Tested On
OS: CentOS 6.3 x86_64
Graylog2-Server Version: 0.11.0
Graylog2-web-interface: 0.11.0
Graylog2-Radio: 0.10.0
Hardware: VirtualBox 4.2.8
About
Graylog2-Radio is an add-on for Graylog2-Server that helps you send your logs to an AMQP topic exchange.
With Graylog2-Radio you can avoid problems such as full buffers and rejected messages. You can also stop your graylog2-server without losing any messages, because they are written to an AMQP server.
Graylog2-Radio listens on a TCP/UDP port for syslog or GELF messages and publishes them to an AMQP exchange. Graylog2-server can then be configured to consume these messages and store them in Elasticsearch.
In this guide I will show how to install graylog2-radio and RabbitMQ, and how to configure your graylog2-server to consume messages from RabbitMQ.
I am going to use one server for all roles but it’s recommended to use different servers.
Prerequisite
- A ready-to-use graylog2-server. You can use this Graylog2 Installation guide
Install Graylog2-Radio
- Install RabbitMQ server using the following guide: RabbitMQ Installation
- Download and extract graylog2-radio
mkdir /usr/local/src/graylog2
cd /usr/local/src/graylog2
wget https://download.graylog2.org/graylog2-radio/graylog2-radio-1.0.0.tar.gz -O graylog2-radio.tar.gz
tar zxf graylog2-radio.tar.gz
rm -f graylog2-radio.tar.gz
mv graylog2-radio-* /opt/graylog2-radio
cd /opt/graylog2-radio
- Create configuration files for graylog2-radio
cp graylog2-radio.conf.example /etc/graylog2-radio.conf
cp graylog2-radio-inputs.conf.example /etc/graylog2-radio-inputs.conf
- Check that the AMQP settings match your RabbitMQ server
vi /etc/graylog2-radio.conf
- Configure the graylog2-radio-inputs file to listen for GELF and syslog messages
vi /etc/graylog2-radio-inputs.conf
udp gelflogs 0.0.0.0 12501
udp systemlogs 0.0.0.0 12502
- Create the graylog2-radio start script
vi /etc/init.d/graylog2-radio
#!/bin/bash
#
# graylog2-radio: graylog2 AMQP producer
#
# chkconfig: - 98 02
# description: This daemon starts graylog2-radio
#

# Source function library.
. /etc/rc.d/init.d/functions

CMD=$1
NOHUP=`which nohup`
STOP_TIMEOUT=30
BINARY=java
PROG=graylog2-radio
HOME_DIR=/opt/graylog2-radio
LOG_FILE=${HOME_DIR}/log/${PROG}.log
JAR_FILE=graylog2-radio.jar
CONF_FILE=/etc/graylog2-radio.conf
PID_FILE=/var/run/graylog2-radio.pid

start() {
    graylog2_status > /dev/null 2>&1
    # Any non-zero status (3 = stopped, 1 = stale PID file) means not running
    if [ ${RETVAL} -ne 0 ]
    then
        echo "Starting ${PROG} ..."
        cd ${HOME_DIR}
        # Append both stdout and stderr to the log file
        $NOHUP ${BINARY} -jar ${JAR_FILE} -f ${CONF_FILE} -p ${PID_FILE} >> ${LOG_FILE} 2>&1 &
        RETVAL=0
    else
        echo "${PROG} is already running"
    fi
}

stop() {
    echo -n $"Stopping $PROG: "
    killproc -p ${PID_FILE} -d ${STOP_TIMEOUT} ${PROG}
    RETVAL=$?
    echo
    # Remove the PID file only after a clean stop
    [ $RETVAL = 0 ] && rm -f ${PID_FILE}
}

graylog2_status() {
    status -p ${PID_FILE} ${PROG}
    RETVAL=$?
}

restart() {
    echo "Restarting ${PROG} ..."
    stop
    start
}

case "$CMD" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    status)
        graylog2_status
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|status}"
        RETVAL=1
        ;;
esac

exit ${RETVAL}
- Configure graylog2-radio to start at boot and start it
chmod +x /etc/init.d/graylog2-radio
chkconfig --add graylog2-radio
chkconfig graylog2-radio on
service graylog2-radio start
- Configure the RabbitMQ credentials in your graylog2-server configuration
vi /etc/graylog2.conf
...
# AMQP
amqp_enabled = true
amqp_host = localhost
amqp_port = 5672
amqp_username = guest
amqp_password = guest
amqp_virtualhost = /
...
- Restart graylog2-server to apply the new AMQP configuration
service graylog2-server restart
- Browse to your graylog2 web interface and configure which exchange your graylog2-server should listen on for each message type:
  - In the graylog2 web interface go to Setting -> AMQP
  - Add a new AMQP configuration for GELF messages: Exchange=messages, Routing Key=gelflogs, Type=GELF
  - Add another AMQP configuration for syslog messages: Exchange=messages, Routing Key=systemlogs, Type=syslog
That’s all. Now configure your servers to send their logs to graylog2-radio on its listening ports: 12501 for GELF and 12502 for syslog.
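The configuration in this guide keeps RabbitMQ's default guest/guest account and binds both radio inputs to 0.0.0.0, so it is worth linting the two files before the host is reachable from other networks. The script below is an added example, not part of the original guide or of Graylog2; its function names are made up here, and the four-column layout of the inputs file (protocol, routing key, bind address, port) is assumed from the two sample lines above.

```shell
#!/bin/sh
# Added example: lint the two config files edited in this guide.
# Function names are hypothetical; the inputs-file column layout
# (protocol, routing key, bind address, port) is assumed from the guide.

# Flag default AMQP credentials in a graylog2.conf-style "key = value" file.
audit_amqp_conf() {
    awk '
        /^[ \t]*#/ { next }                       # skip comments
        { i = index($0, "="); if (!i) next        # split on the first "=" only
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
          conf[k] = v }
        END {
            if (conf["amqp_enabled"] != "true") exit   # AMQP unused: nothing to check
            if (conf["amqp_username"] == "guest")
                print "WARN amqp_username is the RabbitMQ default account (guest)"
            # Never echo the password itself, only the verdict.
            if (conf["amqp_password"] == "guest" || conf["amqp_password"] == "")
                print "WARN amqp_password is the default or empty"
        }' "$1"
}

# Flag radio inputs that accept traffic on every interface.
audit_radio_inputs() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        $3 == "0.0.0.0" || $3 == "::" {
            printf "WARN %s input \"%s\" listens on all interfaces, port %s\n", $1, $2, $4
        }' "$1"
}

# Constructed sample files that mirror the values used in this guide,
# except that the second input is bound to loopback for contrast.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# AMQP' 'amqp_enabled = true' 'amqp_host = localhost' \
        'amqp_port = 5672' 'amqp_username = guest' 'amqp_password = guest' \
        'amqp_virtualhost = /' > "$d/graylog2.conf"
    printf '%s\n' 'udp gelflogs 0.0.0.0 12501' 'udp systemlogs 127.0.0.1 12502' \
        > "$d/inputs.conf"
    audit_amqp_conf "$d/graylog2.conf"
    audit_radio_inputs "$d/inputs.conf"
    rm -rf "$d"
}

demo
```

On a real host, call audit_amqp_conf with /etc/graylog2.conf and audit_radio_inputs with /etc/graylog2-radio-inputs.conf instead of demo.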