
Linux教程FG375-日志收集系统部署

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

风哥提示:

本文档介绍日志收集系统的部署和配置方法。

Part01-ELK Stack部署

1.1 安装Elasticsearch

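# Import the Elastic GPG signing key.
# The option is "--import" (two ASCII hyphens); the en-dash that crept into the original
# makes rpm treat "–import" as a package file name and the import never happens.
[root@elk ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

# Configure the YUM repository. gpgcheck=1 makes dnf verify every package against the
# key imported above, so keep it on.
[root@elk ~]# cat > /etc/yum.repos.d/elasticsearch.repo << 'EOF'
[elasticsearch]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

# Install Elasticsearch
[root@elk ~]# dnf install -y elasticsearch

# Configure Elasticsearch.
# WARNING (lab use only): the four xpack.security.* lines below switch off authentication
# and TLS on both the HTTP port (9200) and the transport port (9300), and
# network.host: 0.0.0.0 binds both ports on every interface. Anyone who can reach 9200 can
# read, alter or delete every index without credentials. Logstash and Kibana in this guide
# both connect to localhost:9200, so on a single-host lab you can bind to 127.0.0.1 instead;
# on any shared network keep the 8.x default (security enabled) or firewall 9200/9300.
[root@elk ~]# cat > /etc/elasticsearch/elasticsearch.yml << 'EOF'
cluster.name: elk-cluster
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["192.168.1.10"]
cluster.initial_master_nodes: ["node-1"]
# Security disabled for the lab walkthrough only — see the warning above.
xpack.security.enabled: false
xpack.security.enrollment.enabled: false
xpack.security.http.ssl.enabled: false
xpack.security.transport.ssl.enabled: false
EOF

# Fix the JVM heap: Xms and Xmx are set equal so the heap is not resized at runtime.
[root@elk ~]# cat > /etc/elasticsearch/jvm.options.d/memory.options << 'EOF'
-Xms2g
-Xmx2g
EOF

# Start Elasticsearch (the option is "--now", two ASCII hyphens)
[root@elk ~]# systemctl enable --now elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /usr/lib/systemd/system/elasticsearch.service.

# Test the connection. Plain http:// with no credentials only works because security
# was disabled above; with the 8.x defaults this would be https:// plus a user/password.
[root@elk ~]# curl http://localhost:9200
{
  "name" : "node-1",
  "cluster_name" : "elk-cluster",
  "cluster_uuid" : "12345678-90ab-cdef-1234-567890abcdef",
  "version" : {
    "number" : "8.6.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "1234567890abcdef",
    "build_date" : "2023-02-22T00:00:00.000000000Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}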

1.2 安装Logstash和Kibana

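# Install Logstash
[root@elk ~]# dnf install -y logstash

# Configure the Logstash pipeline.
# All quotes must be ASCII double quotes (") — the typographic “ ” quotes in the original
# are a syntax error for the Logstash config parser and the pipeline fails to load.
# The beats input on 5044 accepts plaintext, unauthenticated connections from any host that
# can reach the port; whatever arrives is indexed as-is. Restrict 5044 to the Filebeat hosts
# with a firewall, or configure ssl => true with client certificates outside a lab.
# NOTE(review): the logstash service user must be able to read /var/log/messages — confirm
# the file permissions on this host, otherwise the file input silently collects nothing.
[root@elk ~]# cat > /etc/logstash/conf.d/syslog.conf << 'EOF'
input {
  file {
    path => "/var/log/messages"
    type => "syslog"
    start_position => "beginning"
  }
  beats {
    port => 5044
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGBASE2} %{GREEDYDATA:syslog_message}" }
    }
    date {
      match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "syslog-%{+YYYY.MM.dd}"
  }
  # Debug output: every event is also written to Logstash's own stdout/journal.
  # Remove once the pipeline is verified; it doubles the log volume on disk.
  stdout { codec => rubydebug }
}
EOF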

# 启动Logstash
[root@elk ~]# systemctl enable –now logstash

# 安装Kibana
[root@elk ~]# dnf install -y kibana

# 配置Kibana
[root@elk ~]# cat > /etc/kibana/kibana学习交流加群风哥QQ113257174.yml << 'EOF' server.port: 5601 server.host: "0.0.0.0" elasticsearch.hosts: ["http://localhost:9200"] i18n.locale: "zh-CN" EOF # 启动Kibana [root@elk ~]# systemctl enable --now kibana # 查看服务状态 [root@elk ~]# systemctl status elasticsearch logstash kibana ● elasticsearch.service - Elasticsearch Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; preset: disabled) Active: active (running) since Fri 2026-04-04 22:50:00 CST; 5min ago ● logstash.service - logstash Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: disabled) Active: active (running) since Fri 2026-04-04 22:50:00 CST; 5min ago ● kibana.service - Kibana Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; preset: disabled) Active: active (running) since Fri 2026-04-04 22:50:00 CST; 5min ago

Part02-Filebeat配置

2.1 安装Filebeat

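# Install Filebeat
[root@web-server ~]# dnf install -y filebeat

# Configure Filebeat.
# output.logstash has no ssl section, so events go to 192.168.1.10:5044 in cleartext and
# Filebeat cannot verify it is talking to the real Logstash ("filebeat test output" below
# reports "TLS... WARN secure connection disabled"). Nginx access logs carry client IPs,
# URLs and user agents; outside an isolated lab add ssl.certificate_authorities,
# ssl.certificate and ssl.key here and ssl => true on the Logstash beats input.
# NOTE(review): the nginx module enabled further down also harvests nginx logs by its own
# default paths — confirm it does not double-read the two files listed in filebeat.inputs.
[root@web-server ~]# cat > /etc/filebeat/filebeat.yml << 'EOF'
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    fields:
      type: nginx-access
    fields_under_root: true
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/error.log
    fields:
      type: nginx-error
    fields_under_root: true

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml

output.logstash:
  hosts: ["192.168.1.10:5044"]
  # No ssl: block -> plaintext transport, see the warning above.

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
EOF

# Enable the Nginx module
[root@web-server ~]# filebeat modules enable nginx
Enabled nginx

# Start Filebeat
[root@web-server ~]# systemctl enable --now filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /usr/lib/systemd/system/filebeat.service.

# Validate the configuration and the connection to Logstash.
# The "TLS... WARN secure connection disabled" line is the cleartext transport warning.
[root@web-server ~]# filebeat test config
Config OK
[root@web-server ~]# filebeat test output
logstash: 192.168.1.10:5044...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.1.10
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK

# List the indices on the ELK host (URL quoted so the shell does not glob the "?")
[root@elk ~]# curl 'http://localhost:9200/_cat/indices?v'
health status index             uuid                  pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana_1         1234567890abcdef12345   1   0          1            0        4kb            4kb
green  open   syslog-2026.04.04 2345678901abcdef23456   1   0        100            0      100kb          100kb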

风哥针对日志系统建议:

  • 本文为了演示方便关闭了 xpack 安全功能(无认证、无 TLS),并将 Elasticsearch、Kibana 监听在 0.0.0.0、Filebeat 到 Logstash 使用明文传输;在非隔离环境中应启用 xpack.security(认证 + TLS),并用防火墙限制 9200/9300、5044、5601 端口的访问来源
  • 配置日志轮转避免磁盘满
  • 使用索引生命周期管理
  • 配置合理的保留策略
  • 监控集群健康状态
  • 定期备份重要索引

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
