https://wiki.tsnocode.dev/index.php?action=history&feed=atom&title=Graylog-sidecar_setupGraylog-sidecar setup - Revision history2026-04-11T12:37:12ZRevision history for this page on the wikiMediaWiki 1.37.0https://wiki.tsnocode.dev/index.php?title=Graylog-sidecar_setup&diff=6498&oldid=prevTvi: Skrevet guide fra docs over2022-03-03T13:47:40Z<p>Skrevet guide fra docs over</p>
<p><b>New page</b></p><div>Start i Graylog.<br />
<br />
* Sæt et nyt index op (System > Indices)<br />
* Sæt et nyt Stream op (Streams)<br />
** Tilføj en regel om at <code>filebeat_collector_node_id</code> skal matche <code>node_name</code> (sat længere nede)<br />
** Start stream<br />
* Opret en <code>server_api_token</code> (System > Users and Teams > Sidecar System User (built-in) > Edit tokens)<br />
<br />
Installer sidecar og collector på den nye node<br />
<br />
* Installer graylog-sidecar (original: https://docs.graylog.org/docs/sidecar)<br />
** <code>sudo rpm -Uvh <nowiki>https://packages.graylog2.org/repo/packages/graylog-sidecar-repository-1-2.noarch.rpm</nowiki></code><br />
** <code>sudo yum install graylog-sidecar</code><br />
* Ret opsætningen<br />
** <code>sudo nano /etc/graylog/sidecar/sidecar.yml</code><br />
** Sæt <code>node_name</code> på sidecar.<br />
** Sæt <code>server_url</code> til <nowiki>https://graylog.tempusserva.dk</nowiki><br />
** Sæt <code>server_api_token</code><br />
** Sæt <code>send_status</code> til true<br />
** Tilføj tomcat logs til <code>list_log_files</code> (fx til: “/usr/share/tomcat8/logs/”)<br />
* Sæt graylog-sidecar til at starte automatisk<br />
** <code>sudo graylog-sidecar -service install</code><br />
** <code>sudo systemctl start graylog-sidecar</code> eller <code>sudo /etc/init.d/graylog-sidecar start</code><br />
* Installer filebeat (original: https://www.elastic.co/guide/en/beats/filebeat/7.16/setup-repositories.html#_yum)<br />
** <code>sudo rpm --import <nowiki>https://packages.elastic.co/GPG-KEY-elasticsearch</nowiki></code><br />
* Tilføj repo<br />
** <code>sudo nano /etc/yum.repos.d/elastic.repo</code><br />
** Paste:<br />
*** <code>[elastic-7.x]</code> <code>name=Elastic repository for 7.x packages</code> <code>baseurl=<nowiki>https://artifacts.elastic.co/packages/oss-7.x/yum</nowiki></code> <code>gpgcheck=1</code> <code>gpgkey=<nowiki>https://artifacts.elastic.co/GPG-KEY-elasticsearch</nowiki></code> <code>enabled=1</code> <code>autorefresh=1</code> <code>type=rpm-md</code><br />
* Installer<br />
** <code>sudo yum install filebeat</code><br />
** <code>sudo chkconfig --add filebeat</code><br />
<br />
Giv ny sidecar’s IP adgang til at forbinde, i apache og amazon. (Find med <code>wget -qO - <nowiki>https://icanhazip.com</nowiki>)</code><br />
<br />
Tilføj en Collector i graylog (System > Sidecars > [<code>node_name</code>] > Manage sidecar)<br />
<br />
* Sæt hak ud for Filebeat<br />
* Klik på Configure oppe til højre<br />
* Sæt hak ud for den korrekte config<br />
* Gem.<br />
<br />
Sæt alerts op<br />
<br />
* Filter search-query:<br />
** <code>(message:/.*[A-Za-z0-9]Exception.*/ OR Severity:SEVERE) AND NOT message:"Context is read only" AND NOT message:"SEVERE: null" AND NOT msg:"<" AND NOT msg:/.*(protocol|target|name) \[.*/ AND NOT Thread:/http-nio-.*/ AND NOT msg:/Failed to start connector.*/ AND NOT msg:/Invalid Addresses/ AND NOT msg:/com.sun.mail.smtp.SMTPAddressFailedException: 450 4.7.1.*/</code></div>Tvi