内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
风哥提示:
本文档介绍大规模日志管理平台的搭建方法。
Part01-ELK Stack部署
1.1 安装Elasticsearch
[root@elk-master ~]# cat > /etc/yum.repos.d/elasticsearch.repo << 'EOF'
[elasticsearch]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
# 安装Elasticsearch
[root@elk-master ~]# dnf install -y elasticsearch
Updating Subscription Management repositories.
Last metadata expiration check: 0:05:23 ago on Fri Apr 4 14:35:00 2026.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
elasticsearch x86_64 8.8.0-1 elasticsearch 500 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 500 M
Installed size: 1.0 G
Downloading Packages:
elasticsearch-8.8.0-1.x86_64.rpm 50 MB/s | 500 MB 00:10
--------------------------------------------------------------------------------
Total 50 MB/s | 500 MB 00:10
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: elasticsearch-8.8.0-1.x86_64.rpm 1/1
Installing : elasticsearch-8.8.0-1.x86_64.rpm 1/1
Running scriptlet: elasticsearch-8.8.0-1.x86_64.rpm 1/1
Verifying : elasticsearch-8.8.0-1.x86_64.rpm 1/1
Installed:
elasticsearch-8.8.0-1.x86_64
Complete!
# 配置Elasticsearch
[root@elk-master ~]# cat > /etc/elasticsearch/elasticsearch.yml << 'EOF'
cluster.name: elk-cluster
node.name: elk-master
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
cluster.initial_master_nodes: ["elk-master"]
xpack.security.enabled: false
xpack.security.enrollment.enabled: false
xpack.security.http.ssl.enabled: false
xpack.security.transport.ssl.enabled: false
EOF
# 注意:上面 network.host 为 0.0.0.0 且关闭了 xpack.security,HTTP(9200)和节点间传输都会无认证、无加密地暴露给所有可达网络,仅适用于隔离的测试环境;生产环境应保持 xpack.security.enabled: true 并启用 TLS,或至少用防火墙限制访问来源。
# 调整JVM内存
[root@elk-master ~]# sed -i 's/-Xms1g/-Xms4g/' /etc/elasticsearch/jvm.options
[root@elk-master ~]# sed -i 's/-Xmx1g/-Xmx4g/' /etc/elasticsearch/jvm.options
# 启动Elasticsearch
[root@elk-master ~]# systemctl enable --now elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /usr/lib/systemd/system/elasticsearch.service.
# 验证Elasticsearch
[root@elk-master ~]# curl http://localhost:9200
{
  "name" : "elk-master",
  "cluster_name" : "elk-cluster",
  "cluster_uuid" : "12345678-90ab-cdef-1234-567890abcdef",
  "version" : {
    "number" : "8.8.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "1234567890abcdef",
    "build_date" : "2026-04-01T00:00:00.000000000Z",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
# 查看集群状态
[root@elk-master ~]# curl http://localhost:9200/_cluster/health?pretty
{
  "cluster_name" : "elk-cluster",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 0,
  "active_shards" : 0,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
1.2 安装Logstash
[root@elk-master ~]# dnf install -y logstash
Updating Subscription Management repositories.
Last metadata expiration check: 0:05:23 ago on Fri Apr 4 14:40:00 2026.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
logstash noarch 8.8.0-1 elasticsearch 300 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 300 M
Installed size: 600 M
Downloading Packages:
logstash-8.8.0-1.noarch.rpm 30 MB/s | 300 MB 00:10
--------------------------------------------------------------------------------
Total 30 MB/s | 300 MB 00:10
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : logstash-8.8.0-1.noarch 1/1
Running scriptlet: logstash-8.8.0-1.noarch 1/1
Verifying : logstash-8.8.0-1.noarch 1/1
Installed:
logstash-8.8.0-1.noarch
Complete!
# 配置Logstash管道(注意:下面的 tcp/udp 514 是 1024 以下的特权端口,Logstash 若以非 root 的 logstash 服务用户运行将无法绑定;可改用高位端口,或为服务授予 CAP_NET_BIND_SERVICE)
[root@elk-master ~]# cat > /etc/logstash/conf.d/syslog.conf << 'EOF'
input {
beats {
port => 5044
}
tcp {
port => 514
type => syslog
}
udp {
port => 514
type => syslog
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGBASE2}" }
}
date {
match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
if [type] == "nginx-access" {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {
match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
if [type] == "mysql-slow" {
grok {
match => { "message" => "^# User@Host: %{USER:user}\[%{USER:user2}\] @ %{HOSTNAME:hostname} \[%{IP:ip}\]" }
}
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "logstash-%{type}-%{+YYYY.MM.dd}"
}
if "_grokparsefailure" in [tags] {
file {
path => "/var/log/logstash/grokparsefailure.log"
}
}
}
EOF
# 启动Logstash
[root@elk-master ~]# systemctl enable --now logstash
Created symlink /etc/systemd/system/multi-user.target.wants/logstash.service → /usr/lib/systemd/system/logstash.service.
# 验证Logstash
[root@elk-master ~]# systemctl status logstash
● logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled; preset: disabled)
Active: active (running) since Fri 2026-04-04 14:45:00 CST; 10s ago
Main PID: 12345 (java)
Tasks: 20 (limit: 11232)
Memory: 500.0M
CGroup: /system.slice/logstash.service
└─12345 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC …
Part02-Kibana可视化
2.1 安装Kibana
[root@elk-master ~]# dnf install -y kibana
Updating Subscription Management repositories.
