Linux_Basics
Welcome to the world of Linux. Read the notes carefully, practice a lot, and everyone can become an expert!
Title: Log management with ELK and EFK 7.17.9
Version: 1.0.0
Author: @老王要学习
Date: 2025.04.25
Target environment: CentOS 7
Document description
This document covers deploying the ELK (Elasticsearch + Kibana + Logstash) and EFK (Elasticsearch + Kibana + Filebeat) log management stacks, version 7.17.9, on CentOS 7. It records the installation, configuration and tuning of each component: environment preparation, per-component deployment steps, data collection configuration, visualization in Kibana and performance tuning, with concrete commands and configuration examples for system administrators.
Environment preparation
Hardware requirements
- Server: 2 CPU cores, 2 GB RAM, 20 GB disk space
- Network: the server needs a fixed IP address, and the firewall must allow traffic on the FTP port (port 22 by default)
Software requirements
- Operating system: CentOS 7
- FTP client: SecureCRT
- Packages: elasticsearch-7.17.9, kibana-7.17.9, logstash-7.17.9, filebeat-7.17.9
1. Deploy the Elastic Stack on 174.20
1.1 Download the ELK packages
# installed on web01 (174.10)
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.17.9/filebeat-7.17.9-x86_64.rpm
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.17.9/logstash-7.17.9-x86_64.rpm
# installed on ELK02 (174.20)
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.17.9/elasticsearch-7.17.9-x86_64.rpm
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.17.9/kibana-7.17.9-x86_64.rpm
Install Elasticsearch on ELK02
rpm -ivh elasticsearch-7.17.9-x86_64.rpm
# list the package's configuration files to find elasticsearch.yml
rpm -qc elasticsearch
1.2 Edit elasticsearch.yml
1.2.1 Method 1: edit with vim
vim /etc/elasticsearch/elasticsearch.yml
# cluster name, your choice
cluster.name: my-elk
# this host's hostname
node.name: elk02
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: false
# this host's IP
network.host: 192.168.174.20
http.port: 9200
# this host's hostname
discovery.seed_hosts: ["elk02"]
cluster.initial_master_nodes: ["elk02"]
1.2.2 Method 2: replace with sed
# cluster name
sed -i 's/#cluster.name: my-application/cluster.name: my-elk/' /etc/elasticsearch/elasticsearch.yml
# this host's hostname
sed -i 's/#node.name: node-1/node.name: elk02/' /etc/elasticsearch/elasticsearch.yml
# set bootstrap.memory_lock to false
sed -i 's/#bootstrap.memory_lock: true/bootstrap.memory_lock: false/' /etc/elasticsearch/elasticsearch.yml
# set network.host to this host's IP, 174.20
sed -i 's/#network.host: 192.168.0.1/network.host: 192.168.174.20/' /etc/elasticsearch/elasticsearch.yml
# uncomment http.port: 9200
sed -i 's/#http.port: 9200/http.port: 9200/' /etc/elasticsearch/elasticsearch.yml
# set both to this host's hostname
sed -i 's/#discovery.seed_hosts: \["host1", "host2"\]/discovery.seed_hosts: \["elk02"\]/' /etc/elasticsearch/elasticsearch.yml
sed -i 's/#cluster.initial_master_nodes: \["node-1", "node-2"\]/cluster.initial_master_nodes: \["elk02"\]/' /etc/elasticsearch/elasticsearch.yml
1.3 Reload systemd and restart elasticsearch.service
systemctl daemon-reload
systemctl restart elasticsearch.service
systemctl enable elasticsearch.service
2. Deploy Kibana on host 174.20
2.1 Install Kibana with rpm
rpm -ivh kibana-7.17.9-x86_64.rpm
2.2 Edit kibana.yml
2.2.1 Method 1: edit with vim
vim /etc/kibana/kibana.yml
# enable the listening port
server.port: 5601
# change to this host's hostname
server.host: "elk02"
server.name: "elk02"
# point Kibana at Elasticsearch on this host's IP, port 9200
elasticsearch.hosts: ["http://192.168.174.20:9200"]
kibana.index: ".kibana"
# set the UI language to Chinese
i18n.locale: "zh-CN"
2.2.2 Method 2: replace with sed
sed -i 's/#server.port: 5601/server.port: 5601/' /etc/kibana/kibana.yml
sed -i 's/#server.host: "localhost"/server.host: "elk02"/' /etc/kibana/kibana.yml
sed -i 's/#server.name: "your-hostname"/server.name: "elk02"/' /etc/kibana/kibana.yml
sed -i 's|#\s*elasticsearch\.hosts:\s*\["http://localhost:9200"\]|elasticsearch.hosts: ["http://192.168.174.20:9200"]|' /etc/kibana/kibana.yml
sed -i 's/#kibana.index: ".kibana"/kibana.index: ".kibana"/' /etc/kibana/kibana.yml
sed -i 's|#i18n.locale: "en"|i18n.locale: "zh-CN"|' /etc/kibana/kibana.yml
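The sed lines in 1.2.2 and 2.2.2 only match the stock default text (`#cluster.name: my-application`, `#server.host: "localhost"`), so they silently do nothing when a line was already edited or the default differs between versions, and running them a second time cannot correct a wrong value. The following Python helper is an added example, not part of this note or of Elastic's tooling: it applies the same settings from 1.2.2 and 2.2.2 by matching the key rather than the default value, so it handles a commented, already-set or missing line and is safe to run twice. The elasticsearch.yml excerpt is constructed for the demo, and `edit_file` is a hypothetical wrapper for applying the change to the real path.

```python
import re

# Constructed excerpt of a stock elasticsearch.yml (7.17.9) with the lines the
# note edits; the real file has many more comment lines around them.
SAMPLE_ES_YML = """\
# ---------------------------------- Cluster -----------------------------------
#cluster.name: my-application
# ------------------------------------ Node ------------------------------------
#node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
#bootstrap.memory_lock: true
#network.host: 192.168.0.1
#http.port: 9200
#discovery.seed_hosts: ["host1", "host2"]
#cluster.initial_master_nodes: ["node-1", "node-2"]
"""

# The settings the note applies with sed in 1.2.2 (elasticsearch.yml) and
# 2.2.2 (kibana.yml), as key -> value text exactly as it should appear.
ES_SETTINGS = {
    "cluster.name": "my-elk",
    "node.name": "elk02",
    "bootstrap.memory_lock": "false",
    "network.host": "192.168.174.20",
    "http.port": "9200",
    "discovery.seed_hosts": '["elk02"]',
    "cluster.initial_master_nodes": '["elk02"]',
}
KIBANA_SETTINGS = {
    "server.port": "5601",
    "server.host": '"elk02"',
    "server.name": '"elk02"',
    "elasticsearch.hosts": '["http://192.168.174.20:9200"]',
    "kibana.index": '".kibana"',
    "i18n.locale": '"zh-CN"',
}


def set_setting(text: str, key: str, value: str) -> str:
    """Return text with `key: value` set on exactly one uncommented line.

    Matches the key itself (optionally commented out with '#'), not the stock
    default value, so it works whether the line is still commented, was
    already changed, or is absent (then it is appended at the end).
    """
    pattern = re.compile(r"^[ \t]*#?[ \t]*" + re.escape(key) + r"[ \t]*:.*$",
                         re.MULTILINE)
    new_line = f"{key}: {value}"
    if pattern.search(text):
        # Replace only the first match so the file keeps its layout.
        return pattern.sub(lambda m: new_line, text, count=1)
    if not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"


def apply_settings(text: str, settings: dict) -> str:
    """Apply every key/value pair in order; idempotent."""
    for key, value in settings.items():
        text = set_setting(text, key, value)
    return text


def active_settings(text: str) -> dict:
    """Parse the uncommented `key: value` lines of these flat YAML files."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        result[key.strip()] = value.strip()
    return result


def edit_file(path: str, settings: dict) -> None:
    """Hypothetical wrapper: rewrite a real config file in place."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(apply_settings(text, settings))


if __name__ == "__main__":
    edited = apply_settings(SAMPLE_ES_YML, ES_SETTINGS)
    print(edited)
    # A second run changes nothing, unlike re-running the sed lines, which
    # no longer match once the default text is gone.
    assert apply_settings(edited, ES_SETTINGS) == edited
    # e.g. edit_file("/etc/elasticsearch/elasticsearch.yml", ES_SETTINGS)
    # e.g. edit_file("/etc/kibana/kibana.yml", KIBANA_SETTINGS)
```

Before restarting, check the effective lines with `grep -v '^#' /etc/elasticsearch/elasticsearch.yml | grep .`. With these settings Elasticsearch 7.17 listens on 192.168.174.20:9200 without authentication unless `xpack.security.enabled: true` is also configured (security is off by default on 7.x), so restrict ports 9200 and 5601 to the hosts that need them.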
2.3 Reload systemd and restart Kibana
systemctl daemon-reload
systemctl restart kibana.service
systemctl enable kibana.service
3. Deploy Logstash on host 174.10
3.1 Install Logstash with rpm
rpm -ivh logstash-7.17.9-x86_64.rpm
3.2 Write a custom Logstash pipeline configuration
cat > /etc/logstash/conf.d/mymessage.conf <<'EOF'
input{
  file{
    path=>["/var/log/messages"]
    start_position=>"beginning"
  }
}
output{
  elasticsearch{
    hosts=>"http://192.168.174.20:9200"
    index=>"messages-%{+yyyy.MM.dd}"
  }
}
EOF
3.3 Start Logstash with the specified configuration file
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/mymessage.conf
3.4 Open Kibana and configure it
http://192.168.174.20:5601
3.4.1 Menu (three bars, top left) ------ Stack Management ------ Data ------ Index Management ------ confirm that the index messages-2025.04.25 has been created
![[Pasted image 20250425164356.png]]
3.4.2 Kibana ------ Index patterns ------ Create index pattern
![[Pasted image 20250425164804.png]]
3.4.3 Name (index match) ------ messages* ------ Timestamp field ------ @timestamp ------ Create index pattern
![[Pasted image 20250425164928.png]]
3.4.4 Analytics ------ Discover ------ view the histogram
![[Pasted image 20250425165323.png]]
3.4.5 Analytics ------ Dashboard ------ Create dashboard ------ Create visualization
![[Pasted image 20250425165523.png]]
3.4.6 Data view messages* ------ field message.keyword ------ Save and return
![[Pasted image 20250425170132.png]]
3.4.7 Test: watch the count change
# create 2 users
useradd user1
useradd user2
# log in as each user and exit, then watch the count in the visualization change
su - user1
exit
su - user2
exit
![[Pasted image 20250425171259.png]]
3.5 Install NGINX and watch the data change
3.5.1 Install NGINX and write 2 test pages
dnf -y install nginx
systemctl start nginx
echo "test1" >> /usr/share/nginx/html/test1.html
echo "test2" >> /usr/share/nginx/html/test2.html
3.5.2 From 174.20, request 192.168.174.10 with curl, then check the access log on 174.10
curl 192.168.174.10
cat /var/log/nginx/access.log
Output:
192.168.174.20 - - [25/Apr/2025:15:29:19 +0800] "GET / HTTP/1.1" 200 7620 "-" "curl/7.76.1" "-"
3.5.3 Create the NGINX data collection configuration file
cat > /etc/logstash/conf.d/nginx_access.conf <<'EOF'
input{
  file{
    path=>["/var/log/nginx/access.log"]
    start_position=>"beginning"
  }
}
output{
  elasticsearch{
    hosts=>"http://192.168.174.20:9200"
    index=>"myngx_access--%{+yyyy.MM.dd}"
  }
}
EOF
# start Logstash with the specified configuration file
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf
3.5.4 On 174.20, install httpd-tools and run a load test
dnf -y install httpd-tools
ab -c 10 -n 100 http://192.168.174.10/
3.5.5 Create a visualization as in 3.4 and watch the test traffic show up
![[Pasted image 20250425172502.png]]
![[Pasted image 20250425172525.png]]
3.6 Optimize NGINX data collection
3.6.1 Edit the NGINX configuration file and restart
vim /etc/nginx/nginx.conf
# add the following inside the http { } block. escape=json (nginx 1.11.8 or later) makes nginx escape quotes and backslashes in values such as the User-Agent, so every line stays valid JSON; every field except the last ends with a comma:
log_format access_json escape=json '{'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"time_local":"$time_local",'
'"request":"$request",'
'"status":"$status",'
'"body_bytes_sent":"$body_bytes_sent",'
'"http_referer":"$http_referer",'
'"http_user_agent":"$http_user_agent",'
'"http_x_forwarded_for":"$http_x_forwarded_for"'
'}';
access_log /var/log/nginx/access.log access_json;
# restart nginx
systemctl restart nginx
3.6.2 Optimize Logstash collection of NGINX data: add the json filter plugin
cat > /etc/logstash/conf.d/nginx_access.conf <<'EOF'
input{
  file{
    path=>["/var/log/nginx/access.log"]
    start_position=>"beginning"
  }
}
filter{
  json{
    source=>"message"
  }
}
output{
  elasticsearch{
    hosts=>"http://192.168.174.20:9200"
    index=>"mynginx_access--%{+yyyy.MM.dd}"
  }
}
EOF
3.6.3 Truncate the log and start Logstash
# truncate the log file so only JSON-format lines remain to be read
>/var/log/nginx/access.log
# start Logstash with the specified configuration file
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf
3.7 Use grok
3.7.1 Edit nginx.conf
vim /etc/nginx/nginx.conf
# switch the access log back to the built-in main format:
access_log /var/log/nginx/access.log main;
# restart nginx
systemctl restart nginx
3.7.2 Optimize Logstash collection of NGINX data: add the grok filter plugin
cat > /etc/logstash/conf.d/nginx_access.conf <<'EOF'
input{
  file{
    path=>["/var/log/nginx/access.log"]
    start_position=>"beginning"
  }
}
filter{
  grok{
    match=>{
      "message"=>['%{IPORHOST:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:timestamp}\] "%{WORD:http_method} %{URIPATH:url_path}(?:%{URIPARAM:url_query})? HTTP/%{NUMBER:http_version}" %{NUMBER:status:int} %{NUMBER:bytes_sent:int} "%{DATA:referrer}" "%{DATA:user_agent}" "%{DATA:x_forwarded_for}"']
    }
  }
}
output{
  elasticsearch{
    hosts=>"http://192.168.174.20:9200"
    index=>"nginx_grok_access_%{+YYYY.MM.dd}"
  }
}
EOF
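To see what the json filter of 3.6.2 and the grok pattern of 3.7.2 actually extract, and what happens to lines that fit neither format, here is an added Python parser (not part of this note and not Logstash code). The regex is a hand translation of the grok pattern with the same field names; `\S+` stands in for %{IPORHOST} and the query group is a simplified %{URIPARAM}, both assumptions of this example. Failures are reported with the same tags Logstash's json and grok filters add (`_jsonparsefailure`, `_grokparsefailure`), which is what you would filter on in Kibana to find unparsed events. The sample lines are constructed; the first reuses the curl request from 3.5.2.

```python
import json
import re

# Hand translation of the grok pattern from 3.7.2. %{DATA} is grok's lazy
# `.*?`, %{NUMBER} a decimal number, %{HTTPDATE} the bracketed nginx date;
# `\S+` stands in for %{IPORHOST} and the optional query group is a
# simplified %{URIPARAM} (assumptions of this example, not grok's own
# definitions).
MAIN_RE = re.compile(
    r'^(?P<remote_ip>\S+) - (?P<user_name>.*?) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<http_method>\w+) (?P<url_path>/[^\s?"]*)(?P<url_query>\?[^\s"]*)? '
    r'HTTP/(?P<http_version>\d+(?:\.\d+)?)" (?P<status>\d+) (?P<bytes_sent>\d+) '
    r'"(?P<referrer>.*?)" "(?P<user_agent>.*?)" "(?P<x_forwarded_for>.*?)"$'
)

# Constructed sample input: the first line is the curl request shown in
# 3.5.2, the rest are made up for this example.
SAMPLE_LINES = [
    # nginx `main` format, plain request
    '192.168.174.20 - - [25/Apr/2025:15:29:19 +0800] "GET / HTTP/1.1" 200 7620 "-" "curl/7.76.1" "-"',
    # `main` format with a user, a query string, a referrer and X-Forwarded-For
    '192.168.174.20 - admin [25/Apr/2025:15:30:02 +0800] "GET /test1.html?x=1&y=2 HTTP/1.1" 404 153 "http://192.168.174.10/" "ApacheBench/2.3" "10.0.0.7"',
    # access_json format from 3.6.1 (nginx quotes every value, so status stays a string)
    '{"remote_addr":"192.168.174.20","remote_user":"-","time_local":"25/Apr/2025:15:31:00 +0800","request":"GET /test2.html HTTP/1.1","status":"200","body_bytes_sent":"6","http_referer":"-","http_user_agent":"curl/7.76.1","http_x_forwarded_for":"-"}',
    # a trailing comma before `}` (the mistake a log_format with a comma on
    # the last field produces) is not valid JSON
    '{"remote_addr":"192.168.174.20","http_x_forwarded_for":"-",}',
    # a line that matches neither format
    'nginx: [warn] this is not an access line',
]


def parse_access_line(line: str) -> dict:
    """Parse one access-log line the way the note's pipelines do.

    Lines that look like JSON go through json.loads (the json filter of
    3.6.2); everything else, plus JSON that failed to decode, is tried
    against the `main` format pattern (the grok filter of 3.7.2).
    """
    event = {"message": line, "tags": []}
    stripped = line.strip()
    if stripped.startswith("{"):
        try:
            event.update(json.loads(stripped))
            return event
        except json.JSONDecodeError:
            event["tags"].append("_jsonparsefailure")
    m = MAIN_RE.match(stripped)
    if m is None:
        event["tags"].append("_grokparsefailure")
        return event
    fields = m.groupdict()
    # The `:int` suffixes in the grok pattern convert these two fields.
    fields["status"] = int(fields["status"])
    fields["bytes_sent"] = int(fields["bytes_sent"])
    if fields["url_query"] is None:
        # grok adds the field only when the optional group matched
        del fields["url_query"]
    event.update(fields)
    return event


def parse_all(lines):
    return [parse_access_line(line) for line in lines]


def failures(events):
    """Events carrying a parse-failure tag: what to look at before dashboards."""
    return [e for e in events if e["tags"]]


if __name__ == "__main__":
    for e in parse_all(SAMPLE_LINES):
        fields = {k: v for k, v in e.items() if k not in ("message", "tags")}
        print(e["tags"] or "ok", "->", fields)
```

Two points this makes visible: the JSON format leaves `status` and `body_bytes_sent` as strings (nginx quotes every variable in that log_format), whereas the grok pattern's `:int` produces numbers that Kibana can aggregate, and a single malformed line does not stop the pipeline but lands in the index tagged, so a saved search on `tags:_grokparsefailure` or `tags:_jsonparsefailure` is worth keeping on the dashboard.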
3.7.3 Truncate the log and start Logstash
# truncate the log file so only main-format lines remain to be read
>/var/log/nginx/access.log
# start Logstash with the specified configuration file
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf
![[Pasted image 20250427105518.png]]
4. Install Filebeat
rpm -ivh filebeat-7.17.9-x86_64.rpm
4.1 Edit the Filebeat configuration file
4.1.1 Edit with vim:
vim /etc/filebeat/filebeat.yml
# change the following (shown as the resulting settings; in the stock file they are commented out or set differently):
filebeat.inputs:
- type: filestream
  id: my-nginx-id
  enabled: true
  paths:
    - /var/log/nginx/access.log
# send to Logstash on 174.20 instead of directly to Elasticsearch
output.logstash:
  hosts: ["192.168.174.20:5044"]
#output.elasticsearch:
#  hosts: ["localhost:9200"]
4.1.2 Edit with sed:
sed -i 's/ id: my-filestream-id/ id: my-nginx-id/' /etc/filebeat/filebeat.yml
sed -i 's/ enabled: false/ enabled: true/' /etc/filebeat/filebeat.yml
sed -i 's/\/var\/log\/\*\.log/\/var\/log\/nginx\/access\.log/' /etc/filebeat/filebeat.yml
sed -i 's/#output.logstash:/output.logstash:/' /etc/filebeat/filebeat.yml
sed -i 's/ #hosts: \["localhost:5044"\]/ hosts: \["192.168.174.20:5044"\]/' /etc/filebeat/filebeat.yml
sed -i 's/output.elasticsearch:/#output.elasticsearch:/' /etc/filebeat/filebeat.yml
sed -i 's/ hosts: \["localhost:9200"\]/# hosts: \["localhost:9200"\]/' /etc/filebeat/filebeat.yml
# restart the filebeat service
systemctl restart filebeat.service
systemctl enable filebeat.service
4.2 Transfer the Logstash package and pipeline configuration to 174.20
scp /root/logstash-7.17.9-x86_64.rpm 192.168.174.20:/root/
# on 174.20, install Logstash with rpm
rpm -ivh logstash-7.17.9-x86_64.rpm
# start the Logstash service
systemctl start logstash.service
# copy the pipeline file from 174.10 to 174.20
scp /etc/logstash/conf.d/nginx_access.conf 192.168.174.20:/etc/logstash/conf.d/nginx_access.conf
# on 174.20, change the index name. Note that the copied pipeline still uses a file input on /var/log/nginx/access.log, which only exists on 174.10; Filebeat in 4.1 ships to 174.20:5044, so the pipeline on 174.20 needs a beats input listening on port 5044 for the EFK path to receive events.
sed -i 's/index=>"nginx_grok_access_%{+YYYY\.MM\.dd}"/index=>"nginx_filebeat_grok_access_%{+YYYY\.MM\.dd}"/' /etc/logstash/conf.d/nginx_access.conf
4.3 Start Logstash with the specified configuration file
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf