ELK 日志系统实战:集中化日志管理的完整方案
随着服务器数量增长,分散在各个服务器上的日志越来越难以管理。ELK(Elasticsearch + Logstash + Kibana)是业界最流行的日志收集和分析解决方案。本文详细介绍 ELK 系统的搭建和优化实践。
一、ELK 架构介绍
- Elasticsearch:分布式搜索引擎,负责存储和索引日志
- Logstash:数据收集和处理管道
- Kibana:可视化分析界面
- Beats:轻量级数据采集器(Filebeat、Metricbeat 等)
二、环境准备
# 安装 Java(Elasticsearch 需要) sudo apt update sudo apt install openjdk-11-jdk # 验证安装 java -version
三、安装 Elasticsearch
# 添加 Elasticsearch 仓库 wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list # 安装 Elasticsearch sudo apt update sudo apt install elasticsearch # 配置 Elasticsearch sudo vim /etc/elasticsearch/elasticsearch.yml cluster.name: my-logs node.name: node-1 network.host: 0.0.0.0 http.port: 9200 discovery.type: single-node # 启动 Elasticsearch sudo systemctl start elasticsearch sudo systemctl enable elasticsearch # 验证安装 curl http://localhost:9200
四、安装 Logstash
# 安装 Logstash
sudo apt install logstash
# 配置 Logstash(输入 - 过滤 - 输出)
sudo vim /etc/logstash/conf.d/syslog.conf
input {
beats {
port => 5044
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}" }
}
date {
match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "syslog-%{+YYYY.MM.dd}"
}
}
# 启动 Logstash
sudo systemctl start logstash
sudo systemctl enable logstash
五、安装 Kibana
# 安装 Kibana sudo apt install kibana # 配置 Kibana sudo vim /etc/kibana/kibana.yml server.host: "0.0.0.0" server.port: 5601 elasticsearch.hosts: ["http://localhost:9200"] # 启动 Kibana sudo systemctl start kibana sudo systemctl enable kibana # 访问 Kibana:http://localhost:5601
六、安装 Filebeat(客户端)
# 在每台需要收集日志的服务器上安装 Filebeat
sudo apt install filebeat
# 配置 Filebeat
sudo vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/syslog
- /var/log/auth.log
fields:
type: syslog
fields_under_root: true
output.logstash:
hosts: ["logstash-server:5044"]
# 启动 Filebeat
sudo systemctl start filebeat
sudo systemctl enable filebeat
七、Nginx 日志收集配置
# 修改 Nginx 日志格式为 JSON
http {
log_format json_combined escape=json '{'
'"time_local":"$time_local",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"status": "$status",'
'"body_bytes_sent":"$body_bytes_sent",'
'"request_time":"$request_time",'
'"http_referrer":"$http_referer",'
'"http_user_agent":"$http_user_agent"'
'}';
access_log /var/log/nginx/access.log json_combined;
}
# Filebeat 配置
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
json.keys_under_root: true
json.add_error_key: true
fields:
type: nginx
八、Kibana 仪表盘配置
- 访问 Kibana:http://localhost:5601
- 进入 Management -> Stack Management -> Index Patterns
- 创建索引模式:syslog-* 或 nginx-*
- 选择时间字段:@timestamp
- 进入 Discover 页面查看日志
- 创建可视化图表和仪表盘
九、日志查询示例
# Kibana Query Language(KQL) status:500 # 查询状态码 500 response_time:>1 # 查询响应时间大于 1 秒 remote_addr:"192.168.1.1" # 查询特定 IP message:*error* # 查询包含 error 的日志
十、性能优化
1. Elasticsearch 优化
# 配置 JVM 堆内存 sudo vim /etc/elasticsearch/jvm.options -Xms4g -Xmx4g # 设置为物理内存的 50% # 设置刷新间隔 index.refresh_interval: 30s
2. Logstash 优化
# 增加管道工作线程数 pipeline.workers: 4 pipeline.batch.size: 125 pipeline.batch.delay: 50
3. 使用 Kafka 作为缓冲
input {
kafka {
bootstrap_servers => "localhost:9092"
topics => ["logs"]
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
}
}
十一、日志告警
# 使用 ElastAlert 实现日志告警
pip install elastalert
# 配置告警规则
vim /etc/elastalert/rules/error_alert.yaml
name: Error Alert
type: frequency
index: syslog-*
num_events: 10
timeframe:
minutes: 5
filter:
- term:
level: "error"
alert:
- "email"
email:
- "admin@example.com"
十二、日志归档与清理
# 配置 ILM(索引生命周期管理)
PUT _ilm/policy/logs_policy
{
"policy": {
"phases": {
"hot": {
"actions": {
"rollover": {
"max_size": "50GB",
"max_age": "1d"
}
}
},
"warm": {
"min_age": "7d",
"actions": {
"forcemerge": {
"max_num_segments": 1
}
}
},
"delete": {
"min_age": "30d",
"actions": {
"delete": {}
}
}
}
}
}
总结
ELK 日志系统是集中化日志管理的强大工具。通过合理配置 Elasticsearch、Logstash、Kibana 和 Filebeat,可以构建一个完整的日志收集、存储、分析和可视化平台。建议根据实际需求进行性能优化和容量规划,确保系统稳定运行。