Linux架构篇、第四章_ELK与EFK-7.17.9的日志管理

Linux_基础篇

欢迎来到Linux的世界，看笔记好好学多敲多打，每个人都是大神！

题目：ELK与EFK-7.17.9的日志管理

版本号: 1.0,0
作者: @老王要学习
日期: 2025.04.25
适用环境: Centos7

文档说明

本文档围绕 CentOS 7 环境下部署 ELK（Elasticsearch+Kibana+Logstash）与 EFK（Elasticsearch+Kibana+Filebeat）日志管理系统展开，详细记录了版本为 7.17.9 的组件安装、配置及优化过程。内容涵盖环境准备、各组件部署步骤、数据收集配置、可视化操作及性能优化方法，并提供了具体命令和配置示例，适用于系统管理员参考使用

环境准备

硬件要求

• 服务器： 2核CPU、2GB内存，20GB硬盘空间
• 网络： 确保服务器具有固定的IP地址，并且防火墙允许FTP端口（默认22端口）的通信

软件要求

• 操作系统：Centos7
• FTP软件：SecureCRT
• 软件包：elasticsearch-7.17.9、kibana-7.17.9、logstash-7.17.9、filebeat-7.17.9

---

一、部署elasticstack在174.20

1.1下载ELK包

#web01安装如下
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.17.9/filebeat-7.17.9-x86_64.rpm
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.17.9/logstash-7.17.9-x86_64.rpm#ELK02安装如下
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.17.9/elasticsearch-7.17.9-x86_64.rpm
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.17.9/kibana-7.17.9-x86_64.rpm

ELK02安装elasticsearch

rpm -ivh elasticsearch-7.17.9-x86_64.rpm 

查看elasticsearch .yml位置

rpm -qc elasticsearch 

1.2编辑elasticsearch .yml文件修改

1.2.1方法一vim进入修改如下：

vim/etc/elasticsearch/elasticsearch.yml
#集群名称自定义
cluster.name: my-elk#本机主机名
node.name: elk02path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearchbootstrap.memory_lock: false#主机IP
network.host: 192.168.174.20 
http.port: 9200#本机主机名
discovery.seed_hosts: ["elk02"]
cluster.initial_master_nodes: ["elk02"]

1.2.2方法二sed替换如下：

#修改如下：
sed -i 's/#cluster.name: my-application/cluster.name: my-elk/' /etc/elasticsearch/elasticsearch.yml#修改本机主机名
sed -i 's/#node.name: node-1/node.name: elk02/' /etc/elasticsearch/elasticsearch.yml#修改#bootstrap.memory_lock为false
sed -i 's/#bootstrap.memory_lock: true/bootstrap.memory_lock: false/' /etc/elasticsearch/elasticsearch.yml#修改#network.host为本机ip174.20
sed -i 's/#network.host: 192.168.0.1/network.host: 192.168.174.20/' /etc/elasticsearch/elasticsearch.yml#打开#http.port: 9200
sed -i 's/#http.port: 9200/http.port: 9200/' /etc/elasticsearch/elasticsearch.yml#修改为本机主机名
sed -i 's/#discovery.seed_hosts: \["host1", "host2"\]/discovery.seed_hosts: \["elk02"\]/' /etc/elasticsearch/elasticsearch.ymlsed -i 's/#cluster.initial_master_nodes: \["node-1", "node-2"\]/cluster.initial_master_nodes: \["elk02"\]/' /etc/elasticsearch/elasticsearch.yml

1.3重载并重启elasticsearch.service

systemctl daemon-reload 
systemctl restart elasticsearch.service 
systemctl enable elasticsearch.service

二、部署kibana在主机 174.20

2.1rpm安装kibana

rpm -ivh kibana-7.17.9-x86_64.rpm

2.2修改kibana.yml文件

2.2.1方法一vim进入修改如下：

vim /etc/kibana/kibana.yml
#启用
server.port: 5601#修改为本机主机名
server.host: "elk02"
server.name: "elk02" #修改es地址为本机ip的9200端口
elasticsearch.hosts: ["http://192.168.174.20:9200"]
kibana.index: ".kibana"#设置中文
i18n.locale: "zh-CN"

2.2.2方法二sed替换如下：

sed -i 's/#server.port: 5601/server.port: 5601/' /etc/kibana/kibana.ymlsed -i 's/#server.host: "localhost"/server.host: "elk02"/' /etc/kibana/kibana.ymlsed -i 's/#server.name: "your-hostname"/server.name: "elk02"/' /etc/kibana/kibana.ymlsed -i 's|#\s*elasticsearch\.hosts:\s*\["http://localhost:9200"\]|elasticsearch.hosts: ["http://192.168.174.20:9200"]|' /etc/kibana/kibana.ymlsed -i 's/#kibana.index: ".kibana"/kibana.index: ".kibana"/' /etc/kibana/kibana.ymlsed -i 's|#i18n.locale: "en"|i18n.locale: "zh-CN"|' /etc/kibana/kibana.yml

2.3重载并重启

systemctl daemon-reload 
systemctl restart kibana.service 
systemctl enable kibana.service 

三、部署logstash在主机174.10

3.1rpm安装logstash

rpm -ivh logstash-7.17.9-x86_64.rpm 

3.2自定义Logstash配置文件

cat>/etc/logstash/conf.d/mymessage.conf<<EOF
input{
file{
path=>["/var/log/messages"]
start_position=>"beginning"
}
}
output{
elasticsearch{
hosts=>"http://192.168.174.20:9200"
index=>"messages-%{+yyyy.MM.dd}"
}
}
EOF

3.3启动 Logstash 并使用指定配置文件

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/mymessage.conf

3.4访问elastic进行配置

http://192.168.174.20:5601

3.4.1左上角三条斜杠——Stack Management——数据——索引管理——看到messages-2025.04.25添加成功

![[Pasted image 20250425164356.png]]

3.4.2kibana——索引模式——创建索引模式

![[Pasted image 20250425164804.png]]

3.4.3名字(匹配索引)——messages*——时间戳字段——@timestamp——创建索引模式

![[Pasted image 20250425164928.png]]

3.4.4Analytics——Discover——查看柱状图

![[Pasted image 20250425165323.png]]

3.4.5Analytics——Dashboard——创建仪表板——创建可视化

![[Pasted image 20250425165523.png]]

3.4.6——messages*——message.keyword——保存并返回

![[Pasted image 20250425170132.png]]

3.4.7测试查看计数变化

#创建2个用户
useradd user1
useradd user2#登录用户并退出，查看计数变化
su - user1
exitsu - user2
exit

![[Pasted image 20250425171259.png]]

3.5安装NGINX检测变化

3.5.1安装NGINX写入2个网页

dnf -y install nginx
systemctl start nginx
echo "test1" >> /usr/share/nginx/html/test1.html
echo "test2" >> /usr/share/nginx/html/test2.html

3.5.2在174.20使用curl访问192.168.174.10查看日志变化

curl 192.168.174.10cat access.log 输出结果如下：
192.168.174.20 - - [25/Apr/2025:15:29:19 +0800] "GET / HTTP/1.1" 200 7620 "-" "curl/7.76.1" "-"

3.5.3创建NGINX数据收集配置文件

cat>/etc/logstash/conf.d/ngx_access.conf<<EOF
input{
file{   
path=>["/var/log/nginx/access.log"]
start_position=>"beginning"
}
}
output{
elasticsearch{
hosts=>"http://192.168.174.20:9200"
index=>"myngx_access--%{+yyyy.MM.dd}"
}
}
EOF#启动 Logstash 并使用指定配置文件
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf

3.5.4在174.20安装httpd进行压力测试

dnf -y install httpd-toolsab -c 10 -n 100 http://192.168.174.10/

3.5.5同上步骤进行创建可视化查看测试变化

![[Pasted image 20250425172502.png]]
![[Pasted image 20250425172525.png]]

3.6对NGINX数据收集进行优化

3.6.1修改NGINX配置文件并重启

vim /etc/nginx/nginx.conf
#添加如下：log_format  access_json  '{''"remote_addr":"$remote_addr",''"remote_user":"$remote_user",''"time_local":"$time_local",''"request":"$request",''"status":"$status",''"body_bytes_sent":"$body_bytes_sent",''"http_referer":"$http_referer",''"http_user_agent":"$http_user_agent"''"http_x_forwarded_for":"$http_x_forwarded_for",''}';access_log  /var/log/nginx/access.log  access_json;#重启nginx 
systemctl restart nginx

3.6.2优化logstash收集NGINX数据，加json插件

cat>/etc/logstash/conf.d/nginx_access.conf<<EOF
input{
file{   
path=>["/var/log/nginx/access.log"]
start_position=>"beginning"
}
}
filter{
json{
source=>"message"
}
}
output{
elasticsearch{
hosts=>"http://192.168.174.20:9200"
index=>"mynginx_access--%{+yyyy.MM.dd}"
}
}
EOF

3.6.3清空日志并启动 Logstash

#清空日志文件
>/var/log/nginx/access.log #启动 Logstash 并使用指定配置文件
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf

3.7使用grok格式

3.7.1修改nginx.conf文件

vim /etc/nginx/nginx.conf
#修改如下：access_log  /var/log/nginx/access.log  main;#重启nginx 
systemctl restart nginx

3.7.2优化logstash收集NGINX数据，加grok插件

cat>/etc/logstash/conf.d/nginx_access.conf<<EOF
input{
file{
path=>["/var/log/nginx/access.log"]
start_position=>"beginning"
}
}
filter{
grok{
match=>{
"message"=>['%{IPORHOST:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:timestamp}\] "%{WORD:http_method} %{URIPATH:url_path}(?:%{URIPARAM:url_query})? HTTP/%{NUMBER:http_version}" %{NUMBER:status:int} %{NUMBER:bytes_sent:int} "%{DATA:referrer}" "%{DATA:user_agent}" "%{DATA:x_forwarded_for}"']
}
}
}
output{
elasticsearch{
hosts=>"http://192.168.174.20:9200"
index=>"nginx_grok_access_%{+YYYY.MM.dd}"
}
}
EOF

3.7.3清空日志并启动 Logstash

#清空日志文件
>/var/log/nginx/access.log #启动 Logstash 并使用指定配置文件
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf

![[Pasted image 20250427105518.png]]

四、安装filebeat

rpm -ivh filebeat-7.17.9-x86_64.rpm 

4.1修改filebeat配置文件

4.1.1vim修改：

vim /etc/filebeat/filebeat.yml 
#修改如下：
id: my-nginx-idenabled: trueoutput.logstash:#hosts: ["localhost:5044"]/  #hosts: ["192.168.174.20:5044"]#output.elasticsearch:#  hosts: ["localhost:9200"]

4.1.2sed修改：

sed -i 's/  id: my-filestream-id/  id: my-nginx-id/' /etc/filebeat/filebeat.ymlsed -i 's/  enabled: false/  enabled: true/' /etc/filebeat/filebeat.ymlsed -i 's/\/var\/log\/\*\.log/\/var\/log\/nginx\/access\.log/' /etc/filebeat/filebeat.ymlsed -i 's/#output.logstash:/output.logstash:/' /etc/filebeat/filebeat.ymlsed -i 's/  #hosts: \["localhost:5044"\]/  hosts: \["192.168.174.20:5044"\]/' /etc/filebeat/filebeat.ymlsed -i 's/output.elasticsearch:/#output.elasticsearch:/' /etc/filebeat/filebeat.ymlsed -i 's/  hosts: \["localhost:9200"\]/#  hosts: \["localhost:9200"\]/' /etc/filebeat/filebeat.yml#重启filebeat服务
systemctl restart filebeat.service 
systemctl enable filebeat.service 

4.2为174.20传输logstash相关配置

scp /root/logstash-7.17.9-x86_64.rpm 192.168.174.20:/root/#进入174.20rpm安装logstash
rpm -ivh logstash-7.17.9-x86_64.rpm#启动logstash服务
systemctl start logrotate.service #拷贝10文件到20 
scp /etc/logstash/conf.d/nginx_access.conf 192.168.174.20:/etc/logstash/conf.d/nginx_access.conf#修改索引名字
sed -i 's/index=>"nginx_grok_access_%{+YYYY\.MM\.dd}"/index=>"nginx_filebeat_grok_access_%{+YYYY\.MM\.dd}"/' /etc/logstash/conf.d/nginx_access.conf

4.3启动 Logstash 并使用指定配置文件

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf