Updated 2024/11/21 · Reading time: about 10 minutes

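Log management and backup with Graylog and OpenSearch

A recent project needed a logging tool. Weighing performance, quick setup and cost, I decided to use Graylog & OpenSearch.

Creating Graylog and OpenSearch

1. The official Docker yaml file is enough to get everything running quickly, but because of the backup requirement, OpenSearch needs an added snapshot setting.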

version: '3'
services:
  opensearch:
    image: "opensearchproject/opensearch:2.15.0"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
      - "discovery.type=single-node"
      - "path.repo=/home/mmsd/graylog" # snapshot path
      # Security plugin off: the REST API is served without authentication or TLS
      - "plugins.security.disabled=true"
    ulimits:
      memlock:
        hard: -1
        soft: -1
    ports:
      # Published on all host interfaces; "127.0.0.1:9203:9200" keeps the API local to the host
      - "9203:9200"
      - "9303:9300"
    volumes:
      - "opensearch:/usr/share/opensearch/data" # data volume
      - "/path/on/host/graylog:/home/mmsd/graylog" # snapshot storage path
volumes:
  opensearch:

2. Start the Docker container

docker compose up -d

Manual log backup

1. Once the Docker container is up, create the snapshot repository

curl -X PUT "http://localhost:9203/_snapshot/my_backup" -H 'Content-Type: application/json' -d'
{
"type": "fs",
"settings": {
"location": "/home/mmsd/graylog",
"compress": true
}
}'
  • If you get the error {"error":{"root_cause":[{"type":"exception","reason":"failed to create blob container"}],"type":"repository_verification_exception","reason":"[my_backup] path is not accessible on cluster-manager node","caused_by":{"type":"exception","reason":"failed to create blob container","caused_by":{"type":"access_denied_exception","reason":"/usr/share/opensearch/snapshot/tests-G5Qo2ODjTz6wqjlTiKsRDw"}}},"status":500}, it is usually because the container does not have enough permission on that path; see "Fixing insufficient permissions" below.

2. Create a snapshot

curl -X PUT "http://localhost:9203/_snapshot/my_backup/snapshot_1"

3. Confirm the snapshot is configured correctly

curl -X GET "http://localhost:9203/_snapshot/my_backup?pretty"

4. Confirm the generated snapshot files are visible in the /path/on/host/graylog directory

ls /path/on/host/graylog

5. Back up the index

curl -X PUT "http://localhost:9203/_snapshot/my_backup/graylog_backup_$(date +%Y%m%d%H%M%S)?wait_for_completion=true" -H 'Content-Type: application/json' -d'
{
"indices": "graylog_0",
"ignore_unavailable": true,
"include_global_state": false
}'

6. Delete the index that has been backed up

curl -X DELETE "http://localhost:9203/graylog_0?pretty"

Recover Log data

1. Close the index

curl -X POST "http://localhost:9203/graylog_0/_close?pretty"

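2. Recover Log data

# Replace graylog_backup with the full name of the snapshot to restore (the manual backup in step 5 creates graylog_backup_<timestamp>)
curl -X POST "http://localhost:9203/_snapshot/my_backup/graylog_backup/_restore" -H 'Content-Type: application/json' -d'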
{
"indices": "graylog_0"
}'

3. Reopen the index

curl -X POST "http://localhost:9203/graylog_0/_open?pretty"

Automatic backup

1. Create a shell script

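#!/bin/bash

LOG=/var/log/opensearch_backup.log

# Back up the indices (-f makes curl return non-zero on an HTTP error status)
response=$(curl -fsS -X PUT "http://localhost:9203/_snapshot/my_backup/backup_$(date +%Y%m%d)?wait_for_completion=true" -H 'Content-Type: application/json' -d'
{
"indices": "graylog_*",
"ignore_unavailable": true,
"include_global_state": false
}')

# Stop before the delete unless the snapshot finished with state SUCCESS
if [ $? -ne 0 ] || ! echo "$response" | grep -q '"state" *: *"SUCCESS"'; then
  echo "$(date): Backup failed, index not deleted." >> "$LOG"
  exit 1
fi

# Delete the index
curl -X DELETE "http://localhost:9203/graylog_0?pretty"

# Log
echo "$(date): Backup and deletion completed." >> "$LOG"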

2. Set up the cron job

crontab -e
0 2 * * * /path/to/backup_script.sh
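
The backup requests in the manual and automatic sections set "ignore_unavailable": true, so a snapshot can finish with state SUCCESS without containing the index that the next step deletes. The check below is an added example, not part of the original post: it reads the create-snapshot response and approves deletion only when the named index was actually captured. The function name safe_to_delete, the stdin/argv interface and the sample responses are assumptions constructed for illustration.

```python
import json
import sys


def safe_to_delete(response_text, index):
    """Decide whether `index` may be deleted after a snapshot request.

    response_text: body returned by PUT _snapshot/<repo>/<name> when called
    with wait_for_completion=true. Returns (ok, reason).
    """
    try:
        snap = json.loads(response_text)["snapshot"]
    except (ValueError, KeyError, TypeError):
        # Error bodies (e.g. repository_verification_exception) carry an
        # "error" object and no "snapshot" object.
        return False, "no snapshot object in response"
    if not isinstance(snap, dict):
        return False, "no snapshot object in response"
    if snap.get("state") != "SUCCESS":
        return False, "snapshot state is %s" % snap.get("state")
    shards = snap.get("shards")
    if not isinstance(shards, dict) or shards.get("failed") != 0:
        return False, "snapshot reports failed shards"
    # "ignore_unavailable": true skips missing indices silently, so SUCCESS
    # alone does not prove that this index was captured.
    if index not in (snap.get("indices") or []):
        return False, "%s is not in the snapshot" % index
    return True, "ok"


def _sample(indices, state, failed):
    # Constructed sample response (not captured from a real cluster).
    return json.dumps({"snapshot": {
        "snapshot": "backup_20241121", "indices": indices, "state": state,
        "shards": {"total": 1, "failed": failed, "successful": 1 - failed}}})


SAMPLE_OK = _sample(["graylog_0"], "SUCCESS", 0)
SAMPLE_PARTIAL = _sample(["graylog_0"], "PARTIAL", 1)
SAMPLE_SKIPPED = _sample(["graylog_1"], "SUCCESS", 0)  # graylog_0 was missing
SAMPLE_ERROR = '{"error":{"type":"repository_verification_exception"},"status":500}'

if __name__ == "__main__":
    # Usage: curl ... | python3 <this file> graylog_0
    ok, reason = safe_to_delete(sys.stdin.read(), sys.argv[1])
    print(reason, file=sys.stderr)
    sys.exit(0 if ok else 1)
```

Piping the output of the snapshot curl call into this script and running the DELETE only when it exits 0 keeps an index from being removed after a partial, failed or empty backup.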

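Fixing insufficient permissions

Troubleshooting and resolution

1. Check the permissions of the host directory

Because you are using the bind mount /path/on/host/graylog:/home/mmsd/graylog, the permissions of the host directory may restrict what OpenSearch can do.

Run the following command to check the owner and permissions of the directory: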

ls -ld /path/on/host/graylog

Suppose the output looks like this:

drwxr-xr-x 2 root root 4096 Nov 21 14:00 /path/on/host/graylog

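As you can see, the directory belongs to root, while OpenSearch inside the Docker container does not run as root by default, so it cannot write to it.

2. Change the permissions of the host directory

Give the container's user write permission on the directory:

  • Change the owner of the directory: find the UID and GID of the OpenSearch user inside the container, then change the owner of the host path: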
docker exec -it <opensearch_container_id> id

The output looks like:

uid=1000 gid=1000(opensearch)

Run on the host:

sudo chown -R 1000:1000 /path/on/host/graylog

3. Restart the OpenSearch container

After changing the permissions, restart the container:

docker compose restart opensearch

4. Re-create the snapshot repository

Run the API request again to create the snapshot repository:

curl -X PUT "http://localhost:9203/_snapshot/my_backup" -H 'Content-Type: application/json' -d'
{
"type": "fs",
"settings": {
"location": "/home/mmsd/graylog",
"compress": true
}
}'
© 2025 vocus All rights reserved.