mirror of https://github.com/krislamo/graylog_demo synced 2026-01-11 22:03:15 +00:00

5 Commits

Author SHA1 Message Date
8543cb16d2 eh 2020-03-03 13:53:20 -05:00
2514ce237a Try gelf 3.0.0 2020-03-03 12:25:05 -05:00
5f71014caa works 2020-03-02 18:18:55 -05:00
724704c888 Not working. Errors 2020-03-02 16:10:08 -05:00
ec3eaebf35 Create and sign TLS certs 2020-03-02 14:22:58 -05:00
10 changed files with 253 additions and 325 deletions

2
.gitignore vendored

@@ -1,2 +1,2 @@
.vagrant .vagrant
tmp pki
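Review bot: swapping `tmp` for `pki` keeps the generated `rootCA.key` and `fluentd.key` out of version control, which is the right call; keep in mind that `pki/` still lives under the NFS-synced `/vagrant` folder, so the private keys are written to the host filesystem as well as the VM, and anyone cloning the repo later should expect the directory to be absent until the first `vagrant up`.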


@@ -1,21 +1,22 @@
# Graylog Demo # Graylog Demo
This is a demonstration of Graylog, a centralized log management system featuring a shell provisioned CentOS 7 Vagrant box. To illustrate various log collection methods `httpd`, `rsyslog` and `docker` are installed and a simple WordPress instance is deployed via Docker Compose. Log collection incorporates td-agent (a version of Fluentd) to ship logs into a Graylog instance from containers, the syslog, and arbitrary filesystem logs. This is a demonstration of Graylog, a centralized log management system featuring a shell provisioned CentOS 7 Vagrant box. To illustrate various log collection methods `httpd`, `rsyslog` and `docker` are installed and a simple WordPress instance is deployed via Docker Compose. Log collection incorporates Fluentd to ship logs into a Graylog instance from containers, the syslog, and arbitrary filesystem logs.
This demonstration assumes you are familiar with using Vagrant + VirtualBox to automate the installation of virtual machines, although you can reference the Vagrantfile's shell provisioning sections to manually set up a system if you so desire. Please install these prerequisites before attempting the quick start below. This demonstration assumes you are familiar with using Vagrant + VirtualBox to automate the installation of virtual machines, although you can reference the Vagrantfile's shell provisioning sections to manually set up a system if you so desire. Please install these prerequisites before attempting the quick start below.
#### Notes about setup #### Notes about setup
- This demonstration uses Traefik for some routing and the [xip.io](http://xip.io/) wildcard DNS service. If DNS fails to resolve for whatever reason you may want to set the domains to the IP inside your operating system's hosts file, e.g. - This demonstration uses Traefik for routing and the [xip.io](http://xip.io/) wildcard DNS service. If DNS fails to resolve for whatever reason you may want to set the domains to the IP inside your operating system's hosts file, e.g.
``` ```
172.28.128.30 traefik.172.28.128.30.xip.io 172.28.128.30 traefik.172.28.128.30.xip.io
172.28.128.30 graylog.172.28.128.30.xip.io 172.28.128.30 graylog.172.28.128.30.xip.io
172.28.128.30 wordpress.172.28.128.30.xip.io
``` ```
- Vagrant will provision two virtual machines with two consecutive private Class B addresses (starting from `172.28.128.30`). If you would like to change this base IP address to something different you will need to look through the project and find various references. Unfortunately, this is not a simple variable you can set for the entire project. - Vagrant will provision a virtual machine with a static private Class B address (specifically `172.28.128.30`). If you would like to change this IP address to something different you will need to change the `PRIVATE_NET_IP` variable and the scripted API calls in the `Vagrantfile`. You'll also need to modify the few wildcard DNS references to it in the two `docker-compose.yml` files.
- Vagrant is set to allocate 4 cores and 4 GB of RAM per machine (this is 8 cores / 8 GB of memory total) you may need to adjust this for your machine if necessary. - Vagrant is set to allocate 4 cores and 4 GB of RAM, you may need to adjust this for your machine if necessary.
- After deploying, Graylog takes the longest to become available and it may take 30 seconds to a few minutes to bring it up depending on your machine. - After deploying, Graylog takes the longest to become available and it may take 30 seconds to a few minutes to bring it up depending on your machine.
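Review bot: the resource note has a comma splice: "Vagrant is set to allocate 4 cores and 4 GB of RAM, you may need to adjust this" reads better as two sentences or joined with "so". The setup notes also say nothing about the TLS material; since provisioning wipes and regenerates everything under `pki/` on every `vagrant provision`, a sentence to that effect (and that the keys end up in the synced folder) would save readers from wondering why Fluentd's certificate changes between runs.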
@@ -25,7 +26,7 @@ This demonstration assumes you are familiar with using Vagrant + VirtualBox to a
## Quick Start ## Quick Start
_This section assumes you will be using the default `172.28.128.30` and `172.28.128.31` IP addresses_ _This section assumes you will be using the default `172.28.128.30` IP address_
1. Clone the repository and navigate inside its directory 1. Clone the repository and navigate inside its directory
2. Create and provision the VM using `vagrant up` 2. Create and provision the VM using `vagrant up`
3. Navigate to [http://graylog.172.28.128.30.xip.io:8080/](http://graylog.172.28.128.30.xip.io:8080/) 3. Navigate to [http://graylog.172.28.128.30.xip.io:8080/](http://graylog.172.28.128.30.xip.io:8080/)
@@ -35,13 +36,13 @@ _This section assumes you will be using the default `172.28.128.30` and `172.28.
7. Press the start button on the top right to start updating the feed every second 7. Press the start button on the top right to start updating the feed every second
#### Docker Test #### Docker Test
- Generate Docker logs by simply navigating to the WordPress install page: [http://172.28.128.31:8080](http://172.28.128.31:8080/wp-admin/install.php) - Generate Docker logs by simply navigating to the WordPress install page [http://wordpress.172.28.128.30.xip.io:8080/](http://wordpress.172.28.128.30.xip.io:8080/)
#### File Test #### File Test
- Collect logs from Apache's `access_log` file by going to [http://172.28.128.31/](http://172.28.128.31/) - Collect logs from Apache's `access_log` file by going to [http://172.28.128.30/](http://172.28.128.30/)
#### Syslog Test #### Syslog Test
1. Go back to the terminal inside the project's directory and type `vagrant ssh systems` or `vagrant ssh graylog` 1. Go back to the terminal inside the project's directory and type `vagrant ssh`
2. You can test Syslog collection with `logger` e.g. `logger -t test Hello world` (or just wait for some to appear) 2. You can test Syslog collection with `logger` e.g. `logger -t test Hello world` (or just wait for some to appear)
### Copyrights and Licenses ### Copyrights and Licenses
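Review bot: the Syslog Test depends on rsyslog forwarding with `*.* @127.0.0.1:5140`, and a single `@` means UDP, so messages logged before the fluentd container has published `5140:5140/udp` are dropped silently rather than queued; it would help to tell readers to wait for `docker-compose ps` to show fluentd up before running `logger`. Minor: the Docker Test link now points at the site root instead of `/wp-admin/install.php`; WordPress redirects there on a fresh install, but saying so avoids confusion about what "the install page" is.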

319
Vagrantfile vendored

@@ -1,178 +1,155 @@
# vi: set ft=ruby : # vi: set ft=ruby :
PRIVATE_NET_IP = "172.28.128." PRIVATE_NET_IP = "172.28.128.30"
Vagrant.configure("2") do |config| Vagrant.configure("2") do |config|
config.vm.box = "centos/7"
config.vm.network "private_network", ip: PRIVATE_NET_IP
config.vm.synced_folder ".", "/vagrant", type: "nfs"
vmservers = ["graylog", "systems"] config.vm.provider "virtualbox" do |vbox|
last_octet = 30 vbox.memory = 4096
vbox.cpus = 4
vmservers.each do |server|
config.vm.define "#{server}" do |node|
node.vm.box = "centos/7"
node.vm.hostname = "#{server}"
node.vm.network "private_network", ip: PRIVATE_NET_IP + last_octet.to_s
node.vm.synced_folder ".", "/vagrant", type: "nfs"
last_octet = last_octet + 1
node.vm.provider "virtualbox" do |vbox|
vbox.memory = 4096
vbox.cpus = 4
end
# Common provision
node.vm.provision "shell", inline: <<-SHELL
# Set SELinux to permissive
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=permissive/g" /etc/selinux/config
# Import GPG keys
rpm --import \
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 \
https://download.docker.com/linux/centos/gpg \
http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7 \
https://packages.treasuredata.com/GPG-KEY-td-agent
# Install Docker Community Edition
yum-config-manager --add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io
systemctl start docker
systemctl -q enable docker
usermod -aG docker vagrant
# Convenience
yum install -y vim
# Install rsyslog
yum install -y rsyslog
systemctl start rsyslog
systemctl -q enable rsyslog
# Add rsyslog forwarding option if it does not exist
if ! grep -q "127.0.0.1:5140" /etc/rsyslog.conf; then
echo "*.* @127.0.0.1:5140" >> /etc/rsyslog.conf
systemctl restart rsyslog
fi
# Setup TLS
if [ ! -f /vagrant/tmp/ca_key.pem ]; then
echo "Generating TLS certificates..."
cd /vagrant/tmp
openssl req -newkey rsa:4096 \
-x509 \
-sha256 \
-days 3650 \
-nodes \
-out ca_cert.pem \
-keyout ca_key.pem \
-subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
2> /dev/null
fi
# Install td-agent
cp /vagrant/td-agent.repo /etc/yum.repos.d/
yum check-update
yum install -y td-agent
td-agent-gem install fluent-plugin-gelf-hs gelf
systemctl -q enable td-agent
SHELL
# Commmon provision: install docker-compose
node.vm.provision "shell", path: "install-compose.sh"
# Graylog specific provision
if server == "graylog"
node.vm.provision "shell", inline: <<-SHELL
cp /vagrant/td-agent-server.conf /etc/td-agent/td-agent.conf
mkdir -p /var/log/graylog_buffer
chown -R td-agent:td-agent /var/log/graylog_buffer
systemctl restart td-agent
# Install jq
yum install -y epel-release
yum install -y jq
# Start Graylog
cd /vagrant
/usr/local/bin/docker-compose up -d 2> /dev/null
# Wait 120 seconds for Graylog to come online
SECONDS=0
while true
do
GRAYLOG_STATE=$(
docker inspect vagrant_graylog_1 \
| jq --raw-output '.[] | .State.Health.Status')
if [[ "$GRAYLOG_STATE" == "healthy" ]]; then
echo "Graylog is available."
sleep 5
break
elif [[ "$GRAYLOG_STATE" != "starting" ]]; then
echo "Something is wrong with Graylog. Aborting."
exit 1
elif [[ $SECONDS -le 120 ]]; then
echo "Waiting for Graylog ($SECONDS/120 seconds)"
sleep 10
else
echo "Waiting on Graylog timed out. Aborting."
exit 1
fi
done
# Check for existing GELF TCP Input
INPUTSTATE=$(
curl -s -X GET \
-H "Content-Type: application/json" \
-H "X-Requested-By: cli" \
-u admin:admin \
"http://graylog.172.28.128.30.xip.io:8080/api/system/inputstates")
INPUT_TYPES=$(echo $INPUTSTATE | jq --raw-output '.states | .[] | .message_input.type')
for TYPE in $INPUT_TYPES; do
if [[ "$TYPE" == "org.graylog2.inputs.gelf.tcp.GELFTCPInput" ]]; then
echo "Found GELF TCP input in Graylog, aborting input installation."
exit
fi
done
# Install GELF TCP Input
curl -i -s -X POST \
-H "Content-Type: application/json" \
-H "X-Requested-By: cli" \
-u admin:admin \
"http://graylog.172.28.128.30.xip.io:8080/api/system/inputs" \
-d @GELFTCPInput.json
SHELL
elsif server == "systems"
node.vm.provision "shell", inline: <<-SHELL
# Install apache
yum install -y httpd
systemctl start httpd
systemctl -q enable httpd
# Configure td-agent
cp /vagrant/td-agent.conf /etc/td-agent/td-agent.conf
mkdir -p /var/log/containers /var/log/fluentd_buffer
chown -R td-agent:td-agent /var/log/containers /var/log/fluentd_buffer
chmod -R 755 /var/log
systemctl restart td-agent
# Bring up WordPress test containers
cd /vagrant/wordpress
/usr/local/bin/docker-compose up -d 2> /dev/null
SHELL
end
end
end end
config.vm.provision "shell", inline: <<-SHELL
# Set SELinux to permissive
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=permissive/g" /etc/selinux/config
# Import GPG keys
curl -s https://download.docker.com/linux/centos/gpg -o docker-key
rpm --import docker-key \
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 \
http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
# Install Docker Community Edition
yum-config-manager --add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce docker-ce-cli containerd.io
systemctl start docker
systemctl -q enable docker
usermod -aG docker vagrant
# Convenience
yum install -y vim
# Install jq
yum install -y epel-release
yum install -y jq
# Install apache
yum install -y httpd
systemctl start httpd
systemctl -q enable httpd
# Install rsyslog
yum install -y rsyslog
systemctl start rsyslog
systemctl -q enable rsyslog
# Add rsyslog forwarding option if it does not exist
if ! grep -q "127.0.0.1:5140" /etc/rsyslog.conf; then
echo "*.* @127.0.0.1:5140" >> /etc/rsyslog.conf
systemctl restart rsyslog
fi
SHELL
# Install newest docker-compose
config.vm.provision "shell", path: "install-compose.sh"
# Start compose services and add default input
config.vm.provision "shell", inline: <<-SHELL
# Remove old keys and create directories
mkdir -p /vagrant/pki
rm -r /vagrant/pki/*
mkdir -p /vagrant/pki/{fluentd,graylog}
# Generate and install TLS keys
cd /vagrant/pki
# Generate Graylog's CA
openssl genrsa -out rootCA.key 4096 2> /dev/null
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
-out rootCA.crt -subj "/C=US/ST=GA/O=MyOrg/CN=localhost" 2> /dev/null
# Generate Fluentd's keys
openssl genrsa -out fluentd.key 4096 2> /dev/null
openssl req -new -sha256 -key fluentd.key \
-subj "/C=US/ST=GA/O=MyOrg/CN=localhost" -out fluentd.csr 2> /dev/null
# Sign Fluentd's certificate
openssl x509 -req -in fluentd.csr -CA rootCA.crt -CAkey rootCA.key \
-CAcreateserial -out fluentd-signed.crt -days 500 -sha256 2> /dev/null
mv fluentd*.* fluentd/
mv root*.* graylog/
# Bring up containers
cd /vagrant
/usr/local/bin/docker-compose up -d 2> /dev/null
cd /vagrant/wordpress
/usr/local/bin/docker-compose up -d 2> /dev/null
cd /vagrant
# Wait 120 seconds for Graylog to come online
INSTALL_INPUT=0
SECONDS=0
while true
do
GRAYLOG_STATE=$(
docker inspect vagrant_graylog_1 \
| jq --raw-output '.[] | .State.Health.Status')
if [[ "$GRAYLOG_STATE" == "healthy" ]]; then
echo "Graylog is available."
INSTALL_INPUT=1
sleep 5
break
elif [[ "$GRAYLOG_STATE" != "starting" ]]; then
echo "Something is wrong with Graylog. Aborting."
break
elif [[ $SECONDS -le 120 ]]; then
echo "Waiting for Graylog ($SECONDS/120 seconds)"
sleep 10
else
echo "Waiting on Graylog timed out. Aborting."
break
fi
done
# Check for existing GELF TCP Input
INPUTSTATE=$(
curl -s -X GET \
-H "Content-Type: application/json" \
-H "X-Requested-By: cli" \
-u admin:admin \
"http://graylog.172.28.128.30.xip.io:8080/api/system/inputstates")
INPUT_TYPES=$(echo $INPUTSTATE | jq --raw-output '.states | .[] | .message_input.type')
for TYPE in $INPUT_TYPES; do
if [[ "$TYPE" == "org.graylog2.inputs.gelf.tcp.GELFTCPInput" ]]; then
echo "Found GELF TCP input in Graylog, aborting input installation."
INPUT_INSTALL=1
break
fi
done
# Install GELF TCP Input
if [[ $INSTALL_INPUT -eq 1 ]]; then
echo "Installing GELF TCP input"
curl -i -s -X POST \
-H "Content-Type: application/json" \
-H "X-Requested-By: cli" \
-u admin:admin \
"http://graylog.172.28.128.30.xip.io:8080/api/system/inputs" \
-d @GELFTCPInput.json
fi
SHELL
end end
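Review bot: the duplicate-input guard in the new provisioner sets the wrong variable. The loop over `$INPUT_TYPES` assigns `INPUT_INSTALL=1` when a `GELFTCPInput` already exists, but the install step tests `INSTALL_INPUT`, which is still 1 from the healthy branch, so every `vagrant provision` will POST `GELFTCPInput.json` again and create a duplicate input; the guard should be `INSTALL_INPUT=0`. Two smaller points in the same block: `rm -r /vagrant/pki/*` errors on a first run because the directory just created by `mkdir -p` is empty and the glob does not expand (use `rm -rf`), and the failure branches of the health loop now `break` instead of `exit 1`, so a Graylog that never becomes healthy leaves the provisioner reporting success with no input installed. The API calls still use the default `admin:admin` credentials and the cleartext `http://...:8080/api` endpoint; fine for a demo, but worth a line in the README so nobody carries the pattern elsewhere.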


@@ -3,7 +3,7 @@ version: '3.7'
services: services:
traefik: traefik:
image: traefik:2.2.1 image: traefik:2.1.4
restart: always restart: always
networks: networks:
- traefik-net - traefik-net
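Review bot: this hunk moves the Traefik image from `traefik:2.2.1` to `traefik:2.1.4`, an earlier release. If this compare is against a branch that has since bumped versions the downgrade is an artifact of the base, but merging as-is would revert the newer tag; please confirm which version is intended. Pinning to an exact tag rather than `latest` is good either way.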
@@ -24,27 +24,28 @@ services:
- "traefik.enable=true" - "traefik.enable=true"
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
logging:
driver: "fluentd" fluentd:
options: build: ./fluentd
fluentd-address: "tcp://127.0.0.1:24224" restart: always
fluentd-async-connect: "true" volumes:
tag: traefik - /var/log:/var/log/hostlogs
- /vagrant/pki/fluentd:/fluentd/etc/pki
networks:
- graylog
ports:
- 24224:24224
- 24224:24224/udp
- 5140:5140/udp
mongo: mongo:
image: mongo:4.2.8 image: mongo:4.2.2
restart: always restart: always
networks: networks:
- graylog - graylog
logging:
driver: "fluentd"
options:
fluentd-address: "tcp://127.0.0.1:24224"
fluentd-async-connect: "true"
tag: graylog.db
elasticsearch: elasticsearch:
image: elasticsearch:6.8.10 image: elasticsearch:6.8.6
restart: always restart: always
environment: environment:
- http:host=0.0.0.0 - http:host=0.0.0.0
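Review bot: the new `fluentd` service publishes `24224`, `24224/udp` and `5140/udp` on all interfaces, yet every producer talks to loopback (rsyslog forwards to `127.0.0.1:5140`, the Docker logging driver to `tcp://127.0.0.1:24224`), so the unauthenticated forward and syslog inputs are reachable from the whole `172.28.128.0` private network for no benefit; binding them as `127.0.0.1:24224:24224`, `127.0.0.1:24224:24224/udp` and `127.0.0.1:5140:5140/udp` keeps the behaviour and closes that. The `/var/log:/var/log/hostlogs` mount gives the container read-write access to the entire host log directory; it could be `:ro` if the pos file and the `containers/` output in `fluent.conf` were moved to a dedicated volume. Also note that the `traefik` and `mongo` services lose their `fluentd` logging driver here, so their container logs no longer reach Graylog; if that is deliberate, the README's "logs from containers" wording should say which containers.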
@@ -57,15 +58,9 @@ services:
hard: -1 hard: -1
networks: networks:
- graylog - graylog
logging:
driver: "fluentd"
options:
fluentd-address: "tcp://127.0.0.1:24224"
fluentd-async-connect: "true"
tag: graylog.elasticsearch
graylog: graylog:
image: graylog/graylog:3.3.2 image: graylog/graylog:3.2.2
restart: always restart: always
environment: environment:
- GRAYLOG_PASSWORD_SECRET=LongerPassword01 - GRAYLOG_PASSWORD_SECRET=LongerPassword01
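Review bot: same two observations as the previous hunk: the `elasticsearch` service loses its `fluentd` logging driver, and `graylog/graylog:3.3.2` becomes `graylog/graylog:3.2.2`, an older release, which should be confirmed as intentional. The unchanged `GRAYLOG_PASSWORD_SECRET=LongerPassword01` context line is a demo value committed to the repo; a comment marking it as such would prevent copy-paste reuse.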
@@ -94,12 +89,8 @@ services:
- 12201:12201 - 12201:12201
# GELF UDP # GELF UDP
- 12201:12201/udp - 12201:12201/udp
logging: volumes:
driver: "fluentd" - /vagrant/pki/graylog:/usr/share/graylog/pki
options:
fluentd-address: "tcp://127.0.0.1:24224"
fluentd-async-connect: "true"
tag: graylog
networks: networks:
traefik-net: traefik-net:
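Review bot: the new `/vagrant/pki/graylog:/usr/share/graylog/pki` volume mounts the whole directory that `mv root*.* graylog/` fills, which includes `rootCA.key` and `rootCA.srl`, not just `rootCA.crt`. If `GELFTCPInput.json` only references the certificate, mount that single file; if the input really uses the CA key as the server key, that is worth stating, because it makes the CA private key a runtime secret of the Graylog container. Either way the mount should be `:ro`. The `graylog` service also loses its own `fluentd` logging driver in this hunk.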

10
fluentd/Dockerfile Normal file

@@ -0,0 +1,10 @@
FROM fluent/fluentd:v1.9.0-debian-1.0
USER root
RUN apt-get update \
&& apt-get -y install --no-install-recommends wget \
&& rm -rf /var/lib/apt/lists/*
RUN gem uninstall gelf -v 3.1.0
RUN gem install gelf -v 3.0.0
RUN gem install fluent-plugin-rewrite-tag-filter
RUN gem install fluent-plugin-gelf-hs
COPY fluent.conf /fluentd/etc/
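Review bot: `USER root` is never switched back, so the resulting container runs as root for its whole life; that is presumably needed to read the host's `/var/log` bind mount, but it deserves a comment so the next person does not drop it or assume it is accidental. `wget` is installed and then never used in the Dockerfile, so that `RUN` layer can go. `gem uninstall gelf -v 3.1.0` hard-codes the version bundled with `fluent/fluentd:v1.9.0-debian-1.0` and will stop matching if the base image changes, and `fluent-plugin-rewrite-tag-filter` and `fluent-plugin-gelf-hs` are installed unpinned, so the build is not reproducible; pinning all three and using a single `RUN gem install ...` would tighten it.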

52
fluentd/fluent.conf Normal file

@@ -0,0 +1,52 @@
<source>
@type forward
port 24224
</source>
<source>
@type syslog
port 5140
tag system
</source>
<source>
@type tail
path /var/log/hostlogs/httpd/access_log
pos_file /var/log/hostlogs/httpd/access_log.pos
tag httpd.access
<parse>
@type apache2
</parse>
</source>
<match devel.*>
@type copy
<store>
@type file
path /var/log/hostlogs/containers/${tag}
append true
<buffer tag>
timekey 5s
flush_mode immediate
</buffer>
</store>
<store>
@type rewrite_tag_filter
<rule>
key container_name
pattern /\/(.+)/
tag ${tag}.$1
</rule>
</store>
</match>
<match **>
@type gelf
host vagrant_graylog_1
port 12201
protocol tcp
tls true
tls_options {"cert":"/fluentd/etc/pki/fluentd-signed.crt",
"key":"/fluentd/etc/pki/fluentd.key"}
flush_interval 5s
</match>
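Review bot: the `tail` source writes its `pos_file` into `/var/log/hostlogs/httpd/`, which is the host's Apache log directory, so state bookkeeping lands next to the logs being collected; a path under a dedicated state directory or volume is cleaner and is what makes a read-only `/var/log` mount possible. The final `gelf` match has no `<buffer>` section, whereas both deleted td-agent configs used `@type file` buffers (`/var/log/graylog_buffer`, `/var/log/fluentd_buffer`), so in-flight messages are now held in memory and lost when the container restarts or Graylog is unreachable for longer than the retry window. On TLS: `tls_options` supplies only the client `cert` and `key`; nothing here pins Graylog's server certificate, and the certificates are issued with `CN=localhost` while the output connects to `host vagrant_graylog_1`, so if the plugin performs hostname verification this will fail, and if it does not, the client has no way to know it is talking to the real Graylog. Worth adding the CA to the options if `fluent-plugin-gelf-hs` supports it, or documenting that verification is off.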


@@ -1,42 +0,0 @@
<source>
@type forward
port 2514
<transport tls>
version TLSv1_2
insecure true
cert_path /vagrant/tmp/ca_cert.pem
private_key_path /vagrant/tmp/ca_key.pem
</transport>
</source>
<source>
@type forward
port 24224
</source>
<source>
@type syslog
port 5140
tag system.local
</source>
<filter httpd.access>
@type parser
key_name message
reserve_data true
<parse>
@type apache2
</parse>
</filter>
<match **>
@type gelf
protocol tcp
host localhost
port 12201
<buffer>
@type file
path /var/log/graylog_buffer
flush_interval 0s
</buffer>
</match>
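Review bot: removing this file retires a forward listener that ran with `insecure true` and used the CA's own private key as its server key (`private_key_path /vagrant/tmp/ca_key.pem`), which is a good thing to lose; the replacement design should avoid reproducing both patterns, in particular the CA key doubling as a service key.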


@@ -1,62 +0,0 @@
<source>
@type forward
port 24224
</source>
<source>
@type syslog
port 5140
tag system
</source>
<source>
@type tail
path /var/log/httpd/access_log
pos_file /var/log/td-agent/access_log.pos
tag httpd.access
<parse>
@type none
</parse>
</source>
<match devel.*>
@type copy
<store>
@type file
path /var/log/containers/${tag}
append true
<buffer tag>
@type file
path /var/log/containers/buffer
flush_interval 0s
</buffer>
<format>
@type single_value
message_key log
</format>
</store>
<store>
@type rewrite_tag_filter
<rule>
key container_name
pattern /\/(.+)/
tag ${tag}.$1
</rule>
</store>
</match>
<match **>
@type forward
transport tls
tls_cert_path /vagrant/tmp/ca_cert.pem
<server>
name example.com
host 172.28.128.30
port 2514
</server>
<buffer>
@type file
path /var/log/fluentd_buffer
flush_interval 0s
</buffer>
</match>


@@ -1,5 +0,0 @@
[treasuredata]
name=TreasureData
baseurl=http://packages.treasuredata.com/3/redhat/$releasever/$basearch
gpgcheck=1
gpgkey=https://packages.treasuredata.com/GPG-KEY-td-agent


@@ -11,25 +11,26 @@ services:
MYSQL_USER: wordpress MYSQL_USER: wordpress
MYSQL_PASSWORD: Password1 MYSQL_PASSWORD: Password1
MYSQL_RANDOM_ROOT_PASSWORD: '1' MYSQL_RANDOM_ROOT_PASSWORD: '1'
logging: networks:
driver: "fluentd" - default
options:
fluentd-address: "tcp://127.0.0.1:24224"
fluentd-async-connect: "true"
tag: devel.kris.db
wordpress: wordpress:
depends_on: depends_on:
- db - db
image: wordpress:latest image: wordpress:latest
restart: always restart: always
ports:
- 8080:80
environment: environment:
WORDPRESS_DB_HOST: db:3306 WORDPRESS_DB_HOST: db:3306
WORDPRESS_DB_USER: wordpress WORDPRESS_DB_USER: wordpress
WORDPRESS_DB_PASSWORD: Password1 WORDPRESS_DB_PASSWORD: Password1
WORDPRESS_DB_NAME: wordpress WORDPRESS_DB_NAME: wordpress
networks:
- default
- traefik-net
labels:
- "traefik.http.routers.wordpress.rule=Host(`wordpress.172.28.128.30.xip.io`)"
- "traefik.docker.network=vagrant_traefik-net"
- "traefik.enable=true"
logging: logging:
driver: "fluentd" driver: "fluentd"
options: options:
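Review bot: dropping `ports: 8080:80` so WordPress is reachable only through Traefik on the `traefik-net` network is an improvement, and the labels match the README's new `wordpress.172.28.128.30.xip.io` host. However, the `db` service loses its `fluentd` logging driver (tag `devel.kris.db`), so MySQL container logs stop reaching Graylog and the "Docker Test" will only show the `wordpress` container; if that is intended, say so in the README. The shared `Password1` values in the unchanged context are demo credentials and should be labelled as such.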
@@ -37,5 +38,10 @@ services:
fluentd-async-connect: "true" fluentd-async-connect: "true"
tag: devel.kris tag: devel.kris
networks:
traefik-net:
external:
name: vagrant_traefik-net
volumes: volumes:
db_data: {} db_data: {}
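Review bot: the external network is referenced by its generated name `vagrant_traefik-net`, which ties this file to the top-level stack having the Compose project name `vagrant` (the directory name) and to that stack being started first. The Vagrantfile brings the two up in the right order, but running `docker-compose up` from a checkout in any other directory, or before the main stack, fails with a missing-network error; a comment here, or a fixed `name:` on the network in the top-level compose file, would make that dependency explicit.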