Elasticsearch：用于日志索引、存储和分析(消耗内存和磁盘)
Graylog：数据处理,日志展示,日志报警等(消耗CPU,相当于Logstash+Kibana+报警系统)
filebeat：轻量级日志采集工具
sidecar：管理,监控和配置filebeat
mongodb：存储graylog的配置

Syslog (TCP, UDP, AMQP, Kafka)
GELF (TCP, UDP, AMQP, Kafka, HTTP)
AWS (AWS Logs, FlowLogs, CloudTrail)
Beats/Logstash
CEF (TCP, UDP, AMQP, Kafka)
JSON Path from HTTP API
Netflow (UDP)
Plain/Raw Text (TCP, UDP, AMQP, Kafka)

is_master = true 
password_secret = <secret>
root_username = admin
root_password_sha2 = <SHA2>
root_timezone = +08:00
http_bind_address = 192.168.10.13:9000
http_publish_uri = http://192.168.10.13:9000/
web_listen_uri = http://192.168.10.13:9000/
rest_listen_uri = http://192.168.10.13:9000/api/
elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200
mongodb_uri = mongodb://localhost/graylog,mongodb://grayloguser:secret@localhost:27017/graylog,mongodb_uri = mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog?replicaSet=rs01

is_master：若运行多个graylog(或集群),则必须指定一个master节点
password_secret：多个server之间认证,对密码进行加盐处理,若多个server,则都要配置一样的(pwgen -N 1 -s 96 生成)
root_username：默认root用户登录密码
root_password_sha2：登陆密码sha2加密,改密码不能再web上更改,只能再此处修改(echo -n "password" && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1 生成) 
http_bind_address：server监听地址
http_publish_uri：server对公开地址(web能够访问地址)
elasticsearch_hosts：es集群地址
mongodb_uri：mongodb集群地址
root_timezone：设置集群时区
rest_listen_uri：接受Graylog Collector Sidecar发送的心跳信息地址
web_listen_uri：graylog-web访问地址

vim /etc/sysctl.conf
vm.swappiness = 1
vm.max_map_count = 655360
sysctl -p 

docker run --name mongo -d mongo:3
docker run --name elasticsearch -e "http.host=0.0.0.0" -e "ES_JAVA_OPTS=-Xms4096m -Xmx4096m" -d docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.5
docker run --name graylog --link mongo --link elasticsearch     -p 9000:9000 -p 12201:12201 -p 1514:1514     -e GRAYLOG_HTTP_EXTERNAL_URI="http://192.168.1.10:9000/"  -e GRAYLOG_HTTP_PUBLISH_URI="http://192.168.1.10:9000/"   -d graylog/graylog:3.2

http://192.168.1.10:9000/
默认密码：admin,admin

rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-sidecar-repository-1-2.noarch.rpm
yum install graylog-sidecar -y

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.2-x86_64.rpm
yum install -y filebeat-7.6.2-x86_64.rpm

获取server_api_token：  system --> sidecars --> "Create or reuse a token for the graylog-sidecar user"

输入token名称(graylog-sidecar)  --> create token --> Copy to cliboard(1ki9t9c2ofu7fka2kkb5uo5vm8ggirlmm5e2df00rrs0jec1nbut)

System --> Inputs --> Beats --> Launch new input -->选择node(Node/85517427) --> 填写Title(pods-logs) --> port(1514/启动graylog暴露的端口号) --> TCP keepalive(选中该选项) --> Do not add Beats type as prefix(去掉多余的前缀)

System --> Sidecars --> Configuration --> Clone(filebeat/linux一行点击moreactions) --> edit(选择新clone的collector) --> Name(collector名称) --> 修改日志路径和output端口号 -->Update

System --> Sidecars --> Configuration --> Createfiguration --> Name --> 选择颜色(用于区别配置文件) --> 选择刚才创建的collector --> 查看配置文件是否正确 --> 点击Create

server_url: "http://192.168.1.10:9000/api/"
server_api_token: "1ki9t9c2ofu7fka2kkb5uo5vm8ggirlmm5e2df00rrs0jec1nbut"
send_status: true
log_rotate_max_file_size:"10MiB"
log_rotate_keep_files: 10

server_url：server web地址
server_api_token：用于授权访问graylog api的token(填写刚才web界面获取到的token)
send_status：发送采集器状态给graylog
log_rotate_max_file_size：sidecar自身日志切割(默认10M切割一次)
log_rotate_keep_files：日志保留分数(默认保留十份)

graylog-sidecar -service install
systemctl start graylog-sidecar

System --> Sidecars -->Administration --> pods-logs(左边选择该节点要应用的collector) --> Configure(右边选项选择pods-logs配置) --> Confirm(弹窗点击该按钮)

在/var/log/containers 下创建两个文件tomcat-base-service.log，springboot-base-api.log
tomcat-base-service.log 写入 "tomcat base服务程序日志监控正常"
往springboot-base-api.log写入"springboot api程序日志监控正常"

echo "tomcat base服务程序日志监控正常" >tomcat-base-service.log
echo "springboot api程序日志监控正常" >springboot-base-api.log