
Linux教程FG484-Linux日志分析实战

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

风哥提示:

本文档介绍Linux日志分析实战案例。

Part01-日志系统架构

1.1 ELK Stack部署

# 安装Elasticsearch
[root@fgedu-log ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
[root@fgedu-log ~]# cat > /etc/yum.repos.d/elasticsearch.repo << 'EOF'
[elasticsearch]
name=Elasticsearch repository
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
[root@fgedu-log ~]# yum install -y elasticsearch
Dependencies resolved.
================================================================================
 Package           Architecture   Version       Repository         Size
================================================================================
Installing:
 elasticsearch     x86_64         8.12.0-1      elasticsearch      650 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 650 M
Installed size: 1.2 G
Downloading Packages:
elasticsearch-8.12.0-1.x86_64.rpm              10 MB/s | 650 MB     01:05
--------------------------------------------------------------------------------
Complete!

# 配置Elasticsearch
[root@fgedu-log ~]# cat > /etc/elasticsearch/elasticsearch.yml << 'EOF'
cluster.name: fgedu-logs
node.name: fgedu-log-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
EOF

# 启动Elasticsearch
[root@fgedu-log ~]# systemctl enable elasticsearch --now
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /usr/lib/systemd/system/elasticsearch.service.

# 验证Elasticsearch
[root@fgedu-log ~]# curl -s http://localhost:9200
{
  "name" : "fgedu-log-1",
  "cluster_name" : "fgedu-logs",
  "version" : {
    "number" : "8.12.0"
  }
}

# 安装Kibana
[root@fgedu-log ~]# yum install -y kibana
[root@fgedu-log ~]# cat > /etc/kibana/kibana.yml << 'EOF'
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
EOF
[root@fgedu-log ~]# systemctl enable kibana --now

Part02-日志收集配置

2.1 Filebeat配置

# 安装Filebeat
[root@fgedu-log ~]# yum install -y filebeat

# 配置Filebeat
[root@fgedu-log ~]# cat > /etc/filebeat/filebeat.yml << 'EOF'
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
    - /var/log/secure
  fields:
    type: system
  fields_under_root: true

- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  fields:
    type: nginx_access
  fields_under_root: true
  multiline.pattern: '^\['
  multiline.negate: true
  multiline.match: after

- type: log
  enabled: true
  paths:
    - /var/log/mysql/error.log
  fields:
    type: mysql_error
  fields_under_root: true

output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "fgedu-logs-%{+yyyy.MM.dd}"

setup.template.name: "fgedu-logs"
setup.template.pattern: "fgedu-logs-*"
EOF

# 启动Filebeat
[root@fgedu-log ~]# systemctl enable filebeat --now

# 验证日志索引
[root@fgedu-log ~]# curl -s http://localhost:9200/_cat/indices?v
health status index                 docs.count store.size
green  open   fgedu-logs-2026.04.04       5000      2.5mb

Part03-日志分析实战

3.1 日志查询分析

# 查询系统错误日志
[root@fgedu-log ~]# curl -X GET "localhost:9200/fgedu-logs-*/_search" -H 'Content-Type: application/json' -d '{
  "query": {
    "bool": {
      "must": [
        {"match": {"type": "system"}},
        {"match": {"message": "error"}}
      ]
    }
  },
  "size": 10,
  "sort": [{"@timestamp": "desc"}]
}' | jq .

# 统计Nginx访问量Top10 IP
[root@fgedu-log ~]# curl -X GET "localhost:9200/fgedu-logs-*/_search" -H 'Content-Type: application/json' -d '{
  "size": 0,
  "query": {
    "match": {"type": "nginx_access"}
  },
  "aggs": {
    "top_ips": {
      "terms": {
        "field": "client_ip.keyword",
        "size": 10
      }
    }
  }
}' | jq .aggregations.top_ips

# 创建日志分析脚本
[root@fgedu-log ~]# cat > /usr/local/bin/log-analyzer.sh << 'EOF'
#!/bin/bash
# log-analyzer.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn

