Linux架构篇、第四章_ELK与EFK-7.17.9的日志管理

Linux_基础篇

欢迎来到Linux的世界，看笔记好好学多敲多打，每个人都是大神！

题目：ELK与EFK-7.17.9的日志管理

版本号 : 1.0,0
作者 : @老王要学习
日期 : 2025.04.25
适用环境: Centos7

文档说明

本文档围绕 CentOS 7 环境下部署 ELK（Elasticsearch+Kibana+Logstash）与 EFK（Elasticsearch+Kibana+Filebeat）日志管理系统展开，详细记录了版本为 7.17.9 的组件安装、配置及优化过程。内容涵盖环境准备、各组件部署步骤、数据收集配置、可视化操作及性能优化方法，并提供了具体命令和配置示例，适用于系统管理员参考使用

环境准备

硬件要求

• 服务器： 2核CPU、2GB内存，20GB硬盘空间
• 网络： 确保服务器具有固定的IP地址，并且防火墙允许FTP端口（默认22端口）的通信

软件要求

• 操作系统：Centos7
• FTP软件：SecureCRT
• 软件包：elasticsearch-7.17.9、kibana-7.17.9、logstash-7.17.9、filebeat-7.17.9

---

一、部署elasticstack在174.20

1.1下载ELK包

#web01安装如下
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.17.9/filebeat-7.17.9-x86_64.rpm
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.17.9/logstash-7.17.9-x86_64.rpm

#ELK02安装如下
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.17.9/elasticsearch-7.17.9-x86_64.rpm
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.17.9/kibana-7.17.9-x86_64.rpm

ELK02安装elasticsearch

rpm -ivh elasticsearch-7.17.9-x86_64.rpm 

查看elasticsearch .yml位置

rpm -qc elasticsearch 

1.2编辑elasticsearch .yml文件修改

1.2.1方法一vim进入修改如下：

vim/etc/elasticsearch/elasticsearch.yml
#集群名称自定义
cluster.name: my-elk

#本机主机名
node.name: elk02

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

bootstrap.memory_lock: false

#主机IP
network.host: 192.168.174.20 
http.port: 9200

#本机主机名
discovery.seed_hosts: ["elk02"]
cluster.initial_master_nodes: ["elk02"]

1.2.2方法二sed替换如下：

#修改如下：
sed -i 's/#cluster.name: my-application/cluster.name: my-elk/' /etc/elasticsearch/elasticsearch.yml

#修改本机主机名
sed -i 's/#node.name: node-1/node.name: elk02/' /etc/elasticsearch/elasticsearch.yml

#修改#bootstrap.memory_lock为false
sed -i 's/#bootstrap.memory_lock: true/bootstrap.memory_lock: false/' /etc/elasticsearch/elasticsearch.yml

#修改#network.host为本机ip174.20
sed -i 's/#network.host: 192.168.0.1/network.host: 192.168.174.20/' /etc/elasticsearch/elasticsearch.yml

#打开#http.port: 9200
sed -i 's/#http.port: 9200/http.port: 9200/' /etc/elasticsearch/elasticsearch.yml

#修改为本机主机名
sed -i 's/#discovery.seed_hosts: \["host1", "host2"\]/discovery.seed_hosts: \["elk02"\]/' /etc/elasticsearch/elasticsearch.yml

sed -i 's/#cluster.initial_master_nodes: \["node-1", "node-2"\]/cluster.initial_master_nodes: \["elk02"\]/' /etc/elasticsearch/elasticsearch.yml

1.3重载并重启elasticsearch.service

systemctl daemon-reload 
systemctl restart elasticsearch.service 
systemctl enable elasticsearch.service

二、部署kibana在主机 174.20

2.1rpm安装kibana

rpm -ivh kibana-7.17.9-x86_64.rpm

2.2修改kibana.yml文件

2.2.1方法一vim进入修改如下：

vim /etc/kibana/kibana.yml
#启用
server.port: 5601

#修改为本机主机名
server.host: "elk02"
server.name: "elk02" 

#修改es地址为本机ip的9200端口
elasticsearch.hosts: ["http://192.168.174.20:9200"]
kibana.index: ".kibana"

#设置中文
i18n.locale: "zh-CN"

