High Availability Log Processing With Graylog, MongoDB and ElasticSearch
https://severalnines.com/blog/high-availability-log-processing-graylog-mongodb-and-elasticsearch/ 1/23
02/04/2024, 15:38 High Availability Log Processing with Graylog, MongoDB and ElasticSearch | Severalnines
In this blog post, we are going to deploy a Graylog cluster, with a MongoDB
Replica Set deployed using ClusterControl. We will configure the Graylog cluster
to collect syslog from several devices through a load-balanced syslog TCP
endpoint running on HAProxy. This provides a highly available single endpoint
with automatic failover in case any of the Graylog servers goes down.
Prerequisites
All hosts are running on CentOS 7.1 64-bit with SELinux and iptables disabled. The
following is the host definition inside /etc/hosts:
$ wget https://severalnines.com/downloads/cmon/install-cc
$ chmod 755 install-cc
$ ./install-cc
ssh-keygen -t rsa
ssh-copy-id 192.168.55.200
ssh-copy-id 192.168.55.201
ssh-copy-id 192.168.55.202
ssh-copy-id 192.168.55.203
Once deployed, we need to create a database user for Graylog. Log in to the
MongoDB console on the PRIMARY MongoDB Replica Set node (you can
determine the role under the ClusterControl Overview page). In this example, it
was graylog1.local:
Verify that the user is able to access the graylog2 schema on another replica set
member (e.g. 192.168.55.202 was in SECONDARY state):
Deploying ElasticSearch Cluster
$ wget https://download.elastic.co/elasticsearch/elastics
cluster.name: graylog-elasticsearch
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: ["graylog1.local", "gra
discovery.zen.minimum_master_nodes: 2
network.host: 192.168.55.203
Start the ElasticSearch daemon:
"name" : "American Eagle",
"transport_address" : "inet[/192.168.55.201:9300]",
"attributes" : { }
},
"_WSvA3gbQK2A4v17BUWPug" : {
"name" : "Scimitar",
"transport_address" : "inet[/192.168.55.202:9300]",
"attributes" : { }
}
},
"metadata" : {
"templates" : { },
"indices" : { }
},
"routing_table" : {
"indices" : { }
},
"routing_nodes" : {
"unassigned" : [ ],
"nodes" : {
"_WSvA3gbQK2A4v17BUWPug" : [ ],
"BwQd98BnTBWADDjCvLQ1Jw" : [ ],
"7djnRL3iR-GJ5ARI8eIwGQ" : [ ]
}
},
"allocations" : [ ]
}
Deploying Graylog Cluster
The following steps should be performed on graylog1, graylog2 and graylog3.
Generate a SHA sum for our Graylog admin password using the
following command:
password_secret = password
root_password_sha2 = 5e884898da28047151d0e56f8dc629277360
rest_listen_uri = http://0.0.0.0:12900/
elasticsearch_cluster_name = graylog-elasticsearch
elasticsearch_discovery_zen_ping_multicast_enabled = fals
elasticsearch_discovery_zen_ping_unicast_hosts = graylog1
mongodb_uri = mongodb://grayloguser:password@192.168.55.2
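The settings above reuse the string "password" for password_secret and in the MongoDB URI, and the truncated root_password_sha2 value is a prefix of the unsalted SHA-256 of that same string, so anyone who reads the file can recognise it. The following audit script is an added example, not part of the original post or of Graylog; the 16-character threshold, the word list, the finding names and the completed MongoDB URI are assumptions of the example.

```python
import hashlib
from urllib.parse import urlsplit

MIN_SECRET_LEN = 16  # assumed threshold for this example, not taken from the page
COMMON_PASSWORDS = ["admin", "graylog", "password", "changeme"]  # constructed list

def sha256_hex(text):
    """Unsalted SHA-256 hex digest, the format root_password_sha2 holds."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def parse_conf(text):
    """Parse 'key = value' lines, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return a sorted list of finding codes for weak settings."""
    findings = set()
    if len(conf.get("password_secret", "")) < MIN_SECRET_LEN:
        findings.add("short_password_secret")
    guessable = {sha256_hex(p) for p in COMMON_PASSWORDS}
    if conf.get("root_password_sha2", "").lower() in guessable:
        findings.add("guessable_root_password")
    mongo_pw = urlsplit(conf.get("mongodb_uri", "")).password
    if mongo_pw in COMMON_PASSWORDS:
        findings.add("guessable_mongodb_password")
    rest = urlsplit(conf.get("rest_listen_uri", ""))
    if rest.scheme == "http" and rest.hostname == "0.0.0.0":
        findings.add("rest_api_http_on_all_interfaces")
    return sorted(findings)

# Constructed sample that mirrors the settings shown above (URI completed for illustration).
SAMPLE_CONF = f"""\
password_secret = password
root_password_sha2 = {sha256_hex('password')}
rest_listen_uri = http://0.0.0.0:12900/
mongodb_uri = mongodb://grayloguser:password@192.168.55.201:27017/graylog2
"""

if __name__ == "__main__":
    print(audit(parse_conf(SAMPLE_CONF)))
```

All four findings fire on the sample; a long random password_secret, a unique admin passphrase, a strong MongoDB password and a REST listener bound to a specific address clear them.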
$ tail /var/log/graylog-server/server.log
2016-03-03T14:17:42.655+08:00 INFO [ServerBootstrap] Ser
2016-03-03T14:17:42.658+08:00 INFO [ServerBootstrap] Gra
Install Graylog web UI and Java OpenJDK:
graylog2-server.uris="http://192.168.55.201:12900/,http:/
application.secret="eb6aebdeedfb2fa05742d8ca733b5a2c"
Our Graylog suite is ready. Let’s configure some inputs so it can start capturing log
streams and messages.
Configuring Inputs
To start capturing syslog data, we have to configure Inputs. Go to Graylog UI >
System / Overview > Inputs. Since we are going to load balance the inputs via
HAProxy, we need to configure the syslog input listeners to be running on TCP
(HAProxy does not support UDP).
On the dropdown menu, choose “Syslog TCP” and click “Launch New Input”. In the
input dialog, configure as follows:
Leave the rest of the options as default and click “Launch”. We have to configure
the syslog port to be higher than 1024 because the Graylog server is running as user
“java”. You need to be root to bind sockets on ports 1024 and below on most *NIX
systems. You could also try to give permission to the local user that runs graylog2-
server to bind to those restricted ports, but usually just choosing a higher port is
the easiest solution.
Once configured, you should notice the Global Input is running as shown in the
following screenshot:
At this point, each Graylog server is now listening on TCP port 51400 for incoming
syslog data. You can start configuring the devices to forward the syslog stream to
the Graylog servers. The following lines show an example of rsyslog.conf
configuration to start forwarding the syslog message to Graylog servers via TCP:
*.* @@192.168.55.201:51400
*.* @@192.168.55.202:51400
*.* @@192.168.55.203:51400
In the above example, rsyslog only sends to the secondary server if the first one
fails. But there is also a neat way to provide a high availability single endpoint with
auto failover using a load balancer. The load balancer performs health checks on the
Graylog servers to verify that the syslog service is alive, and it takes dead
nodes out of the load balancing set.
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats
defaults
    mode http
    log global
    option dontlognull
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
userlist STATSUSERS
    group admin users admin
    user admin insecure-password password
    user stats insecure-password PASSWORD
listen syslog_tcp_514
    bind *:514
    mode tcp
    timeout client 120s
    timeout server 120s
    default-server inter 2s downinter 5s rise 3 fall 2
    server graylog1 192.168.55.201:51400 check
    server graylog2 192.168.55.202:51400 check
    server graylog3 192.168.55.203:51400 check
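What the default-server line above means for failover timing, as an added example that is not part of the original post: a simplified model of HAProxy's rise/fall counters and check intervals, useful for estimating how long a dead Graylog node can stay in the pool. It assumes checks complete instantly and that fastinter is unset, so servers in a transitional state are probed every inter; the function name and the outage times are constructed.

```python
def simulate(outage_start, outage_end, horizon,
             inter=2, downinter=5, rise=3, fall=2):
    """Return (t_marked_down, t_marked_up) in seconds for one backend.

    The backend fails every health check with outage_start <= t < outage_end.
    Defaults mirror: default-server inter 2s downinter 5s rise 3 fall 2
    """
    up = True          # state HAProxy currently assigns to the server
    streak = 0         # consecutive check results that contradict that state
    t = 0
    marked_down = marked_up = None
    while t <= horizon:
        ok = not (outage_start <= t < outage_end)
        if ok == up:
            streak = 0                      # result agrees with current state
        else:
            streak += 1
            if up and streak >= fall:       # 'fall' failures in a row: remove from pool
                up, streak, marked_down = False, 0, t
            elif not up and streak >= rise:  # 'rise' successes in a row: re-admit
                up, streak, marked_up = True, 0, t
        # Fully DOWN servers are probed every downinter; UP and
        # transitional servers every inter (fastinter is not configured).
        t += downinter if (not up and streak == 0) else inter
    return marked_down, marked_up


if __name__ == "__main__":
    # Constructed scenario: a node dies at t=3s and comes back at t=20s.
    down, back = simulate(3, 20, 60)
    print(f"removed from pool at {down}s, re-admitted at {back}s")
    # A blip shorter than two check intervals never evicts the node.
    print(simulate(3, 5, 60))
```

In the constructed scenario the node keeps receiving new connections for about three seconds after it dies, so senders should queue and retry rather than assume delivery during that window.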
Our syslog service is now load balanced between three Graylog servers on TCP
port 514. Next we configure our devices to start sending out syslog messages over
Configuring Syslog TCP Clients
In this example, we are going to use rsyslog on a standard Linux box to forward
syslog messages to the load balanced syslog servers.
*.* @@192.168.55.200:514
We now have a highly available log processing cluster with Graylog, MongoDB
Replica Set, HAProxy and ElasticSearch cluster.
Notes
This setup does not cover high availability for Graylog web UI, HAProxy and
ClusterControl. To achieve a fully resilient setup, we need another
node to serve as the secondary HAProxy and Graylog web UI, with a virtual IP
address using Keepalived.
For ClusterControl redundancy, you have to set up a standby ClusterControl
server to get higher availability.