INDEX="fgedu-logs-$(date +%Y.%m.%d)"

echo "=== 日志分析报告 ==="
echo "分析日期: $(date)"
echo ""

echo "1. 今日日志总量"
curl -s "localhost:9200/${INDEX}/_count" | jq .count
echo ""

echo "2. 按类型统计"
curl -s -X GET "localhost:9200/${INDEX}/_search" -H 'Content-Type: application/json' -d '{
  "size": 0,
  "aggs": {
    "by_type": {
      "terms": {"field": "type.keyword"}
    }
  }
}' | jq '.aggregations.by_type.buckets[] | "\(.key): \(.doc_count)"'
echo ""

echo "3. 错误日志统计"
curl -s -X GET "localhost:9200/${INDEX}/_count" -H 'Content-Type: application/json' -d '{
  "query": {
    "match": {"message": "error"}
  }
}' | jq .count
echo ""

echo "4. 最近10条错误日志"
curl -s -X GET "localhost:9200/${INDEX}/_search" -H 'Content-Type: application/json' -d '{
  "query": {
    "match": {"message": "error"}
  },
  "size": 10,
  "_source": ["@timestamp", "message"]
}' | jq '.hits.hits[]._source'
echo ""

echo "=== 分析完成 ==="
EOF
[root@fgedu-log ~]# chmod +x /usr/local/bin/log-analyzer.sh

# 执行日志分析
[root@fgedu-log ~]# /usr/local/bin/log-analyzer.sh
=== 日志分析报告 ===
分析日期: Sat Apr 4 23:00:00 CST 2026

1. 今日日志总量
5000

2. 按类型统计
"system: 3000"
"nginx_access: 1500"
"mysql_error: 500"

3. 错误日志统计
120

4. 最近10条错误日志
{
  "@timestamp": "2026-04-04T23:00:00.000Z",
  "message": "Connection refused to database"
}

Part04-日志告警配置

4.1 配置日志告警

# 创建日志告警脚本
[root@fgedu-log ~]# cat > /usr/local/bin/log-alert.sh << 'EOF'
#!/bin/bash
# log-alert.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn

ALERT_THRESHOLD=100
ALERT_EMAIL="admin@fgedu.net.cn"
INDEX="fgedu-logs-$(date +%Y.%m.%d)"

ERROR_COUNT=$(curl -s -X GET "localhost:9200/${INDEX}/_count" -H 'Content-Type: application/json' -d '{
  "query": {
    "match": {"message": "error"}
  }
}' | jq .count)

if [ "$ERROR_COUNT" -gt "$ALERT_THRESHOLD" ]; then
  echo "错误日志数量: $ERROR_COUNT, 超过阈值: $ALERT_THRESHOLD"

  ERROR_LOGS=$(curl -s -X GET "localhost:9200/${INDEX}/_search" -H 'Content-Type: application/json' -d '{
    "query": {
      "match": {"message": "error"}
    },
    "size": 20,
    "_source": ["@timestamp", "host.name", "message"]
  }' | jq -r '.hits.hits[]._source | "\(.["@timestamp"]) [\(.["host.name"])] \(.message)"')

  mail -s "FGEDU日志告警: 错误日志数量异常" $ALERT_EMAIL << MAIL_EOF
检测到错误日志数量异常

错误日志数量: $ERROR_COUNT
告警阈值: $ALERT_THRESHOLD

最近错误日志:
$ERROR_LOGS

请及时处理!
MAIL_EOF

  echo "告警邮件已发送"
fi
EOF
[root@fgedu-log ~]# chmod +x /usr/local/bin/log-alert.sh

# 配置定时告警检查
[root@fgedu-log ~]# cat >> /etc/crontab << 'EOF'
*/5 * * * * root /usr/local/bin/log-alert.sh >> /var/log/log-alert.log 2>&1
EOF

# 创建日志清理脚本
[root@fgedu-log ~]# cat > /usr/local/bin/log-cleanup.sh << 'EOF'
#!/bin/bash
# log-cleanup.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn

RETENTION_DAYS=30

echo "清理${RETENTION_DAYS}天前的日志索引..."

for index in $(curl -s "localhost:9200/_cat/indices?fgedu-logs-*&h=index" | grep fgedu-logs); do
  index_date=$(echo $index | sed 's/fgedu-logs-//')
  index_timestamp=$(date -d "$index_date" +%s 2>/dev/null)
  threshold_timestamp=$(date -d "-${RETENTION_DAYS} days" +%s)

  if [ -n "$index_timestamp" ] && [ "$index_timestamp" -lt "$threshold_timestamp" ]; then
    echo "删除索引: $index"
    curl -X DELETE "localhost:9200/$index"
  fi
done

echo "日志清理完成"
EOF

[root@fgedu-log ~]# chmod +x /usr/local/bin/log-cleanup.sh

风哥针对日志分析建议:

  • 建立集中日志收集系统
  • 配置合理的日志保留策略
  • 实施日志告警机制
  • 定期进行日志分析
  • 保护日志数据安全(例如本文示例中 Elasticsearch 配置了 xpack.security.enabled: false 并以 network.host: 0.0.0.0 监听、Kibana 配置了 server.host: "0.0.0.0",这只适合隔离的测试环境;生产环境应启用认证和 TLS,并限制监听地址或用防火墙限制访问来源)

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
