Mastering ELK: Step-by-Step Guide to Deploying a Full-Scale Log Analysis System
This article provides a comprehensive walkthrough of the ELK stack—Elasticsearch, Logstash, and Kibana—detailing its architecture, core concepts, and step-by-step deployment on a multi-node environment, including configuration, service setup, plugin installation, and troubleshooting tips for effective log analysis.
1. ELK
1. ELK Log Analysis System
The ELK log analysis system is a collection of the open-source software Logstash, Elasticsearch and Kibana. Presented externally as an open-source log management solution, it can search, analyze and visualize logs from any source and in any format.
2. Components of the ELK Log Analysis System
elasticsearch (es): built as a cluster; stores and indexes log data;
logstash: collects logs and hands them to es for storage;
kibana: presents log information graphically, in a more user-friendly way.
3. Log Processing Steps
1. Centralize log management (beats)
2. Format the logs (Logstash), then output the formatted data to Elasticsearch
3. Index and store the formatted data (Elasticsearch)
4. Display the data in the front end (Kibana)
4. Elasticsearch
Elasticsearch: provides a distributed, multi-tenant full-text search engine. Developed in Java and designed for use in cloud computing, it delivers real-time search and is stable, reliable, fast, and easy to install and use.
Core concepts:
1. Near real time (NRT): the delay from indexing a document until it can be searched is typically one second.
2. Cluster: one or more nodes that together hold all the data and provide indexing and search.
3. Node: a single server in the cluster that stores data and participates in indexing and search.
4. Index (type): a logical classification or partition, similar to a table in a relational database.
5. Shards and replicas: an index can be split into multiple shards, each a complete index in its own right that can live on a different node; replicas provide redundancy and high availability.
By default each index has 5 primary shards and 1 replica (with two or more nodes this works out to 5 primaries + 5 replicas).
5. LogStash
A powerful data processing tool that handles data transport, format processing and formatted output: data input (from the business systems), data processing (filtering, rewriting, etc.) and data output (to the Elasticsearch cluster).
Main components:
- shipper: the log collector; watches local log files for changes and collects the newest content.
- indexer: the log storer; receives logs and writes them to local files.
- broker: the log hub; connects multiple shippers and indexers.
- search and storage: allows events to be searched and stored.
- web interface: a web-based display interface.
6. Kibana
An open-source analytics and visualization platform for Elasticsearch. It searches and browses the data stored in Elasticsearch indices and performs advanced data analysis and presentation with a variety of charts.
Main features:
- Seamless integration with Elasticsearch
- Data consolidation, with support for complex data analysis
- Gives team members the benefits of visualization
- Flexible interface, easy to share
- Simple configuration, visualization of multiple data sources
- Simple data export
2. Deploying the ELK Log Analysis System
Environment:
node1 192.168.118.13
node2 192.168.118.14
apache 192.168.118.128
1. Disable firewall and core protection
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
2. Configure Elasticsearch environment
echo '192.168.118.13 node1' >> /etc/hosts
echo '192.168.118.14 node2' >> /etc/hosts
java -version   # if Java is not installed: yum -y install java
3. Deploy Elasticsearch software
1) Install the elasticsearch rpm package
cd /opt
rpm -ivh elasticsearch-5.5.0.rpm
2) Load the system service
systemctl daemon-reload
systemctl enable elasticsearch.service
3) Edit the main configuration file (/etc/elasticsearch/elasticsearch.yml)
cluster.name: my-elk-cluster
node.name: node1
path.data: /data/elk_data
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: false
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["node1", "node2"]
4) Create the data directory and set its ownership
mkdir -p /data/elk_data
chown elasticsearch:elasticsearch /data/elk_data/
5) Start and check
systemctl start elasticsearch
netstat -antp | grep 9200
6) View node information (open http://192.168.118.13:9200 and so on in a browser)
4. Install elasticsearch-head plugin
1) Compile and install the node dependency
yum -y install gcc gcc-c++ make
cd /opt
tar zxvf node-v8.2.1.tar.gz
cd node-v8.2.1/
./configure && make && make install
2) Install phantomjs
cd /opt
tar jxf phantomjs-2.1.1-linux-x86_64.tar.bz2 -C /usr/local/src/
cp /usr/local/src/phantomjs-2.1.1-linux-x86_64/bin/phantomjs /usr/local/bin
3) Install elasticsearch-head
cd /opt
tar zxf elasticsearch-head.tar.gz -C /usr/local/src/
cd /usr/local/src/elasticsearch-head/
npm install
4) Edit elasticsearch.yml to enable cross-origin requests
http.cors.enabled: true
http.cors.allow-origin: "*"
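Before restarting, it is worth seeing what these settings expose. The following is an added example, not code from the article: a stdlib-only Python audit of the flat `key: value` settings above, next to a hardened counterpart. The hardened values (node1's own address as the bind address, the head plugin's origin as the only allowed CORS origin, and `xpack.security.enabled` for authentication) are assumptions for illustration.

```python
"""Audit the elasticsearch.yml from this guide for exposure risks (added example,
not the article's code). Parses only the flat `key: value` lines the file uses."""
# Constructed copy of the exposure-relevant settings the guide writes, CORS included.
GUIDE_YML = """
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["node1", "node2"]
http.cors.enabled: true
http.cors.allow-origin: "*"
"""
# Same file with the exposure fixed (assumed values): bind to the node's own address,
# allow only the head plugin's origin, and turn on authentication (X-Pack on 5.x).
HARDENED_YML = """
network.host: 192.168.118.13
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "http://192.168.118.13:9100"
xpack.security.enabled: true   # requires the X-Pack plugin on Elasticsearch 5.x
"""
# Bind values that expose the HTTP API beyond the local machine.
WIDE_BINDS = {"0.0.0.0", "::", "_global_", "_site_"}

def parse_flat_yaml(text):
    """Read dotted `key: value` lines; skip comments and blank lines; strip quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings

def audit(settings):
    """Return (severity, setting, reason) for each risky setting found."""
    findings = []
    host = settings.get("network.host", "_local_")  # ES default binds loopback only
    if host in WIDE_BINDS:
        findings.append(("high", "network.host", "bound to %s: port %s is reachable from any host"
                         % (host, settings.get("http.port", "9200"))))
    if settings.get("http.cors.enabled") == "true" and settings.get("http.cors.allow-origin") == "*":
        findings.append(("high", "http.cors.allow-origin",
                         "any web page a user's browser visits may send requests to the cluster"))
    if settings.get("xpack.security.enabled") != "true":
        findings.append(("high", "xpack.security.enabled",
                         "no authentication: every client that reaches the port has full read/write access"))
    return findings
```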
5) Restart elasticsearch and start head
systemctl restart elasticsearch.service
cd /usr/local/src/elasticsearch-head/
npm run start &
# listens on port 9100
6) Open http://<node_ip>:9100 in a browser and enter the Elasticsearch address (e.g. http://192.168.118.13:9200) in the interface
5. Install Logstash
1) Install httpd and Java on the Apache host
yum -y install httpd
systemctl start httpd
yum -y install java
2) Install logstash
cd /opt
rpm -ivh logstash-5.5.1.rpm
systemctl start logstash.service
systemctl enable logstash.service
ln -s /usr/share/logstash/bin/logstash /usr/local/bin/
3) Test the logstash command
logstash -e 'input { stdin{} } output { stdout{} }'
logstash -e 'input { stdin{} } output { stdout{ codec=>rubydebug } }'
logstash -e 'input { stdin{} } output { elasticsearch { hosts=>["192.168.118.13:9200"] } }'
4) Configure the system log input on the Apache host
vim /etc/logstash/conf.d/system.conf
input {
  # the logstash service user must be able to read this file
  file { path => "/var/log/messages" type => "system" start_position => "beginning" }
}
output {
  elasticsearch { hosts => ["192.168.118.13:9200"] index => "system-%{+YYYY.MM.dd}" }
}
systemctl restart logstash.service
# open http://192.168.118.13:9100 in a browser to view the index information
6. Install Kibana
1) Install kibana on node1
cd /opt
rpm -ivh kibana-5.5.1-x86_64.rpm
2) Configure kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://192.168.118.13:9200"   # node1's Elasticsearch, per the environment above
kibana.index: ".kibana"
3) Start kibana
systemctl start kibana.service
systemctl enable kibana.service
# open http://192.168.118.13:5601 in a browser
4) Connect the Apache logs
vim /etc/logstash/conf.d/apache_log.conf
input {
  file { path => "/etc/httpd/logs/access_log" type => "access" start_position => "beginning" }
  file { path => "/etc/httpd/logs/error_log"  type => "error"  start_position => "beginning" }
}
output {
  if [type] == "access" {
    elasticsearch { hosts => ["192.168.118.13:9200"] index => "apache_access-%{+YYYY.MM.dd}" }
  }
  if [type] == "error" {
    elasticsearch { hosts => ["192.168.118.13:9200"] index => "apache_error-%{+YYYY.MM.dd}" }
  }
}
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/apache_log.conf
# visit http://192.168.118.128 to generate log entries, then view them in Kibana
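As an added example (not the article's or Logstash's code), the apache_log.conf pipeline above modelled in Python on constructed sample lines. It goes a step beyond the config by parsing access_log lines into fields the way a grok filter would, and shows that `%{+YYYY.MM.dd}` takes the index date from @timestamp in UTC, so a late-evening local request lands in the next day's index; the sample lines and ingest time are constructed, not real traffic.

```python
"""Python model of this guide's apache_log.conf pipeline (added example, not the
article's code): tag lines by type, parse access_log lines into fields as a grok
filter would, and pick the daily index the way %{+YYYY.MM.dd} does."""
import re
from datetime import datetime, timezone
# Simplified equivalent of grok's COMBINEDAPACHELOG pattern (common-log fields).
ACCESS_RE = re.compile(
    r'(?P<clientip>\S+) \S+ (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+) (?P<httpversion>[^"]+)" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-)')
# Constructed sample lines (not real traffic) in the format Apache writes.
ACCESS_LINES = [
    '192.168.118.50 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326',
    '192.168.118.51 - - [10/Oct/2000:20:55:36 -0700] "GET /admin.php HTTP/1.1" 404 -',
]
ERROR_LINES = ['[Tue Oct 10 20:55:36.123456 2000] [core:error] [pid 1234] '
               '[client 192.168.118.51:40000] File does not exist: /var/www/html/admin.php']
# Constructed ingest time; Logstash uses it as @timestamp when no date filter runs.
RECEIVED_AT = datetime(2000, 10, 11, 4, 0, tzinfo=timezone.utc)

def index_name(prefix, ts):
    # %{+YYYY.MM.dd} formats @timestamp in UTC: late-evening local events land in the next day's index.
    return "%s-%s" % (prefix, ts.astimezone(timezone.utc).strftime("%Y.%m.%d"))

def parse_access(line, received_at):
    """One access_log line -> event with type=access and parsed fields."""
    m = ACCESS_RE.match(line)
    if not m:  # grok tags unparseable events instead of dropping them
        return {"type": "access", "message": line, "@timestamp": received_at, "tags": ["_grokparsefailure"]}
    ev = m.groupdict()
    ev["@timestamp"] = datetime.strptime(ev.pop("timestamp"), "%d/%b/%Y:%H:%M:%S %z")
    ev["response"], ev["bytes"] = int(ev["response"]), (0 if ev["bytes"] == "-" else int(ev["bytes"]))
    return dict(ev, type="access", message=line)

def parse_error(line, received_at):
    """error_log lines stay raw, as in the guide's config (no filter block)."""
    return {"type": "error", "message": line, "@timestamp": received_at}

def route(event):
    """The `if [type] == ...` output block: choose the index per event type."""
    prefix = {"access": "apache_access", "error": "apache_error"}[event["type"]]
    return index_name(prefix, event["@timestamp"])

def pipeline(access_lines, error_lines, received_at):
    """Return {index_name: [events]} as the two elasticsearch outputs would write."""
    out = {}
    for ev in ([parse_access(l, received_at) for l in access_lines]
               + [parse_error(l, received_at) for l in error_lines]):
        out.setdefault(route(ev), []).append(ev)
    return out
```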
Raymond Ops