
Linux教程FG504-Linux综合实战案例十

内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。

风哥提示:

本文档介绍企业级日志分析平台部署综合实战案例。

Part01-ELK Stack部署

1.1 Elasticsearch集群配置

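# Install Elasticsearch from the signed 8.x RPM repository
# (the GPG key is imported first so gpgcheck=1 can verify every package).
[root@fgedu-es1 ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
[root@fgedu-es1 ~]# cat > /etc/yum.repos.d/elasticsearch.repo << 'EOF'
[elasticsearch]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
[root@fgedu-es1 ~]# yum install -y elasticsearch

# Configure Elasticsearch (three-node cluster, security on, TLS off)
# NOTE(review): with both http and transport TLS disabled, credentials and
# inter-node traffic cross the network in clear text. Because network.host is
# a non-loopback address the node runs in production mode, and Elasticsearch's
# bootstrap checks refuse to start a security-enabled cluster without transport
# TLS unless a trial licence is active -- confirm against your licence/version.
[root@fgedu-es1 ~]# cat > /etc/elasticsearch/elasticsearch.yml << 'EOF'
cluster.name: fgedu-logs
node.name: fgedu-es1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.1.10
http.port: 9200
discovery.seed_hosts: ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
cluster.initial_master_nodes: ["fgedu-es1", "fgedu-es2", "fgedu-es3"]
xpack.security.enabled: true
xpack.security.enrollment.enabled: false
xpack.security.http.ssl.enabled: false
xpack.security.transport.ssl.enabled: false
EOF

# Fix the JVM heap (Xms == Xmx so the heap is never resized at runtime)
[root@fgedu-es1 ~]# cat > /etc/elasticsearch/jvm.options.d/heap.options << 'EOF'
-Xms4g
-Xmx4g
EOF

# Start Elasticsearch and enable it at boot
[root@fgedu-es1 ~]# systemctl enable elasticsearch --now

# Check cluster health.
# `-u elastic` without a password makes curl prompt for it, so the secret
# never lands in shell history or in `ps` output; the URL is quoted because
# `?` is a glob character.
[root@fgedu-es1 ~]# curl -u elastic 'http://192.168.1.10:9200/_cluster/health?pretty'
Enter host password for user 'elastic':
{
  "cluster_name" : "fgedu-logs",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 3,
  "number_of_data_nodes" : 3,
  "active_primary_shards" : 10,
  "active_shards" : 20,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}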

Part02-Logstash配置

2.1 日志收集管道

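# Install Logstash
[root@fgedu-logstash ~]# yum install -y logstash

# Nginx access-log pipeline: Beats input -> grok/geoip/useragent/date -> Elasticsearch
# NOTE(review): the beats input listens in clear text on 5044; if shippers
# cross an untrusted network the input supports `ssl => true` together with
# `ssl_certificate` / `ssl_key`.
# NOTE(review): the output authenticates as the built-in `elastic` superuser
# with a clear-text password in this file. Least privilege: create a dedicated
# user/role limited to writing the fgedu-* indices, and keep the password in
# the Logstash keystore (logstash-keystore), referenced here as `${<KEY_NAME>}`.
[root@fgedu-logstash ~]# cat > /etc/logstash/conf.d/nginx.conf << 'EOF'
input {
  beats {
    port => 5044
  }
}

filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  geoip {
    source => "clientip"
    target => "geoip"
  }
  useragent {
    source => "agent"
    target => "useragent"
  }
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
  mutate {
    remove_field => [ "message" ]
  }
}

output {
  elasticsearch {
    hosts => ["http://192.168.1.10:9200", "http://192.168.1.11:9200"]
    user => "elastic"
    password => "Elastic@123"
    index => "fgedu-nginx-%{+YYYY.MM.dd}"
  }
}
EOF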

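# System-log pipeline: file input -> grok/date -> Elasticsearch
# NOTE(review): /var/log/secure is normally readable by root only; the logstash
# service user needs read access (e.g. an ACL) or this input cannot open it.
# `start_position => "beginning"` only applies to files that have no sincedb
# entry yet; on later restarts tailing resumes from the recorded offset.
# The same credential caveat as the other pipelines applies: prefer a dedicated
# write-only role over `elastic`, and the Logstash keystore over a clear-text
# password in this file.
[root@fgedu-logstash ~]# cat > /etc/logstash/conf.d/syslog.conf << 'EOF'
input {
  file {
    path => ["/var/log/messages", "/var/log/secure"]
    type => "syslog"
    start_position => "beginning"
  }
}

filter {
  grok {
    match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}" }
  }
  date {
    match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
}

output {
  elasticsearch {
    hosts => ["http://192.168.1.10:9200"]
    user => "elastic"
    password => "Elastic@123"
    index => "fgedu-syslog-%{+YYYY.MM.dd}"
  }
}
EOF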

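# Validate the pipeline files BEFORE enabling the service, so a broken
# pipeline is never started at boot. --path.settings points the CLI at the
# same logstash.yml / log4j2 settings the systemd unit uses.
[root@fgedu-logstash ~]# /usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit -f /etc/logstash/conf.d/
Using JAVA_HOME defined java: /usr/lib/jvm/java-11-openjdk
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2026-04-04T23:00:00,000][INFO ][logstash.runner ] Starting Logstash {"pipeline.id"=>"main"}
Configuration OK
[2026-04-04T23:00:00,000][INFO ][logstash.runner ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

# Start Logstash and enable it at boot
[root@fgedu-logstash ~]# systemctl enable logstash --now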

Part03-Kibana可视化

3.1 Dashboard配置

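# Install Kibana
[root@fgedu-kibana ~]# yum install -y kibana

# Configure Kibana
# NOTE(review): server.host "0.0.0.0" exposes the UI on every interface with
# no TLS configured, and the elasticsearch.hosts entries are plain http, so
# logins and session cookies travel in clear text. The kibana_system password
# is stored here in clear text; `kibana-keystore` can hold it instead.
[root@fgedu-kibana ~]# cat > /etc/kibana/kibana.yml << 'EOF'
server.port: 5601
server.host: "0.0.0.0"
server.name: "fgedu-kibana"
elasticsearch.hosts: ["http://192.168.1.10:9200", "http://192.168.1.11:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "Kibana@123"
i18n.locale: "zh-CN"
xpack.security.enabled: true
EOF

# Start Kibana and enable it at boot
[root@fgedu-kibana ~]# systemctl enable kibana --now

# Create an index pattern
# NOTE(review): this writes straight into Kibana's `.kibana` system index,
# bypassing Kibana itself. Direct writes to system indices are unsupported and
# may be rejected or ignored by Elasticsearch 8; prefer Kibana's saved-objects
# API on port 5601 (it requires a `kbn-xsrf` header). The password on the
# command line is also visible in shell history and `ps`.
[root@fgedu-kibana ~]# curl -u elastic:Elastic@123 -X POST \
  "http://192.168.1.10:9200/.kibana/_doc/index-pattern:fgedu-*" \
  -H 'Content-Type: application/json' -d'
{
  "type": "index-pattern",
  "attributes": {
    "title": "fgedu-*",
    "timeFieldName": "@timestamp"
  }
}'

# Dashboard definition (panels are placeholders referencing visualisations by id)
[root@fgedu-kibana ~]# cat > /tmp/dashboard.json << 'EOF'
{
  "version": "8.11.0",
  "objects": [
    {
      "id": "nginx-dashboard",
      "type": "dashboard",
      "attributes": {
        "title": "Nginx访问日志分析",
        "panelsJSON": [
          { "panelIndex": "1", "type": "visualization", "id": "request-count", "title": "请求统计" },
          { "panelIndex": "2", "type": "visualization", "id": "status-codes", "title": "状态码分布" },
          { "panelIndex": "3", "type": "visualization", "id": "top-urls", "title": "热门URL" }
        ]
      }
    }
  ]
}
EOF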

Part04-日志告警

4.1 告警规则配置

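# Alert rules
# NOTE(review): Elasticsearch itself does not read this file -- the rule
# syntax (type: frequency, num_events, timeframe, alert: email) is the
# ElastAlert rule format; confirm which tool actually consumes
# /etc/elasticsearch/monitoring/alerts.yml before relying on these alerts.
# NOTE(review): the 5xx rule uses a numeric range on `response`, but grok's
# COMBINEDAPACHELOG yields it as a string unless converted, and a range on a
# string field compares lexically -- confirm the index mapping.
[root@fgedu-es1 ~]# cat > /etc/elasticsearch/monitoring/alerts.yml << 'EOF'
# Error-log alert
- name: error_log_alert
  index: fgedu-*
  type: frequency
  num_events: 10
  timeframe:
    minutes: 5
  filter:
    - term:
        level: ERROR
  alert:
    - email
  email:
    - ops@fgedu.net.cn

# Failed-login alert
- name: login_failure_alert
  index: fgedu-syslog-*
  type: frequency
  num_events: 5
  timeframe:
    minutes: 10
  filter:
    - query_string:
        query: "message: Failed password"
  alert:
    - email
  email:
    - security@fgedu.net.cn

# HTTP 5xx alert
- name: http_5xx_alert
  index: fgedu-nginx-*
  type: frequency
  num_events: 50
  timeframe:
    minutes: 5
  filter:
    - range:
        response:
          gte: 500
  alert:
    - email
  email:
    - ops@fgedu.net.cn
EOF

# Log-analysis helper script
[root@fgedu-logstash ~]# cat > /usr/local/bin/log-analysis.sh << 'EOF'
#!/bin/bash
# log-analysis.sh -- print a short summary (document counts, HTTP status
# distribution, top client IPs) from Elasticsearch.
# web: http://www.fgedu.net.cn
#
# Requires: curl, jq.
# Credentials come from the environment (ES_USER, ES_PASS) rather than being
# hard-coded in the script; ES_HOST may be overridden the same way. The
# password still appears in `ps` for the lifetime of each curl call -- a
# netrc file (`curl -n`) avoids even that.
set -euo pipefail

ES_HOST="${ES_HOST:-192.168.1.10:9200}"
ES_USER="${ES_USER:-elastic}"
: "${ES_PASS:?ES_PASS must be set in the environment}"

command -v jq >/dev/null || { echo "jq is required" >&2; exit 1; }

# es_search INDEX BODY -- run a _search with JSON body BODY against INDEX.
# Output: the raw JSON response on stdout.
es_search() {
  curl -s -u "${ES_USER}:${ES_PASS}" -X GET "http://${ES_HOST}/$1/_search" \
    -H 'Content-Type: application/json' -d "$2"
}

echo "=== 日志分析报告 ==="
echo "分析时间: $(date)"
echo ""

# NOTE(review): _count over fgedu-* counts every document, not just today's;
# narrow the index pattern if a per-day figure is wanted.
echo "1. 今日日志总量"
curl -s -u "${ES_USER}:${ES_PASS}" "http://${ES_HOST}/fgedu-*/_count" | jq '.count'
echo ""

echo "2. 错误日志统计"
es_search 'fgedu-*' '{ "size": 0, "query": { "term": {"level": "ERROR"} } }' \
  | jq '.hits.total.value'
echo ""

echo "3. HTTP状态码分布"
es_search 'fgedu-nginx-*' '{ "size": 0, "aggs": { "status_codes": { "terms": {"field": "response.keyword"} } } }' \
  | jq '.aggregations.status_codes.buckets'
echo ""

echo "4. 访问量Top10 IP"
es_search 'fgedu-nginx-*' '{ "size": 0, "aggs": { "top_ips": { "terms": {"field": "clientip.keyword", "size": 10} } } }' \
  | jq '.aggregations.top_ips.buckets'
echo ""

echo "=== 分析完成 ==="
EOF
[root@fgedu-logstash ~]# chmod +x /usr/local/bin/log-analysis.sh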
风哥针对日志分析建议:

  • 建立统一的日志收集体系
  • 配置日志解析规则
  • 创建可视化Dashboard
  • 设置关键日志告警
  • 定期分析日志趋势

本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
