@kwmonroe
Last active June 13, 2019 15:23
Graylog and CDK

With our Kubernetes cluster deployed, we need to add all the applications required for Graylog:

juju deploy bionic/graylog --constraints mem=7G
juju deploy bionic/elasticsearch --constraints mem=7G
juju deploy bionic/apache2
juju deploy bionic/filebeat
juju deploy bionic/mongodb

Now that all the software is deployed, connect the applications together so they can communicate:

juju relate apache2:reverseproxy graylog:website
juju relate graylog:elasticsearch elasticsearch:client
juju relate graylog:mongodb mongodb:database
juju relate filebeat:beats-host kubernetes-master:juju-info
juju relate filebeat:beats-host kubernetes-worker:juju-info
juju relate filebeat:logstash graylog:beats

At this point, all the applications can communicate with each other, but we have a bit more configuration to do:

juju config apache2 enable_modules="headers proxy_html proxy_http"
juju config apache2 vhost_http_template="$(base64 <vhost-tmpl>)"
juju config filebeat kube_logs=True

A sample reverse proxy template can be found at https://raw.githubusercontent.com/conjure-up/spells/master/charmed-kubernetes/addons/graylog/steps/01_install-graylog/graylog-vhost.tmpl.

Finally, you’ll want to expose apache2 to make the web interface accessible:

juju expose apache2

Now that we have everything deployed, related, configured, and exposed, you'll need to know the IP address and admin password so you can log in:

juju status --format yaml apache2/0 | grep public-address
    public-address: <your-apache2-ip>
juju run-action --wait graylog/0 show-admin-password
    admin-password: <your-graylog-password>

Browse to http://<your-apache2-ip> and log in with admin as the username and <your-graylog-password> as the password. Note: if the interface is not immediately available, please wait, as the reverse proxy configuration may take up to 5 minutes to complete.

Once logged in, head to the Sources tab to get an overview of the logs collected from our K8s master and workers:

[Screenshot: Graylog Sources overview]

Drill into those logs by clicking the System / Inputs tab and selecting Show received messages for the filebeat input. An example message from the CDK audit log looks like this:

[Screenshot: example CDK audit log message]

Another example, showing the details of an influxdb container log:

[Screenshot: influxdb container log details]

From here, you may want to play around with various filters or set up Graylog dashboards to help identify the events that are most important to you. Check out the Graylog Dashboard docs for details on customizing your view.
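
As a starting point for such filters, here is an added example (not part of the original gist, and not Graylog or charm code) that triages Kubernetes audit log lines of the kind filebeat ships. The sample lines are constructed, the three rules and their names are assumptions chosen for illustration, and the field names follow the Kubernetes audit Event JSON format.

```python
import json

# Constructed sample lines in the Kubernetes audit Event JSON format
# (audit.k8s.io); users, IPs and audit IDs are made up for illustration.
SAMPLE_LINES = [
    '{"auditID":"a1","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous"},'
    '"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"pods"},"responseStatus":{"code":403}}',
    '{"auditID":"a2","stage":"RequestReceived","verb":"list","user":{"username":"alice"},'
    '"objectRef":{"resource":"secrets","namespace":"kube-system"}}',
    '{"auditID":"a2","stage":"ResponseComplete","verb":"list","user":{"username":"alice"},'
    '"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}',
    '{"auditID":"a3","stage":"ResponseComplete","verb":"get","user":{"username":"system:kube-controller-manager"},'
    '"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":200}}',
    '{"auditID":"a4","stage":"ResponseComplete","verb":"create","user":{"username":"admin"},'
    '"objectRef":{"resource":"deployments","namespace":"default"},"responseStatus":{"code":201}}',
    '{"auditID":"a5","stage":"Respons',  # truncated line (constructed) to exercise the error path
]
READ_VERBS = {"get", "list", "watch"}

def classify(event):
    """Return the reasons (hypothetical rule names) an audit event deserves a look."""
    user = (event.get("user") or {}).get("username", "")
    ref = event.get("objectRef") or {}
    code = (event.get("responseStatus") or {}).get("code")
    reasons = []
    if user == "system:anonymous":
        reasons.append("anonymous-request")
    if code in (401, 403):
        reasons.append("denied")
    # Secrets read by a non-system identity; system components read them routinely.
    if ref.get("resource") == "secrets" and event.get("verb") in READ_VERBS \
            and not user.startswith("system:"):
        reasons.append("secret-read-by-user")
    return reasons

def triage(lines):
    """Return (findings, skipped): flagged (auditID, user, reasons) and unparsable line count."""
    findings, skipped = [], 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        # One request is logged at several stages; score only the final one.
        if not isinstance(event, dict) or event.get("stage") != "ResponseComplete":
            continue
        reasons = classify(event)
        if reasons:
            user = (event.get("user") or {}).get("username", "")
            findings.append((event.get("auditID"), user, reasons))
    return findings, skipped

if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```

The same three conditions can be expressed as saved searches or dashboard widgets in Graylog once you know which fields your input extracts from the audit message.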
