Design and Implementation of a TB‑Scale Log Monitoring System Using the ELK Stack

The article introduces the challenges of log management in large‑scale micro‑service deployments, where hundreds of services generate terabytes of logs that are difficult to locate and analyze for troubleshooting, performance tuning, and business insights.

It proposes a unified solution that centralizes log collection, filtering, cleaning, and visualization, providing searchable interfaces, alerting, and dashboards to support both operations and development teams.

The architecture consists of FileBeat agents deployed on each service node to ingest application logs, MySQL slow‑query logs, Nginx logs, etc., publishing them to Kafka topics; Elastic APM agents collect request traces, SQL statements, CPU and memory metrics without requiring code changes; Prometheus gathers server‑level metrics.

Log data is streamed into a Kafka cluster with a short retention window (typically one hour) and then processed by a custom Log Streams service built on Kafka Streams, which applies dynamic filtering, cleaning, and enrichment rules configurable through a UI.

Default collection of all Error‑level logs.

Windowed collection of surrounding Info logs around error timestamps.

Per‑service configuration of up to 100 key logs.

Business‑specific slow‑SQL filtering and re‑ranking.

Dynamic throttling based on peak traffic, log level, and service weight.

Time‑window adjustments and index generation per service and log level.

For visualization, Grafana is used to display metrics from Prometheus and Elasticsearch, while Kibana provides APM‑specific analysis, offering comprehensive dashboards for real‑time monitoring and historical investigation.