ELK堆栈(Elasticsearch、Logstash、Kibana)是一个流行的日志收集、处理和分析系统,广泛用于Linux系统日志的管理和分析。以下是使用ELK堆栈分析Linux日志的基本步骤:
apt或yum)或直接下载官方发布的安装包进行安装。wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.x.deb
sudo dpkg -i elasticsearch-7.x.deb
sudo systemctl enable elasticsearch.service
sudo systemctl start elasticsearch.service
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.x.rpm
sudo rpm -ivh logstash-7.x.rpm
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.x-linux-x86_64.tar.gz
tar xvf kibana-7.x-linux-x86_64.tar.gz
cd kibana-7.x-linux-x86_64/
/etc/elasticsearch/elasticsearch.yml),确保以下设置正确:cluster.name: my-application
node.name: node-1
network.host: localhost
sudo systemctl start elasticsearch
/etc/logstash/conf.d/myapp.conf),并配置输入、过滤和输出插件:input {
file {
path "/var/log/myapp/app.log"
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output {
elasticsearch {
hosts ["localhost:9200"]
index "myapp-%{YYYY.MM.dd}"
}
}
sudo systemctl start logstash
config/kibana.yml),配置Elasticsearch的连接信息:server.host: "localhost"
elasticsearch.hosts: ["http://localhost:9200"]
./bin/kibana
通过以上步骤,你可以使用ELK堆栈有效地收集、存储、搜索和分析Linux系统日志。