2.2.2方法二sed替换如下：

sed -i 's/#server.port: 5601/server.port: 5601/' /etc/kibana/kibana.yml

sed -i 's/#server.host: "localhost"/server.host: "elk02"/' /etc/kibana/kibana.yml

sed -i 's/#server.name: "your-hostname"/server.name: "elk02"/' /etc/kibana/kibana.yml

sed -i 's|#\s*elasticsearch\.hosts:\s*\["http://localhost:9200"\]|elasticsearch.hosts: ["http://192.168.174.20:9200"]|' /etc/kibana/kibana.yml

sed -i 's/#kibana.index: ".kibana"/kibana.index: ".kibana"/' /etc/kibana/kibana.yml

sed -i 's|#i18n.locale: "en"|i18n.locale: "zh-CN"|' /etc/kibana/kibana.yml

2.3重载并重启

systemctl daemon-reload 
systemctl restart kibana.service 
systemctl enable kibana.service 

三、部署logstash在主机174.10

3.1rpm安装logstash

rpm -ivh logstash-7.17.9-x86_64.rpm 

3.2自定义Logstash配置文件

cat>/etc/logstash/conf.d/mymessage.conf<<EOF
input{
file{
path=>["/var/log/messages"]
start_position=>"beginning"
}
}
output{
elasticsearch{
hosts=>"http://192.168.174.20:9200"
index=>"messages-%{+yyyy.MM.dd}"
}
}
EOF

3.3启动 Logstash 并使用指定配置文件

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/mymessage.conf

3.4访问elastic进行配置

http://192.168.174.20:5601

3.4.1左上角三条斜杠------Stack Management------数据------索引管理------看到messages-2025.04.25添加成功

!\[Pasted image 20250425164356.png]

3.4.2kibana------索引模式------创建索引模式

!\[Pasted image 20250425164804.png]

3.4.3名字(匹配索引)------messages*------时间戳字段------@timestamp------创建索引模式

!\[Pasted image 20250425164928.png]

3.4.4Analytics------Discover------查看柱状图

!\[Pasted image 20250425165323.png]

3.4.5Analytics------Dashboard------创建仪表板------创建可视化

!\[Pasted image 20250425165523.png]

3.4.6------messages*------message.keyword------保存并返回

!\[Pasted image 20250425170132.png]

3.4.7测试查看计数变化

#创建2个用户
useradd user1
useradd user2

#登录用户并退出，查看计数变化
su - user1
exit

su - user2
exit

!\[Pasted image 20250425171259.png]

3.5安装NGINX检测变化

3.5.1安装NGINX写入2个网页

dnf -y install nginx
systemctl start nginx
echo "test1" >> /usr/share/nginx/html/test1.html
echo "test2" >> /usr/share/nginx/html/test2.html

3.5.2在174.20使用curl访问192.168.174.10查看日志变化

curl 192.168.174.10

cat access.log 

输出结果如下：
192.168.174.20 - - [25/Apr/2025:15:29:19 +0800] "GET / HTTP/1.1" 200 7620 "-" "curl/7.76.1" "-"

3.5.3创建NGINX数据收集配置文件

cat>/etc/logstash/conf.d/ngx_access.conf<<EOF
input{
file{   
path=>["/var/log/nginx/access.log"]
start_position=>"beginning"
}
}
output{
elasticsearch{
hosts=>"http://192.168.174.20:9200"
index=>"myngx_access--%{+yyyy.MM.dd}"
}
}
EOF

#启动 Logstash 并使用指定配置文件
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf

3.5.4在174.20安装httpd进行压力测试

dnf -y install httpd-tools

ab -c 10 -n 100 http://192.168.174.10/

3.5.5同上步骤进行创建可视化查看测试变化

!\[Pasted image 20250425172502.png]

!\[Pasted image 20250425172525.png]

3.6对NGINX数据收集进行优化

3.6.1修改NGINX配置文件并重启

vim /etc/nginx/nginx.conf
#添加如下：
    log_format  access_json  '{'
    '"remote_addr":"$remote_addr",'
	'"remote_user":"$remote_user",'
	'"time_local":"$time_local",'
	'"request":"$request",'
	'"status":"$status",'
	'"body_bytes_sent":"$body_bytes_sent",'
	'"http_referer":"$http_referer",'
	'"http_user_agent":"$http_user_agent"'
	'"http_x_forwarded_for":"$http_x_forwarded_for",'
	'}';
	access_log  /var/log/nginx/access.log  access_json;

