Tested On
OS: CentOS 6.3 x86_64
Graylog2-Server Version: 0.11.0
Graylog2-web-interface: 0.11.0
Graylog2-Radio: 0.10.0
Hardware: Virtual Box 4.2.8
About
Graylog2-Radio is an add-on for Graylog2-Server that helps you send your logs to an AMQP topic exchange.
With Graylog2-Radio you can avoid problems such as full buffers and rejected messages. You can also stop your graylog2-server without losing any messages, because they are written to an AMQP server.
Graylog2-radio listens on a TCP/UDP port for syslog or GELF messages and publishes them to an AMQP exchange. Graylog2-server can then be configured to consume these messages and store them in Elasticsearch.
In this guide I will show how to install graylog2 radio, rabbitmq and configure your graylog2-server to consume messages from rabbitmq.
I am going to use one server for all roles but it’s recommended to use different servers.
Prerequisite
- A ready-to-use graylog2-server. You can use this Graylog2 Installation guide
Install Graylog2-Radio
- Install RabbitMQ server using the following guide: RabbitMQ Installation
- Download and extract graylog2-radio
    mkdir /usr/local/src/graylog2
    cd /usr/local/src/graylog2
    wget https://download.graylog2.org/graylog2-radio/graylog2-radio-1.0.0.tar.gz -O graylog2-radio.tar.gz
    tar zxf graylog2-radio.tar.gz
    rm -f graylog2-radio.tar.gz
    mv graylog2-radio-* /opt/graylog2-radio
    cd /opt/graylog2-radio
- Create configuration files for graylog2-radio
    cp graylog2-radio.conf.example /etc/graylog2-radio.conf
    cp graylog2-radio-inputs.conf.example /etc/graylog2-radio-inputs.conf
- Check that the AMQP settings match your RabbitMQ server
    vi /etc/graylog2-radio.conf
- Configure graylog2-radio-inputs file to listen to gelf and syslog messages
    vi /etc/graylog2-radio-inputs.conf

    udp gelflogs 0.0.0.0 12501
    udp systemlogs 0.0.0.0 12502
- Create graylog2-radio start script
    vi /etc/init.d/graylog2-radio

    #!/bin/bash
    #
    # graylog2-radio: graylog2 AMQP producer
    #
    # chkconfig: - 98 02
    # description: This daemon starts graylog2-radio
    #

    # Source function library.
    . /etc/rc.d/init.d/functions

    CMD=$1
    NOHUP=`which nohup`
    STOP_TIMEOUT=30
    BINARY=java
    PROG=graylog2-radio
    HOME_DIR=/opt/graylog2-radio
    LOG_FILE=${HOME_DIR}/log/${PROG}.log
    JAR_FILE=graylog2-radio.jar
    CONF_FILE=/etc/graylog2-radio.conf
    PID_FILE=/var/run/graylog2-radio.pid

    start() {
        graylog2_status > /dev/null 2>&1
        # 0 means running. Anything else (3 = stopped, 1 = dead with a
        # stale pid file) means the process has to be started.
        if [ ${RETVAL} -ne 0 ]
        then
            echo "Starting ${PROG} ..."
            cd ${HOME_DIR}
            # stdout is appended to the log file; stderr is discarded
            $NOHUP > /dev/null 2>&1 ${BINARY} -jar ${JAR_FILE} -f ${CONF_FILE} -p ${PID_FILE} >> ${LOG_FILE} &
            RETVAL=0
        else
            echo "${PROG} is already running"
        fi
    }

    stop() {
        echo -n $"Stopping $PROG: "
        killproc -p ${PID_FILE} -d ${STOP_TIMEOUT} ${PROG}
        RETVAL=$?
        echo
        # Remove the pid file only when the process was actually stopped
        [ $RETVAL = 0 ] && rm -f ${PID_FILE}
    }

    graylog2_status() {
        status -p ${PID_FILE} ${PROG}
        RETVAL=$?
    }

    restart() {
        echo "Restarting ${PROG} ..."
        stop
        start
    }

    case "$CMD" in
        start)
            start
            ;;
        stop)
            stop
            ;;
        restart)
            restart
            ;;
        status)
            graylog2_status
            ;;
        *)
            echo "Usage $0 {start|stop|restart|status}"
            RETVAL=1
    esac

    exit ${RETVAL}
- Configure graylog2-radio to start at boot and start it
    chmod +x /etc/init.d/graylog2-radio
    chkconfig --add graylog2-radio
    chkconfig graylog2-radio on
    service graylog2-radio start
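- Configure RabbitMQ credentials in your graylog2 server. The values below use RabbitMQ's default guest account, which fits this single-server setup; with RabbitMQ on a separate server, create a dedicated user and put its credentials here instead.
    vi /etc/graylog2.conf

    ...
    # AMQP
    amqp_enabled = true
    amqp_host = localhost
    amqp_port = 5672
    amqp_username = guest
    amqp_password = guest
    amqp_virtualhost = /
    ...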
- Restart graylog2-server to apply new AMQP configuration
    service graylog2-server restart
- Browse to your graylog2 web interface and configure which exchange your graylog2 server should listen on for each message type:
  - In the graylog2 web interface go to Setting -> AMQP
  - Add a new AMQP configuration for GELF messages: Exchange=messages, Routing Key=gelflogs, Type=GELF
  - Add another AMQP configuration for syslog messages: Exchange=messages, Routing Key=systemlogs, Type=syslog
That’s all. Now you need to configure your servers to send logs to the graylog2-radio listening ports: 12501 for GELF messages and 12502 for syslog messages.
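
To confirm the whole path (radio input, RabbitMQ exchange, graylog2-server) before pointing real hosts at it, the following added example, which is not part of the original guide, sends one zlib-compressed GELF datagram to port 12501 and one RFC 3164 syslog datagram to port 12502. It assumes graylog2-radio runs on 127.0.0.1; the function names and the test marker string are illustrative.

```python
import json
import socket
import time
import zlib

RADIO_HOST = "127.0.0.1"   # assumption: radio runs on this host, as in the guide
GELF_PORT = 12501          # "gelflogs" input from graylog2-radio-inputs.conf
SYSLOG_PORT = 12502        # "systemlogs" input from graylog2-radio-inputs.conf
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def build_gelf(short_message, host, level=6, now=None, **extra):
    """Return one zlib-compressed GELF datagram (JSON body)."""
    msg = {
        "version": "1.0",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time() if now is None else now,
        "level": level,
    }
    # GELF additional fields must carry a leading underscore.
    msg.update({"_" + k: v for k, v in extra.items()})
    return zlib.compress(json.dumps(msg).encode("utf-8"))


def build_syslog(message, host, tag="radio-test", facility=1, severity=6, now=None):
    """Return one RFC 3164 datagram: <PRI>Mmm dd hh:mm:ss host tag: msg."""
    t = time.localtime(now)
    stamp = "%s %2d %02d:%02d:%02d" % (
        MONTHS[t.tm_mon - 1], t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)
    pri = facility * 8 + severity  # PRI encodes facility and severity together
    return ("<%d>%s %s %s: %s" % (pri, stamp, host, tag, message)).encode("utf-8")


def send_udp(payload, port, host=RADIO_HOST):
    """Send a single datagram; UDP gives no delivery confirmation."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


if __name__ == "__main__":
    marker = "radio-pipeline-test-%d" % int(time.time())  # constructed test string
    me = socket.gethostname()
    send_udp(build_gelf(marker + " gelf", me, source_check="radio"), GELF_PORT)
    send_udp(build_syslog(marker + " syslog", me), SYSLOG_PORT)
    print("sent; search the web interface for:", marker)
```

Because UDP is fire-and-forget, a successful send proves nothing by itself: search for the marker in the web interface, and if it is missing, check the graylog2-radio log and the RabbitMQ exchange bindings.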