Centralized logging using Graylog

Scenario

Consider an environment with a large number of servers. Whenever an issue is reported, you have to log in to each server by hand and read its logs to troubleshoot it. Searching for a particular error across hundreds of log files on hundreds of servers becomes painful as the environment grows. Moreover, there is no way to be alerted when an error or abnormal activity appears in a log file until the application team reports the problem or the service becomes unavailable.

Solution

A common approach to this problem is to set up a centralized logging solution so that logs from many systems are aggregated in one place. The advantage is not just having the logs in one location, but gaining better insight into what each system is doing at any point in time. Custom log formats can be parsed with grok patterns or regular expressions to extract fields. Segregating the logs by field lets you slice and dice the log data, which in turn supports many kinds of analysis. Centralized logging plays a major role in operations troubleshooting and analysis.


What we will do

In this article, we will walk through the end-to-end setup and implementation of Graylog. We will be integrating:

  • syslog from all the servers into Graylog
  • nginx access and error logs into Graylog
  • Apache logs into Graylog
  • MySQL slow query log into Graylog
  • setting up GeoIP lookups to resolve client IP addresses
  • setting up alerts based on conditions
  • setting up user access control by creating roles
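Two of the items above, field extraction from nginx access logs and condition-based alerting, are illustrated by the following added example (not code from the original article or from Graylog itself). It uses a regular expression equivalent to the common "combined" grok pattern, counts lines that fail to parse so broken patterns are noticed, and flags any client producing repeated HTTP 5xx responses; the sample log lines are constructed, and the threshold of 2 is an assumption.

```python
import re
from collections import Counter

# Constructed sample nginx access log lines (combined format); not from a real server.
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.88"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 403 153 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    'garbage line that does not match',
]

# Regex equivalent of the nginx/apache "combined" grok pattern; named groups become fields.
ACCESS_RE = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

def parse_access_line(line):
    """Return a dict of fields for one access log line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    fields["bytes"] = 0 if fields["bytes"] == "-" else int(fields["bytes"])
    return fields

def parse_all(lines):
    """Parse many lines; unparsed lines are counted so pattern failures stay visible."""
    parsed, unparsed = [], 0
    for line in lines:
        fields = parse_access_line(line)
        if fields is None:
            unparsed += 1
        else:
            parsed.append(fields)
    return parsed, unparsed

def server_error_alerts(events, threshold=2):
    """Alert condition (assumed): a client_ip producing >= threshold HTTP 5xx responses."""
    counts = Counter(e["client_ip"] for e in events if 500 <= e["status"] < 600)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    events, bad = parse_all(SAMPLE_LINES)
    print(f"parsed={len(events)} unparsed={bad}")
    print(server_error_alerts(events))
```

In Graylog the same split into fields would be done by an extractor or pipeline rule, and the alert by an event definition over the extracted status field.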

Read the full article here