#重启nginx 
systemctl restart nginx

3.6.2优化logstash收集NGINX数据，加json插件

cat>/etc/logstash/conf.d/nginx_access.conf<<EOF
input{
file{   
path=>["/var/log/nginx/access.log"]
start_position=>"beginning"
}
}
filter{
json{
source=>"message"
}
}
output{
elasticsearch{
hosts=>"http://192.168.174.20:9200"
index=>"mynginx_access--%{+yyyy.MM.dd}"
}
}
EOF

3.6.3清空日志并启动 Logstash

#清空日志文件
>/var/log/nginx/access.log 

#启动 Logstash 并使用指定配置文件
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf

3.7使用grok格式

3.7.1修改nginx.conf文件

vim /etc/nginx/nginx.conf
#修改如下：
    access_log  /var/log/nginx/access.log  main;

#重启nginx 
systemctl restart nginx

3.7.2优化logstash收集NGINX数据，加grok插件

cat>/etc/logstash/conf.d/nginx_access.conf<<EOF
input{
file{
path=>["/var/log/nginx/access.log"]
start_position=>"beginning"
}
}
filter{
grok{
match=>{
"message"=>['%{IPORHOST:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:timestamp}\] "%{WORD:http_method} %{URIPATH:url_path}(?:%{URIPARAM:url_query})? HTTP/%{NUMBER:http_version}" %{NUMBER:status:int} %{NUMBER:bytes_sent:int} "%{DATA:referrer}" "%{DATA:user_agent}" "%{DATA:x_forwarded_for}"']
}
}
}
output{
elasticsearch{
hosts=>"http://192.168.174.20:9200"
index=>"nginx_grok_access_%{+YYYY.MM.dd}"
}
}
EOF

3.7.3清空日志并启动 Logstash

#清空日志文件
>/var/log/nginx/access.log 

#启动 Logstash 并使用指定配置文件
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf

!\[Pasted image 20250427105518.png]

四、安装filebeat

rpm -ivh filebeat-7.17.9-x86_64.rpm 

4.1修改filebeat配置文件

4.1.1vim修改：

vim /etc/filebeat/filebeat.yml 
#修改如下：
id: my-nginx-id

  enabled: true
  
  output.logstash:
  
#hosts: ["localhost:5044"]/  #hosts: ["192.168.174.20:5044"]

#output.elasticsearch:

#  hosts: ["localhost:9200"]

4.1.2sed修改：

sed -i 's/  id: my-filestream-id/  id: my-nginx-id/' /etc/filebeat/filebeat.yml

sed -i 's/  enabled: false/  enabled: true/' /etc/filebeat/filebeat.yml

sed -i 's/\/var\/log\/\*\.log/\/var\/log\/nginx\/access\.log/' /etc/filebeat/filebeat.yml

sed -i 's/#output.logstash:/output.logstash:/' /etc/filebeat/filebeat.yml

sed -i 's/  #hosts: \["localhost:5044"\]/  hosts: \["192.168.174.20:5044"\]/' /etc/filebeat/filebeat.yml

sed -i 's/output.elasticsearch:/#output.elasticsearch:/' /etc/filebeat/filebeat.yml

sed -i 's/  hosts: \["localhost:9200"\]/#  hosts: \["localhost:9200"\]/' /etc/filebeat/filebeat.yml

#重启filebeat服务
systemctl restart filebeat.service 
systemctl enable filebeat.service 

4.2为174.20传输logstash相关配置

scp /root/logstash-7.17.9-x86_64.rpm 192.168.174.20:/root/

#进入174.20rpm安装logstash
rpm -ivh logstash-7.17.9-x86_64.rpm

#启动logstash服务
systemctl start logrotate.service 

#拷贝10文件到20 
scp /etc/logstash/conf.d/nginx_access.conf 192.168.174.20:/etc/logstash/conf.d/nginx_access.conf

#修改索引名字
sed -i 's/index=>"nginx_grok_access_%{+YYYY\.MM\.dd}"/index=>"nginx_filebeat_grok_access_%{+YYYY\.MM\.dd}"/' /etc/logstash/conf.d/nginx_access.conf

4.3启动 Logstash 并使用指定配置文件

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf