How to Install the Graylog Log Management Tool on RHEL Systems


Graylog is a leading open source log management system for collecting, storing, indexing and analyzing real-time data from applications and from the many devices in an IT infrastructure, such as servers, routers and firewalls.

Graylog helps you gain deeper insight into the collected data by combining multiple searches for comprehensive analysis and reporting. It also detects threats and potentially malicious activity through in-depth analysis of the logs gathered from various sources.

Graylog consists of the following components:

  • Graylog Server – The main server component, used for log processing.
  • Graylog web interface – A browser-based application that gives visibility into the data and logs collected from multiple endpoints.
  • MongoDB – A NoSQL database server that stores configuration data.
  • Elasticsearch – A free and open source search and analytics engine that indexes and searches data from various sources.

The Graylog architecture accepts structured data, including network traffic and logs, from the following:

  • Syslog (TCP, UDP, AMQP, Kafka).
  • AWS – AWS logs, CloudTrail, & FlowLogs.
  • Netflow (UDP).
  • GELF (TCP, UDP, AMQP, Kafka).
  • ELK – Beats and Logstash.
  • JSON paths from the HTTP API.

Some of the large technology companies that run Graylog in their technology stacks include Fiverr, CircleCI, CraftBase, and BitPanda.

In this guide, we will show you how to install the Graylog log management tool on RHEL 8 and RHEL-based distros such as AlmaLinux, CentOS Stream, and Rocky Linux.

Step 1: Install the EPEL Repo and Required Packages

To get started, you need a few essential packages that will be used as you work through this guide. First, install the EPEL repository, which provides additional software packages for RHEL and RHEL-based distributions.

$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

Next, install the following packages, which will be needed along the way.

$ sudo dnf install -y pwgen wget curl perl-Digest-SHA

Step 2: Install Java (OpenJDK) on RHEL

One of the requirements for installing Graylog is Java 8 or a later version. Here, we will install the latest LTS release of Java, which is Java 11, provided by OpenJDK 11.

So, run the following command to install OpenJDK.

$ sudo dnf install java-11-openjdk java-11-openjdk-devel -y

This installs the Java dependency along with a number of other dependencies.

Once the installation is complete, check the installed version.

$ java -version

Step 3: Install Elasticsearch on RHEL

Elasticsearch is an open source search and analytics engine that handles a variety of data types, including structured, unstructured, numerical, geospatial, and textual data.

It is a core component of the Elastic stack, also known as ELK (Elasticsearch, Logstash, and Kibana), and is known for its simple REST API, scalability and speed.

Graylog requires Elasticsearch 6.x or 7.x. We will install Elasticsearch 7.x, which is the latest release at the time of publishing this guide.

Create the Elasticsearch repository file.

$ sudo vim /etc/yum.repos.d/elasticsearch.repo

Then paste the following lines into the file.

[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/oss-7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Save the changes and exit.

Next, install Elasticsearch using the DNF package manager as shown.

$ sudo dnf install elasticsearch-oss

For Elasticsearch to work with Graylog, a few changes are required. So, open the elasticsearch.yml file.

$ sudo vim /etc/elasticsearch/elasticsearch.yml

Update the cluster name to graylog as shown.

cluster.name: graylog

Save the changes and exit.

Then reload the systemd manager configuration.

$ sudo systemctl daemon-reload

Next, enable and start the Elasticsearch service by running the following commands.

$ sudo systemctl enable elasticsearch.service
$ sudo systemctl start elasticsearch.service

By default, Elasticsearch listens on port 9200 for HTTP requests. You can confirm this by sending a curl request as shown.

$ curl -X GET http://localhost:9200

Step 4: Install MongoDB on RHEL

Graylog uses the MongoDB database server to store configuration data.

We will install MongoDB 4.4, but first, create a repository file for MongoDB.

$ sudo vim /etc/yum.repos.d/mongodb-org-4.repo

Then paste the following configuration.

[mongodb-org-4]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/4.4/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.4.asc

Save the changes and exit.

Then install MongoDB as follows.

$ sudo dnf install mongodb-org

Once installed, start MongoDB and enable it to start at system boot.

$ sudo systemctl start mongod
$ sudo systemctl enable mongod

To check the MongoDB version, run the command:

$ mongo --version

Step 5: Install Graylog Server on RHEL

With all the requirements installed, now install Graylog by running the following commands.

$ sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-4.2-repository_latest.rpm
$ sudo dnf install graylog-server

You can verify the Graylog installation as shown:

$ rpm -qi graylog-server

Now, start the Graylog server and enable it to start at boot time.

$ sudo systemctl start graylog-server.service
$ sudo systemctl enable graylog-server.service

Step 6: Configure Graylog Server on RHEL

For Graylog to work as expected, some additional configuration is required. You need to define the following parameters in the configuration file:

root_password_sha2
password_secret
root_username
http_bind_address

We will define these parameters in the /etc/graylog/server/server.conf file, which is the default configuration file.

root_password_sha2 is the hashed password for the root user. To generate it, run the following command. YourPassword is only a placeholder; substitute a password of your own. Keep in mind that a password typed on the command line like this is recorded in your shell history.

$ echo -n 'YourPassword' | shasum -a 256

Output

68e865af8ddbeffc494508bb6181167fccf0bb7c0cab421c54ef3067bdd8d85d

Take note of this hashed password and keep it somewhere safe.

Next, generate the password_secret as follows:

$ pwgen -N 1 -s 96

Output

T1EtSsecY0QE4jIG3t6e96A5qLU5WhS9p5SliveX9kybWjC3WKhN4246oqGYPe4BTLXaaiOcM7LyuSd9bGAonQxkTsTjuqBf

Take note of this secret as well.

Then open the Graylog configuration file.

$ sudo vim /etc/graylog/server/server.conf

Paste the values you generated for root_password_sha2 and password_secret as shown.

root_username = admin
root_password_sha2 = 68e865af8ddbeffc494508bb6181167fccf0bb7c0cab421c54ef3067bdd8d85d
password_secret = T1EtSsecY0QE4jIG3t6e96A5qLU5WhS9p5SliveX9kybWjC3WKhN4246oqGYPe4BTLXaaiOcM7LyuSd9bGAonQxkTsTjuqBf

In addition, allow external users to reach Graylog by setting http_bind_address as follows. Note that 0.0.0.0 binds the web interface and REST API on every network interface of the server, so make sure only the networks that need port 9000 can reach it.

http_bind_address = 0.0.0.0:9000

Also, configure the timezone for the Graylog server.

root_timezone = UTC

Save and exit the configuration file.

To apply these changes, restart the Graylog server.

$ sudo systemctl restart graylog-server.service

You can confirm from the log file whether Graylog is running as expected.

$ tail -f /var/log/graylog-server/server.log

The last line of the output that follows shows that everything is fine.

Graylog listens on port 9000, which provides access to the web interface. So, open this port on the firewall.

$ sudo firewall-cmd --add-port=9000/tcp --permanent
$ sudo firewall-cmd --reload

Step 7: Access the Graylog Web UI

To access Graylog, browse to one of the following URLs.

http://server-ip:9000
OR
http://domain-name:9000

Log in with your root username and the password you configured for root_password_sha2 in the server.conf file.

Once logged in, you will see the following dashboard.

From here, you can proceed to analyze the data and logs collected from your various data sources.

Graylog remains a popular centralized log management solution for developers and operations teams. Analysis of the collected data gives deep insight into the operational state of applications and devices, and helps with troubleshooting errors and improving IT operations.

That's all for this guide. In this tutorial, we have shown how to install Graylog Server on RHEL-based Linux distributions.