = Asia/Shanghai
ip地址，固定这样设置
http_bind_address = 0.0.0.0:9000
 
# 配置外网地址，就是能让其他电脑访问的地址
http_publish_uri = http://graylog.example.com/
 
配的单节点es，分片设置为 1
elasticsearch_shards = 1
elasticsearch_replicas = 0
查询结果高亮
allow_highlighting = true
 
邮件预警配置，hostname是邮件官方的服务器地址，搜一下就能找到
transport_email_enabled = true
transport_email_hostname = smtp.exmail.qq.com
transport_email_port = 465
transport_email_use_auth = true
transport_email_auth_username = your_email.com
transport_email_auth_password = your_password
transport_email_subject_prefix = [graylog]
transport_email_from_email = your_email.com
transport_email_use_tls = false
transport_email_use_ssl = true

3.6 启动Graylog 

sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
sudo systemctl --type=service --state=active | grep graylog

        查看graylog日志

tail -50f  /var/log/graylog-server/server.log

        查看系统日志 

tail -50f /var/log/messages

        查看graylog状态

sudo systemctl status graylog-server.service