A detailed installation and deployment guide for the Elastic Stack (ELK) + Redis: a step-by-step, hands-on deployment plan.
📋 System preparation
Environment requirements
- Operating system: Ubuntu 20.04/22.04 or CentOS 7/8 (this guide uses Ubuntu 22.04 as the example)
- Memory: at least 8 GB RAM (16 GB+ recommended for production)
- Disk: at least 20 GB of free space
- Java: JDK 11 or 17 (required by Elasticsearch)
📦 Deployment architecture topology
```text
┌──────────┐    ┌──────────┐    ┌──────────┐    ┌───────────────┐    ┌──────────┐
│ Filebeat │───▶│  Redis   │───▶│ Logstash │───▶│ Elasticsearch │───▶│  Kibana  │
│ (client) │    │ (buffer) │    │(process) │    │   (storage)   │    │   (UI)   │
└──────────┘    └──────────┘    └──────────┘    └───────────────┘    └──────────┘
 source hosts    buffer queue    processing      store and search     visualization
```
🔧 Step 1: Install Java
```bash
# Ubuntu/Debian
sudo apt update
sudo apt install openjdk-11-jdk -y
# CentOS/RHEL
sudo yum install java-11-openjdk-devel -y
# Verify the installation
java -version
```
📊 Step 2: Install and configure Redis
```bash
# 1. Install Redis
sudo apt install redis-server -y   # Ubuntu
# or
sudo yum install epel-release -y && sudo yum install redis -y   # CentOS
# 2. Edit the Redis configuration
sudo nano /etc/redis/redis.conf
```
Change the following settings in redis.conf:
```conf
# Listen on all interfaces (or on one specific IP)
bind 0.0.0.0
# Set a password (important!)
requirepass YourSecurePassword123
# Memory cap (adjust to the host)
maxmemory 2gb
# Eviction policy. Note: allkeys-lru evicts whole keys under memory pressure,
# and the log queue is one key, so a full Redis silently drops buffered logs;
# noeviction makes Filebeat back off and retry instead.
maxmemory-policy allkeys-lru
# Enable persistence
appendonly yes
# Log level
loglevel notice
```
```bash
# 3. Restart Redis
sudo systemctl restart redis
sudo systemctl enable redis
# 4. Test the connection
redis-cli
AUTH YourSecurePassword123
PING   # should return PONG
```
🗄️ Step 3: Install and configure Elasticsearch
```bash
# 1. Import the Elasticsearch GPG key
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
# 2. Add the Elasticsearch repository
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update
# 3. Install Elasticsearch
sudo apt install elasticsearch -y
# 4. Configure Elasticsearch
sudo nano /etc/elasticsearch/elasticsearch.yml
```
elasticsearch.yml configuration:
```yaml
# Cluster name
cluster.name: elk-cluster
# Node name
node.name: node-1
# Data directory
path.data: /var/lib/elasticsearch
# Log directory
path.logs: /var/log/elasticsearch
# Bind address (the server's IP, or 0.0.0.0)
network.host: 0.0.0.0
# HTTP port
http.port: 9200
# Initial master-eligible nodes
cluster.initial_master_nodes: ["node-1"]
# Security features (optional but recommended)
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Note: a fresh 8.x package install also writes xpack.security.http.ssl and
# transport.ssl blocks into this file. The later steps talk plain http://, so
# either set xpack.security.http.ssl.enabled: false or point curl, Logstash
# and Kibana at https:// with the generated CA.
# Allow cross-origin requests
http.cors.enabled: true
http.cors.allow-origin: "*"
```
```bash
# 5. JVM heap size (adjust to RAM)
sudo nano /etc/elasticsearch/jvm.options
# Change these lines (about half of total RAM, never more than 32 GB):
-Xms2g
-Xmx2g
# 6. Start Elasticsearch
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
# 7. Verify the installation
curl -X GET "localhost:9200/" -u elastic
# On first run, reset the elastic user's password
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i
```
🔄 Step 4: Install and configure Logstash
```bash
# 1. Install Logstash
sudo apt install logstash -y
# 2. Create the Logstash pipeline file
sudo mkdir -p /etc/logstash/conf.d
sudo nano /etc/logstash/conf.d/redis-to-es.conf
```
redis-to-es.conf configuration:
```ruby
input {
  redis {
    host      => "localhost"               # Redis server address
    port      => 6379                      # Redis port
    password  => "YourSecurePassword123"   # Redis password
    db        => 0                         # Redis database index
    key       => "filebeat-logs"           # Redis list key
    data_type => "list"                    # consume a list
    threads   => 4                         # reader threads
  }
}
filter {
  # Parse the message directly when it is a JSON document
  if [message] =~ /^\{.*\}$/ {
    json {
      source       => "message"
      remove_field => ["message"]
    }
  }
  # Set the event timestamp
  date {
    match  => ["timestamp", "ISO8601"]
    target => "@timestamp"
  }
  # Add host information
  mutate {
    add_field => {
      "host_ip" => "%{host}"
      "agent"   => "logstash"
    }
  }
  # Drop fields we do not need
  # (note: "tags" is also where json/date record _jsonparsefailure and
  # _dateparsefailure, so removing it hides parse errors from Kibana)
  mutate {
    remove_field => ["@version", "tags"]
  }
}
output {
  # Write to Elasticsearch
  elasticsearch {
    hosts    => ["localhost:9200"]
    index    => "logs-%{+YYYY.MM.dd}"      # one index per day
    user     => "elastic"
    password => "YourElasticPassword"      # Elasticsearch password
    ssl      => false
    ssl_certificate_verification => false
  }
  # Also print to the console (debugging only; remove in production)
  stdout {
    codec => rubydebug
  }
}
```
```bash
# 3. Test the pipeline file
sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash -f /etc/logstash/conf.d/redis-to-es.conf --config.test_and_exit
# 4. Start Logstash
sudo systemctl enable logstash
sudo systemctl start logstash
# 5. Watch the log
sudo tail -f /var/log/logstash/logstash-plain.log
```
📁 Step 5: Install and configure Filebeat
Install on the application servers:
```bash
# 1. Install Filebeat
sudo apt install filebeat -y
# 2. Configure Filebeat
sudo nano /etc/filebeat/filebeat.yml
```
filebeat.yml configuration:
```yaml
# Filebeat configuration
filebeat.inputs:
  - type: filestream
    id: syslog
    enabled: true
    paths:
      - /var/log/*.log
      - /var/log/syslog
      - /var/log/messages
      - /var/log/nginx/*.log     # if Nginx is installed
      - /var/log/apache2/*.log   # if Apache is installed
    # Drop lines
    exclude_lines: ['^DEBUG']
    # Multi-line handling (e.g. Java stack traces). The filestream input
    # takes this as a parser; the log-input style multiline.* keys are not
    # valid here.
    parsers:
      - multiline:
          type: pattern
          pattern: '^\s'
          negate: false
          match: after
# ============== Output to Redis ==============
output.redis:
  enabled: true
  hosts: ["your-redis-server-ip:6379"]   # Redis server address
  password: "YourSecurePassword123"      # Redis password
  key: "filebeat-logs"                   # must match the key in the Logstash config
  db: 0
  timeout: 5
  datatype: list                         # push onto a list
# ============== Processors ==============
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
# ============== Logging ==============
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
```
```bash
# 3. Test the configuration
sudo filebeat test config
# (filebeat test output additionally checks that the Redis output is reachable)
# 4. Start Filebeat
sudo systemctl enable filebeat
sudo systemctl start filebeat
# 5. Check the status
sudo systemctl status filebeat
```
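A consistency check for the contract between the two ends of the queue, added here as an example (it is not part of the original guide): it reads the Filebeat output.redis block and the Logstash redis input and confirms they agree on key, db and list type, the three settings that, when mismatched, leave both services running with no errors and no data. The extractors assume the flat "key: value" / "key => value" layout used in this guide; the sample files it writes are constructed for the demo.

```bash
#!/bin/bash
# Added example (not part of the guide): confirm that Filebeat's output.redis
# block and Logstash's redis input agree on key, db and list type. When they
# differ, both services run without errors but nothing reaches Elasticsearch.
# The two extractors assume the flat "key: value" / "key => value" layout
# used in this guide. Sample files below are constructed for the demo.
set -eu

# Value of an option in the Filebeat YAML (e.g. key, db, datatype), without quotes or trailing comment
filebeat_redis_opt() {   # $1 = filebeat.yml  $2 = option name
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" \
        | head -n1 | sed 's/[[:space:]]*$//'
}

# Value of an option in the Logstash redis input (e.g. key, db, data_type)
logstash_redis_opt() {   # $1 = redis-to-es.conf  $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=>[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" \
        | head -n1 | sed 's/[[:space:]]*$//'
}

# 0 when both sides agree, 1 otherwise (each mismatch is printed). Missing db
# and type fall back to the defaults both tools use (0 and list).
redis_contract_ok() {    # $1 = filebeat.yml  $2 = redis-to-es.conf
    local rc=0 fb lg
    fb=$(filebeat_redis_opt "$1" key);       lg=$(logstash_redis_opt "$2" key)
    [ "$fb" = "$lg" ] || { echo "key mismatch: filebeat='$fb' logstash='$lg'"; rc=1; }
    fb=$(filebeat_redis_opt "$1" db);        lg=$(logstash_redis_opt "$2" db)
    [ "${fb:-0}" = "${lg:-0}" ] || { echo "db mismatch: filebeat='$fb' logstash='$lg'"; rc=1; }
    fb=$(filebeat_redis_opt "$1" datatype);  lg=$(logstash_redis_opt "$2" data_type)
    [ "${fb:-list}" = "${lg:-list}" ] || { echo "type mismatch: filebeat='$fb' logstash='$lg'"; rc=1; }
    return $rc
}

# Constructed sample configs: the guide's settings, plus a copy of the Logstash
# file with a typo in the key. Prints the directory they were written to.
make_samples() {
    local d; d=$(mktemp -d)
    printf 'output.redis:\n  hosts: ["10.0.0.5:6379"]\n  key: "filebeat-logs" # list key\n  db: 0\n  datatype: list\n' > "$d/filebeat.yml"
    printf 'input {\n  redis {\n    key => "filebeat-logs"\n    db => 0 # db index\n    data_type => "list"\n  }\n}\n' > "$d/good.conf"
    sed 's/filebeat-logs/filebeat_logs/' "$d/good.conf" > "$d/bad.conf"
    echo "$d"
}

if [ "${1:-}" = "--check" ]; then   # usage: ./redis-contract-check.sh --check /etc/filebeat/filebeat.yml /etc/logstash/conf.d/redis-to-es.conf
    redis_contract_ok "$2" "$3"
fi
```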
🌈 Step 6: Install and configure Kibana
```bash
# 1. Install Kibana
sudo apt install kibana -y
# 2. Configure Kibana
sudo nano /etc/kibana/kibana.yml
```
kibana.yml configuration:
```yaml
# Kibana server port
server.port: 5601
# Bind address
server.host: "0.0.0.0"
# Elasticsearch connection
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "YourElasticPassword"
# Language
i18n.locale: "zh-CN"   # Chinese UI
# Security settings (optional)
# (xpack.security.enabled is not accepted by Kibana 8.x and stops it from
# starting; security is switched on in Elasticsearch and Kibana follows it)
xpack.encryptedSavedObjects.encryptionKey: "something_at_least_32_characters"
```
```bash
# 3. Start Kibana
sudo systemctl enable kibana
sudo systemctl start kibana
# 4. Open Kibana
# In a browser, go to http://your-server-ip:5601
```
🧪 Step 7: Verify the full pipeline
Test the data flow:
```bash
# 1. Generate a test log line
echo "$(date): Test log message from ELK deployment" | sudo tee -a /var/log/syslog
# 2. Check the Redis queue
redis-cli -a YourSecurePassword123
> LLEN filebeat-logs          # queue length (0 is normal when Logstash keeps up; a growing number means it is falling behind)
> LRANGE filebeat-logs 0 5    # first 6 messages
# 3. Check the Elasticsearch indices
curl -X GET "localhost:9200/_cat/indices?v" -u elastic:YourElasticPassword
# You should see a logs-YYYY.MM.dd index
# 4. Check the Logstash log
sudo tail -f /var/log/logstash/logstash-plain.log
# 5. Check Filebeat's status (filebeat has no "status" subcommand; use systemd)
sudo systemctl status filebeat
```
🛠️ Step 8: Optimisation and security hardening
1. System tuning
```bash
# Raise the file-descriptor limit
echo "* soft nofile 65536" | sudo tee -a /etc/security/limits.conf
echo "* hard nofile 65536" | sudo tee -a /etc/security/limits.conf
# Virtual memory (required by Elasticsearch)
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
# Thread limits
echo "* soft nproc 4096" | sudo tee -a /etc/security/limits.conf
echo "* hard nproc 4096" | sudo tee -a /etc/security/limits.conf
```
2. Firewall configuration
```bash
# Open the required ports
sudo ufw allow 22/tcp     # SSH
sudo ufw allow 5601/tcp   # Kibana
sudo ufw allow 9200/tcp   # Elasticsearch HTTP
sudo ufw allow 9300/tcp   # Elasticsearch cluster transport
sudo ufw allow 6379/tcp   # Redis
sudo ufw allow 5044/tcp   # Filebeat (only if it ships straight to Logstash)
# 9200, 9300 and 6379 only need to be reachable from the stack's own hosts;
# "sudo ufw allow from <host-ip> to any port 6379 proto tcp" limits a rule to one source.
sudo ufw enable
```
3. Create a Kibana index pattern
- Open http://your-server-ip:5601
- Log in as the elastic user
- Go to Stack Management > Index Patterns
- Create the index pattern: logs-*
- Choose the time field: @timestamp
🔍 Troubleshooting
```bash
# 1. Check service status
sudo systemctl status elasticsearch logstash kibana redis filebeat
# 2. Read service logs
sudo journalctl -u elasticsearch -f
sudo tail -f /var/log/logstash/logstash-plain.log
sudo tail -f /var/log/kibana/kibana.log
# 3. Test connectivity
# Elasticsearch
curl -X GET "http://localhost:9200/_cluster/health?pretty" -u elastic
# Redis
redis-cli -a YourSecurePassword123 PING
# 4. Count open file descriptors
sudo lsof -u elasticsearch | wc -l
```
📊 Monitoring and maintenance script
Create the monitoring script /opt/elk-monitor.sh:
```bash
#!/bin/bash
echo "=== ELK Stack health check ==="
echo "Time: $(date)"
echo ""
echo "1. Elasticsearch status:"
# (passwords passed as arguments are visible in ps output; curl --netrc-file
# and the REDISCLI_AUTH environment variable avoid that)
curl -s "http://localhost:9200/_cluster/health?pretty" -u elastic:YourElasticPassword
echo ""
echo "2. Redis queue length:"
redis-cli -a YourSecurePassword123 LLEN filebeat-logs
echo ""
echo "3. Service status:"
for service in elasticsearch logstash kibana redis filebeat; do
    status=$(systemctl is-active "$service")
    echo "  $service: $status"
done
echo "4. Disk usage:"
df -h /var/lib/elasticsearch
echo "5. Memory usage:"
free -h
```
```bash
chmod +x /opt/elk-monitor.sh
# Add it to cron
echo "*/5 * * * * root /opt/elk-monitor.sh >> /var/log/elk-monitor.log" | sudo tee -a /etc/crontab
```
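The monitor above only prints. As an added example (not the guide's own script), here is a version whose checks return a status, so the cron entry can alert when the cluster is red, the Redis list grows past a threshold (Logstash falling behind or stopped), or today's index never appeared; it serves both the Step 7 verification and this monitoring script. BACKLOG_LIMIT and the credential environment variables are assumptions, and the sample outputs in the comments are constructed.

```bash
#!/bin/bash
# Added example (not the guide's own script): the checks from /opt/elk-monitor.sh
# turned into functions that return a status, so cron or a monitoring agent can
# alert instead of a human reading the log. The parsers take raw command output
# as an argument, so they run without a live stack. Assumed: the guide's
# Redis key and index prefix; BACKLOG_LIMIT is an illustrative threshold.
set -eu

REDIS_KEY="filebeat-logs"
BACKLOG_LIMIT=10000     # queued events before Logstash counts as falling behind

# Cluster status word from a _cluster/health JSON body: green | yellow | red | unknown
es_status() {           # $1 = JSON text
    local s
    s=$(printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p')
    echo "${s:-unknown}"
}

# 0 for green or yellow (yellow is normal on a single node), 1 for red or garbage
es_ok() { case "$(es_status "$1")" in green|yellow) return 0 ;; *) return 1 ;; esac; }

# 0 when the Redis list length (LLEN output) is below the limit. A growing
# value means Filebeat produces faster than Logstash drains the queue.
backlog_ok() {          # $1 = LLEN output, e.g. "(integer) 42" or "42" (constructed samples)
    local n; n=$(printf '%s' "$1" | tr -dc '0-9')
    [ -n "$n" ] && [ "$n" -lt "$BACKLOG_LIMIT" ]
}

# 0 when the daily index for the given date exists in _cat/indices output
index_ok() {            # $1 = _cat/indices text  $2 = date as YYYY.MM.dd
    printf '%s\n' "$1" | grep -q "logs-$2"
}

# Live run; credentials come from the environment so they do not appear in ps output
live_check() {
    local rc=0 today; today=$(date +%Y.%m.%d)
    local es="http://localhost:9200" auth="elastic:${ELASTIC_PASSWORD:?set ELASTIC_PASSWORD}"
    es_ok "$(curl -s -u "$auth" "$es/_cluster/health")" || { echo "ES not green/yellow"; rc=1; }
    backlog_ok "$(REDISCLI_AUTH="${REDIS_PASSWORD:?set REDIS_PASSWORD}" redis-cli LLEN "$REDIS_KEY")" \
        || { echo "Redis backlog over $BACKLOG_LIMIT"; rc=1; }
    index_ok "$(curl -s -u "$auth" "$es/_cat/indices")" "$today" || { echo "no logs-$today index"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it as `ELASTIC_PASSWORD=... REDIS_PASSWORD=... /opt/elk-check.sh --live` from cron; a non-zero exit is the alert condition.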
🚀 Quick deployment script (single node)
Create the one-shot install script install-elk-redis.sh:
```bash
#!/bin/bash
# ELK + Redis single-node quick deployment script
set -e
ELK_VERSION="8.11.0"
REDIS_PASSWORD="ChangeMe123"
echo "Deploying ELK Stack + Redis..."
# Dependencies
apt update
apt install -y wget curl gnupg2 apt-transport-https openjdk-11-jdk
# Redis
apt install -y redis-server
sed -i "s/^# requirepass .*/requirepass $REDIS_PASSWORD/" /etc/redis/redis.conf
systemctl restart redis
# Elasticsearch (same signed-by keyring as Step 3; apt-key is deprecated)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --batch --yes --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" > /etc/apt/sources.list.d/elastic-8.x.list
apt update
apt install -y elasticsearch
# Minimal configuration (this replaces the package's file, so the data and log
# paths must be restated or the service cannot write under /usr/share/elasticsearch)
cat > /etc/elasticsearch/elasticsearch.yml << EOF
cluster.name: elk-single-node
node.name: single-node
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
cluster.initial_master_nodes: ["single-node"]
xpack.security.enabled: true
EOF
systemctl start elasticsearch
sleep 30
# Set the elastic password (8.x: reset-password replaces the deprecated setup-passwords;
# -a auto-generate, -b no prompts, -s print only the password)
ELASTIC_PASSWORD=$(/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -a -b -s)
echo "elastic password: $ELASTIC_PASSWORD"
# Logstash
apt install -y logstash
# Kibana
apt install -y kibana
# Filebeat
apt install -y filebeat
echo "Deployment complete!"
echo "Kibana: http://$(hostname -I | awk '{print $1}'):5601"
```
💡 Production recommendations
- Separate deployment: put the components on different servers, Redis and Elasticsearch in particular
- Clustering: at least 3 Elasticsearch nodes, and Redis master/replica replication
- Monitoring: use the Elastic Stack's own monitoring features or Prometheus
- Backups: take Elasticsearch snapshots and back up the Redis RDB/AOF files regularly
- Upgrade order: Filebeat first, then Kibana, then Elasticsearch last
This deployment plan covers the basic configuration from a single-node test environment through to production. Adjust the parameters to your own requirements (log volume, performance, security level).