Last metadata expiration check: 0:05:23 ago on Fri Apr 4 14:45:00 2026.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
kibana x86_64 8.8.0-1 elasticsearch 200 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 200 M
Installed size: 400 M
Downloading Packages:
kibana-8.8.0-1.x86_64.rpm 20 MB/s | 200 MB 00:10
--------------------------------------------------------------------------------
Total 20 MB/s | 200 MB 00:10
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: kibana-8.8.0-1.x86_64.rpm 1/1
Installing : kibana-8.8.0-1.x86_64.rpm 1/1
Running scriptlet: kibana-8.8.0-1.x86_64.rpm 1/1
Verifying : kibana-8.8.0-1.x86_64.rpm 1/1
Installed:
kibana-8.8.0-1.x86_64
Complete!
# 配置Kibana(注意:server.host 为 0.0.0.0 且上游 Elasticsearch 已关闭 xpack.security,Kibana 的 5601 端口将无需登录即可访问;生产环境应启用认证并用防火墙限制访问来源)
[root@elk-master ~]# cat > /etc/kibana/kibana.yml << 'EOF'
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
kibana.index: ".kibana"
i18n.locale: "zh-CN"
EOF
# 启动Kibana
[root@elk-master ~]# systemctl enable --now kibana
Created symlink /etc/systemd/system/multi-user.target.wants/kibana.service → /usr/lib/systemd/system/kibana.service.
# 验证Kibana
[root@elk-master ~]# curl http://localhost:5601/api/status | jq
{
"name": "elk-master",
"uuid": "12345678-90ab-cdef-1234-567890abcdef",
"version": {
"number": "8.8.0",
"build_hash": "1234567890abcdef",
"build_number": 12345,
"build_snapshot": false
},
"status": {
"overall": {
"level": "available",
"summary": "All services are available"
}
}
}
2.2 配置Filebeat
[root@web-server ~]# dnf install -y filebeat
Updating Subscription Management repositories.
Last metadata expiration check: 0:05:23 ago on Fri Apr 4 14:50:00 2026.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
filebeat x86_64 8.8.0-1 elasticsearch 20 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 20 M
Installed size: 50 M
Downloading Packages:
filebeat-8.8.0-1.x86_64.rpm 10 MB/s | 20 MB 00:02
--------------------------------------------------------------------------------
Total 10 MB/s | 20 MB 00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : filebeat-8.8.0-1.x86_64.rpm 1/1
Running scriptlet: filebeat-8.8.0-1.x86_64.rpm 1/1
Verifying : filebeat-8.8.0-1.x86_64.rpm 1/1
Installed:
filebeat-8.8.0-1.x86_64
Complete!
# 配置Filebeat(注意:下面的 output.logstash 未配置 ssl,日志将明文传输到 192.168.1.10:5044,后面的 filebeat test output 也会提示 "secure connection disabled";生产环境建议在 output.logstash 下启用 TLS)
[root@web-server ~]# cat > /etc/filebeat/filebeat.yml << 'EOF'
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/messages
fields:
type: syslog
fields_under_root: true
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
fields:
type: nginx-access
fields_under_root: true
- type: log
enabled: true
paths:
- /var/log/nginx/error.log
fields:
type: nginx-error
fields_under_root: true
output.logstash:
hosts: ["192.168.1.10:5044"]
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
EOF
# 启动Filebeat
[root@web-server ~]# systemctl enable --now filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.
# 验证Filebeat
[root@web-server ~]# filebeat test output
logstash: 192.168.1.10:5044...
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.1.10
dial up... OK
TLS... WARN secure connection disabled
talk to server... OK
Part03-日志分析实战
3.1 创建索引模式
[root@elk-master ~]# curl -X POST "http://localhost:5601/api/saved_objects/index-pattern" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"attributes": {
"title": "logstash-*",
"timeFieldName": "@timestamp"
}
}'
{
"id": "logstash-*",
"type": "index-pattern",
"attributes": {
"title": "logstash-*",
"timeFieldName": "@timestamp"
}
}
# 查看索引
[root@elk-master ~]# curl http://localhost:9200/_cat/indices?v
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open logstash-syslog-2026.04.04 12345678-90ab-cdef-12 1 0 1000 0 1.2mb 1.2mb
green open logstash-nginx-access-2026.04.04 12345678-90ab-cdef-34 1 0 5000 0 5.0mb 5.0mb
green open .kibana_1 12345678-90ab-cdef-56 1 0 10 0 100.0kb 100.0kb
# 搜索日志
[root@elk-master ~]# curl -X GET "http://localhost:9200/logstash-*/_search?pretty" \
-H "Content-Type: application/json" \
-d '{
"query": {
"match": {
"message": "error"
}
},
"size": 5
}'
{
"took" : 10,
"timed_out" : false,
"_shards" : {
"total" : 2,
"successful" : 2,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 100,
"relation" : "eq"
},
"max_score" : 5.0,
"hits" : [
{
"_index" : "logstash-syslog-2026.04.04",
"_id" : "1234567890",
"_score" : 5.0,
"_source" : {
"message" : "error: something went wrong",
"@timestamp" : "2026-04-04T14:50:00.000Z"
}
}
]
}
}
- 使用ELK Stack集中管理日志
- 配置合理的日志轮转策略
- 创建有用的索引模式
- 设置日志告警规则
- 定期清理历史日志
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
