ELK Stack Log Management
Introduction to the ELK Stack
The ELK Stack combines Elasticsearch, Logstash and Kibana to collect, store, search and visualize logs. In practice a Beat (here Filebeat) does the collection on each host, Logstash parses and enriches the events, Elasticsearch indexes them and Kibana is the query and dashboard front end.
Architecture
```text
Data sources → Logstash → Elasticsearch → Kibana
                  │             │            │
            parse/filter   store/index   visualize

Filebeat (lightweight shipper on each host) → Logstash (or straight to Elasticsearch)
```
Docker Compose Deployment
```yaml
version: '3.8'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.10.0
    environment:
      - discovery.type=single-node
      # Lab setting only: no authentication and no TLS on 9200.
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    volumes:
      - es_data:/usr/share/elasticsearch/data
    ports:
      - "9200:9200"
    networks:
      - elk
  logstash:
    image: docker.elastic.co/logstash/logstash:8.10.0
    volumes:
      - ./logstash/pipeline:/usr/share/logstash/pipeline
    ports:
      - "5000:5000"   # tcp/json input
      - "9600:9600"   # Logstash monitoring API
      # 5044 (beats input) is reached by Filebeat over the elk network;
      # publish it only if Beats run outside Docker
    environment:
      - "LS_JAVA_OPTS=-Xms256m -Xmx256m"
    depends_on:
      - elasticsearch
    networks:
      - elk
  kibana:
    image: docker.elastic.co/kibana/kibana:8.10.0
    ports:
      - "5601:5601"
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    depends_on:
      - elasticsearch
    networks:
      - elk
  filebeat:
    image: docker.elastic.co/beats/filebeat:8.10.0
    user: root   # needed to read the host's /var/log and Docker container logs
    # Filebeat refuses a config file that is writable by other users; mount it
    # read-only and relax the check for a bind-mounted file from a checkout
    command: ["filebeat", "-e", "--strict.perms=false"]
    volumes:
      - ./filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
      - /var/log:/var/log:ro
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
    depends_on:
      - logstash   # Filebeat ships to Logstash, not to Elasticsearch directly
    networks:
      - elk
volumes:
  es_data:
networks:
  elk:
```
With xpack.security.enabled=false, Elasticsearch on 9200 and Kibana on 5601 accept unauthenticated requests, and the file publishes both ports on every host interface. Keep this on a lab machine, or bind the published ports to loopback (for example "127.0.0.1:9200:9200") until security is enabled. Elasticsearch in Docker also expects the host to have vm.max_map_count set to at least 262144 (sysctl -w vm.max_map_count=262144).
Logstash Configuration
```conf
# logstash/pipeline/logstash.conf
input {
  tcp {
    port  => 5000
    # senders must include a "type" field, otherwise the index name in the
    # output block becomes the literal "%{type}-..."
    codec => json
  }
  beats {
    port => 5044
  }
}

filter {
  if [type] == "nginx" {
    if [message] =~ /^\{/ {
      # json_combined format (see the Nginx hands-on section below)
      json { source => "message" }
      date { match => [ "time_local", "dd/MMM/yyyy:HH:mm:ss Z" ] }
    } else {
      # default "combined" format
      grok { match => { "message" => "%{COMBINEDAPACHELOG}" } }
      date { match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ] }
    }
  }
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:message}" }
      # without overwrite, grok appends and "message" becomes a two-element array
      overwrite => [ "message" ]
    }
    # no date filter here: syslog timestamps carry no year, so @timestamp stays the ingest time
  }
}

output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    index => "%{type}-%{+YYYY.MM.dd}"   # the day is taken from @timestamp in UTC
  }
}
```
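The filter and output blocks above can be checked without a running stack. The following is an added example, not code from the page or from Logstash: the two regexes only approximate the %{COMBINEDAPACHELOG} and syslog grok patterns (field names follow the legacy COMBINEDAPACHELOG names such as clientip and response; Logstash 8 in its default ECS mode emits names like [source][address] instead), the json branch mirrors `json { source => "message" }`, and index_name() applies the `%{type}-%{+YYYY.MM.dd}` rule. The sample lines are constructed. It shows two things this pipeline is regularly tripped up by: the index day comes from @timestamp in UTC, so a request logged at 03:00 +0800 lands in the previous day's index, and an event that arrives without a type field is routed to an index literally named `%{type}-...`.

```python
"""Offline emulation of the Logstash pipeline's filter {} block and index routing.

Added example, not code from the page or from Logstash. Regexes approximate the
grok patterns; sample events are constructed.
"""
import json
import re
from datetime import datetime, timezone

# Approximation of %{COMBINEDAPACHELOG} (legacy, non-ECS field names)
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Approximation of the syslog grok line in the pipeline
SYSLOG_RE = re.compile(
    r'^(?P<timestamp>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) '
    r'(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$'
)
NGINX_TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"   # Joda "dd/MMM/yyyy:HH:mm:ss Z"


def _set_timestamp(event, field):
    """The `date` filter: parse `field` into @timestamp (UTC), else tag _dateparsefailure."""
    try:
        event["@timestamp"] = datetime.strptime(event[field], NGINX_TIME_FMT).astimezone(timezone.utc)
    except (KeyError, TypeError, ValueError):
        event["tags"].append("_dateparsefailure")


def filter_event(raw):
    """Run one event (dict with "type" and "message") through the filter block."""
    event = dict(raw)
    event.setdefault("tags", [])
    etype = event.get("type")
    if etype == "nginx":
        if event["message"].startswith("{"):
            try:
                event.update(json.loads(event["message"]))   # json { source => "message" }
                _set_timestamp(event, "time_local")
            except (TypeError, ValueError):
                event["tags"].append("_jsonparsefailure")
        else:
            m = COMBINED_RE.match(event["message"])
            if m:
                event.update({k: v for k, v in m.groupdict().items() if v is not None})
                _set_timestamp(event, "timestamp")
            else:
                event["tags"].append("_grokparsefailure")
    elif etype == "syslog":
        m = SYSLOG_RE.match(event["message"])
        if m:
            # overwrite => ["message"]: the captured body replaces the raw line
            event.update({k: v for k, v in m.groupdict().items() if v is not None})
            event["pid"] = int(event["pid"]) if "pid" in event else None
        else:
            event["tags"].append("_grokparsefailure")
        # the pipeline has no date filter for syslog, so @timestamp is the ingest time
    if "@timestamp" not in event:
        event["@timestamp"] = datetime.now(timezone.utc)
    return event


def index_name(event):
    """index => "%{type}-%{+YYYY.MM.dd}": the day comes from @timestamp in UTC.
    A missing "type" stays the literal "%{type}", exactly as Logstash's sprintf leaves it."""
    return f'{event.get("type", "%{type}")}-{event["@timestamp"].strftime("%Y.%m.%d")}'


if __name__ == "__main__":
    samples = [   # constructed events
        {"type": "nginx", "message": '10.0.0.5 - - [11/Oct/2023:03:00:00 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "curl/8.1.2"'},
        {"type": "nginx", "message": '{"time_local":"11/Oct/2023:03:00:00 +0800","remote_addr":"10.0.0.5","request":"GET / HTTP/1.1","status":200,"body_bytes_sent":612,"request_time":0.001,"http_referrer":"","http_user_agent":"curl/8.1.2"}'},
        {"type": "syslog", "message": "Oct 11 03:14:07 web01 sshd[1234]: Failed password for root from 203.0.113.9 port 52211 ssh2"},
        {"message": "event sent on tcp/5000 without a type field"},
    ]
    for s in samples:
        ev = filter_event(s)
        print(index_name(ev), ev["tags"], ev.get("clientip") or ev.get("remote_addr") or ev.get("program"))
```

Run it and the first two events land in nginx-2023.10.10 although the access log says 11 October local time; the last one lands in an index whose name starts with the literal `%{type}`.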
Filebeat Configuration
```yaml
# filebeat/filebeat.yml
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    fields:
      type: nginx
    # put "type" at the top level; without this it is sent as [fields][type]
    # and the Logstash conditionals on [type] never match
    fields_under_root: true
  - type: log
    enabled: true
    paths:
      - /var/log/syslog
    fields:
      type: syslog
    fields_under_root: true

output.logstash:
  hosts: ["logstash:5044"]
```
Kibana Visualization
Create a data view
# Open Kibana
# http://localhost:5601
# 1. Go to Management → Stack Management
# 2. Click Data Views (called Index Patterns before Kibana 8.0)
# 3. Create a data view matching the indices, e.g. nginx-*
Create a dashboard
- Go to Visualize Library → Create visualization
- Choose a chart type
- Choose the data view
- Configure the query and aggregations
- Save it and add it to a dashboard
Hands-on: Nginx Log Analysis
# 1. Start the stack
docker-compose up -d
# 2. Switch Nginx to a JSON access-log format (http block of nginx.conf; escape=json needs nginx 1.11.8 or newer)
```nginx
log_format json_combined escape=json
  '{'
    '"time_local":"$time_local",'
    '"remote_addr":"$remote_addr",'
    '"request":"$request",'
    '"status":$status,'
    '"body_bytes_sent":$body_bytes_sent,'
    '"request_time":$request_time,'
    '"http_referrer":"$http_referer",'
    '"http_user_agent":"$http_user_agent"'
  '}';
access_log /var/log/nginx/access.log json_combined;
```
Reload Nginx afterwards (nginx -s reload). Lines written before the change are still in the old combined format; the Logstash pipeline keeps a grok branch for those, and a line that fits neither format is tagged _grokparsefailure rather than dropped.
# 3. View the logs in Kibana
# Open http://localhost:5601
# Create the nginx-* data view
# Browse the events in Discover
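The aggregation you would build as a Kibana visualization over these lines can be tried offline first. Below is an added example, not code from the page or from Nginx or Kibana: it parses json_combined lines as written by the log_format above, counts responses per status, and flags clients that collect many 403/404 responses across many distinct paths, which is what probing for /.env, /.git/config or backup archives looks like rather than a broken link. The log lines, addresses, user agents and thresholds are constructed assumptions.

```python
"""Offline analysis of nginx json_combined lines (format as configured above).

Added example, not code from the page, Nginx or Kibana. Sample lines,
addresses and thresholds are constructed.
"""
import json
from collections import defaultdict

# Constructed sample lines in the json_combined format (not real traffic)
SAMPLE_LINES = [
    '{"time_local":"11/Oct/2023:03:00:01 +0800","remote_addr":"198.51.100.7","request":"GET / HTTP/1.1","status":200,"body_bytes_sent":612,"request_time":0.002,"http_referrer":"","http_user_agent":"Mozilla/5.0"}',
    '{"time_local":"11/Oct/2023:03:00:02 +0800","remote_addr":"198.51.100.7","request":"GET /about HTTP/1.1","status":200,"body_bytes_sent":2048,"request_time":0.003,"http_referrer":"http://example.test/","http_user_agent":"Mozilla/5.0"}',
    '{"time_local":"11/Oct/2023:03:00:03 +0800","remote_addr":"198.51.100.7","request":"GET /old-page HTTP/1.1","status":404,"body_bytes_sent":153,"request_time":0.001,"http_referrer":"","http_user_agent":"Mozilla/5.0"}',
    '{"time_local":"11/Oct/2023:03:01:00 +0800","remote_addr":"203.0.113.9","request":"GET /wp-login.php HTTP/1.1","status":404,"body_bytes_sent":153,"request_time":0.001,"http_referrer":"","http_user_agent":"python-requests/2.31"}',
    '{"time_local":"11/Oct/2023:03:01:00 +0800","remote_addr":"203.0.113.9","request":"GET /.env HTTP/1.1","status":404,"body_bytes_sent":153,"request_time":0.001,"http_referrer":"","http_user_agent":"python-requests/2.31"}',
    '{"time_local":"11/Oct/2023:03:01:01 +0800","remote_addr":"203.0.113.9","request":"GET /admin/ HTTP/1.1","status":404,"body_bytes_sent":153,"request_time":0.001,"http_referrer":"","http_user_agent":"python-requests/2.31"}',
    '{"time_local":"11/Oct/2023:03:01:01 +0800","remote_addr":"203.0.113.9","request":"GET /phpmyadmin/ HTTP/1.1","status":404,"body_bytes_sent":153,"request_time":0.001,"http_referrer":"","http_user_agent":"python-requests/2.31"}',
    '{"time_local":"11/Oct/2023:03:01:02 +0800","remote_addr":"203.0.113.9","request":"GET /.git/config HTTP/1.1","status":403,"body_bytes_sent":153,"request_time":0.001,"http_referrer":"","http_user_agent":"python-requests/2.31"}',
    '{"time_local":"11/Oct/2023:03:01:02 +0800","remote_addr":"203.0.113.9","request":"GET /backup.zip HTTP/1.1","status":404,"body_bytes_sent":153,"request_time":0.001,"http_referrer":"","http_user_agent":"python-requests/2.31"}',
    '{"time_local":"11/Oct/2023:03:01:03 +0800","remote_addr":"203.0.113.9","request":"GET /.aws/credentials?x=1 HTTP/1.1","status":404,"body_bytes_sent":153,"request_time":0.001,"http_referrer":"","http_user_agent":"python-requests/2.31"}',
    'not a json line at all',   # e.g. a line written before the log_format change
]


def parse_lines(lines):
    """Parse json_combined lines into dicts; returns (events, bad_line_count).
    A line that is not JSON is counted and skipped rather than aborting the batch."""
    events, bad = [], 0
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        # "GET /path?q=1 HTTP/1.1" -> method and path with the query string dropped
        parts = ev.get("request", "").split(" ")
        ev["method"] = parts[0]
        ev["path"] = parts[1].split("?", 1)[0] if len(parts) > 1 else ""
        events.append(ev)
    return events, bad


def status_histogram(events):
    """Responses per HTTP status (the Kibana "terms on status" bar chart)."""
    hist = defaultdict(int)
    for ev in events:
        hist[ev["status"]] += 1
    return dict(hist)


def find_scanners(events, min_denied=5, min_distinct_paths=5):
    """Flag client IPs with many 403/404 responses spread over many distinct paths.
    One 404 is a broken link; a run of them on /.env, /.git/config, /backup.zip is a scanner."""
    per_ip = defaultdict(lambda: {"requests": 0, "denied": 0, "paths": set()})
    for ev in events:
        s = per_ip[ev["remote_addr"]]
        s["requests"] += 1
        if ev["status"] in (403, 404):
            s["denied"] += 1
            s["paths"].add(ev["path"])
    return {
        ip: {"requests": s["requests"], "denied": s["denied"], "distinct_paths": len(s["paths"])}
        for ip, s in per_ip.items()
        if s["denied"] >= min_denied and len(s["paths"]) >= min_distinct_paths
    }


if __name__ == "__main__":
    events, bad = parse_lines(SAMPLE_LINES)
    print(f"{len(events)} events parsed, {bad} malformed line(s) skipped")
    print("status histogram:", status_histogram(events))
    for ip, s in find_scanners(events).items():
        print(f"scanner candidate {ip}: {s}")
```

The same rule in Kibana is a data table split by remote_addr with a filter on status 403 or 404 and a unique count of the request path; tune the two thresholds against a day of your own traffic before turning it into an alert, since a site with many stale inbound links will show legitimate clients with several distinct 404s.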
Performance Tuning
# Elasticsearch: raise the heap (in docker-compose.yml). Keep -Xms and -Xmx equal and
# at no more than half of the memory available to the container.
```yaml
environment:
  - "ES_JAVA_OPTS=-Xms4g -Xmx4g"
```
# Logstash: set the pipeline workers and batch size in logstash.yml (not in the pipeline .conf).
# Workers default to the number of CPU cores; 125 is the default batch size, and a larger
# batch trades latency and memory for throughput.
```yaml
pipeline.workers: 4
pipeline.batch.size: 125
```
Summary
The ELK Stack is a capable log management platform. With the configuration above it gives centralized collection, storage, search and visual analysis of logs. Before the setup leaves the lab, turn xpack security back on or put authentication and TLS in front of ports 9200 and 5601: an unauthenticated Elasticsearch holds every log line that was shipped to it.