ELK Stack (Elasticsearch + Logstash + Kibana) Environment Setup: A Complete Guide
Overview
ELK Stack is the most widely used open-source log management solution. It consists of three core components: Elasticsearch (search and storage engine), Logstash (log collection and processing pipeline) and Kibana (visualization dashboard). Together they collect, store, analyze and visualize log data from many servers in one place, which makes the stack a workhorse for operations troubleshooting, security auditing and business analytics.
This guide walks through building a complete ELK Stack from scratch on Ubuntu 22.04 LTS.
1. Architecture Overview
ELK workflow
```text
Application/service logs → Filebeat/Logstash → Elasticsearch → Kibana
```
- Filebeat: lightweight log shipper deployed on every target server; sends logs to Logstash or writes them directly to Elasticsearch
- Logstash: server-side data processing pipeline; receives logs from many sources, parses, filters and transforms them, then outputs to Elasticsearch
- Elasticsearch: distributed search and analytics engine; stores, indexes and searches the logs
- Kibana: web visualization front end; provides log search, charts and dashboards

| Component | Version | Port | Description |
|---|---|---|---|
| Elasticsearch | 8.x | 9200 (HTTP) / 9300 (Transport) | Distributed search engine; stores and indexes logs |
| Logstash | 8.x | 5044 (Beats) / 9600 (API) | Log processing pipeline; collects, parses, filters |
| Kibana | 8.x | 5601 | Data visualization and search UI |
| Filebeat | 8.x | - | Lightweight log shipper (deployed on clients) |
2. Preparing the Environment
System requirements
```bash
lsb_release -a
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl wget gnupg apt-transport-https software-properties-common
# Elasticsearch refuses to start when vm.max_map_count is below 262144
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
```
Java runtime (Elasticsearch 8.x bundles its own JDK; no separate install needed)
The Elasticsearch 8.x distribution ships with a bundled OpenJDK, so no extra Java installation is required. To check the bundled JDK version:
```bash
/usr/share/elasticsearch/jdk/bin/java -version
```
3. Installing Elasticsearch
3.1 Add the official Elastic repository
```bash
# Import the Elastic signing key and register the 8.x apt repository (signed-by pins the key to this repo)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update
```
3.2 Install Elasticsearch
```bash
sudo apt install -y elasticsearch
```
3.3 Configure Elasticsearch
```bash
sudo vi /etc/elasticsearch/elasticsearch.yml
```
Key settings:
```yaml
cluster.name: my-elk-cluster
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# 0.0.0.0 listens on every interface; see the security note below
network.host: 0.0.0.0
http.port: 9200
# Keep security on: authentication plus TLS on the HTTP and transport layers
xpack.security.enabled: true
discovery.type: single-node
```
Security note: in production, do not set network.host to 0.0.0.0 and expose the node to the public Internet. Bind it to an internal IP and reach it through an Nginx reverse proxy.
3.4 Start and verify
```bash
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
sudo systemctl status elasticsearch
# Last 50 journal lines, useful when the service fails to come up
sudo journalctl -u elasticsearch -n 50
```
3.5 Reset the password
Elasticsearch 8.x enables its security features by default and generates a random password for the elastic user at install time. Resetting it manually is recommended:
```bash
cd /usr/share/elasticsearch
# -i prompts for the new password instead of generating one
sudo bin/elasticsearch-reset-password -u elastic -i
```
Verify the connection:
```bash
# -k skips certificate verification because the HTTP layer uses the self-signed CA created at install;
# the stricter alternative is --cacert /etc/elasticsearch/certs/http_ca.crt. 你的密码 = the elastic password set above.
curl -k -u elastic:你的密码 https://localhost:9200
```
Expected response (abridged):
```json
{
  "name" : "node-1",
  "cluster_name" : "my-elk-cluster",
  "cluster_uuid" : "xxx",
  "version" : {
    "number" : "8.15.0",
    "build_flavor" : "default",
    ...
  },
  "tagline" : "You Know, for Search"
}
```
4. Installing Kibana
4.1 Install
```bash
sudo apt install -y kibana
```
4.2 Configure Kibana
```bash
sudo vi /etc/kibana/kibana.yml
```
```yaml
server.port: 5601
# Once Nginx proxies Kibana (section 7.1), 127.0.0.1 is enough here
server.host: "0.0.0.0"
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "你的密码"
# Skips verification of the self-signed Elasticsearch certificate. The stricter option is
# verificationMode: certificate with elasticsearch.ssl.certificateAuthorities pointing at a copy of the ES HTTP CA (http_ca.crt)
elasticsearch.ssl.verificationMode: none
```
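The hardening points raised in the security note of 3.3 and in the Kibana settings above can be checked mechanically. This is an added example, not part of the Elastic tooling or of the original post: it parses only the flat key: value lines used in this guide (no PyYAML), and the check list is an assumption derived from the guide's own advice.

```python
import re

# Matches the flat "key: value" lines used in elasticsearch.yml / kibana.yml above;
# nested YAML (lists under a key) is out of scope for this checker.
KV_LINE = re.compile(r'^([A-Za-z0-9_.]+)\s*:\s*(.+?)\s*$')

def parse_flat_yaml(text):
    """Return {key: value} for top-level scalar settings; comments are dropped and
    surrounding quotes stripped so "0.0.0.0" and 0.0.0.0 compare equal."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # assumes no '#' inside values
        m = KV_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings

# Findings derived from this guide's security note: no wildcard bind, keep X-Pack
# security on, and do not disable TLS verification or fall back to plaintext http.
WILDCARD = ("0.0.0.0", "::", "0")
CHECKS = [
    ("network.host", lambda v: v in WILDCARD,
     "Elasticsearch listens on all interfaces; bind an internal IP and proxy via Nginx"),
    ("server.host", lambda v: v in WILDCARD,
     "Kibana listens on all interfaces; 127.0.0.1 is enough behind the Nginx proxy"),
    ("xpack.security.enabled", lambda v: v.lower() == "false",
     "X-Pack security disabled: no authentication and no TLS on the cluster"),
    ("elasticsearch.ssl.verificationMode", lambda v: v.lower() == "none",
     "Kibana does not verify the Elasticsearch certificate; the link can be intercepted"),
    ("elasticsearch.hosts", lambda v: "http://" in v,
     "Kibana reaches Elasticsearch over plaintext HTTP; use https:// with the ES CA"),
]

def audit(config_text):
    """Return the list of findings for one config file's text (empty list = clean)."""
    settings = parse_flat_yaml(config_text)
    return [msg for key, is_weak, msg in CHECKS if key in settings and is_weak(settings[key])]

# Constructed sample inputs: the settings from 3.3 above and a hardened kibana.yml variant.
ES_YML_FROM_GUIDE = "network.host: 0.0.0.0\nhttp.port: 9200\nxpack.security.enabled: true\n"
KIBANA_YML_HARDENED = (
    'server.host: "127.0.0.1"\n'
    'elasticsearch.hosts: ["https://localhost:9200"]\n'
    "elasticsearch.ssl.verificationMode: certificate\n"
)

if __name__ == "__main__":
    for name, text in (("elasticsearch.yml", ES_YML_FROM_GUIDE), ("kibana.yml", KIBANA_YML_HARDENED)):
        print(name, audit(text) or ["no findings"])
```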
4.3 Set the kibana_system user password
```bash
cd /usr/share/elasticsearch
# kibana_system is the built-in account Kibana uses to talk to Elasticsearch; put this password in kibana.yml
sudo bin/elasticsearch-reset-password -u kibana_system -i
```
4.4 Start Kibana
```bash
sudo systemctl start kibana
sudo systemctl enable kibana
sudo systemctl status kibana
```
4.5 Access Kibana
Open http://<your-server-IP>:5601 in a browser and log in as the elastic user with the password set earlier.
Note: if Kibana and Elasticsearch run on different machines, replace localhost in elasticsearch.hosts with the actual IP of the Elasticsearch node.
5. Installing Logstash
5.1 Install
```bash
sudo apt install -y logstash
```
5.2 Create the Logstash pipeline configuration
```bash
sudo vi /etc/logstash/conf.d/logstash.conf
```
```conf
input {
  beats {
    port => 5044
    # Plaintext: log lines cross the network unencrypted. For production enable TLS here
    # (ssl_enabled => true with ssl_certificate / ssl_key) and give Filebeat the CA.
    ssl_enabled => false
  }
}

filter {
  # Filebeat sets fields_under_root: true, so log_type is a top-level field, not [fields][log_type]
  if [log_type] == "nginx-access" {
    grok {
      match => { "message" => "%{IPORHOST:client_ip} - %{DATA:user} \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{DATA:request} HTTP/%{NUMBER:http_version}\" %{NUMBER:response} %{NUMBER:body_bytes} \"%{DATA:referrer}\" \"%{DATA:agent}\"" }
    }
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      target => "@timestamp"
    }
  }
  if [log_type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:hostname} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    # elastic is the superuser; a dedicated user with a write-only role for logs-* is the least-privilege choice
    user => "elastic"
    password => "你的密码"
    # hosts use https, so TLS stays enabled; verification is relaxed for the self-signed certificate
    # (in production prefer ssl_certificate_authorities pointing at the ES HTTP CA)
    ssl_enabled => true
    ssl_verification_mode => "none"
    index => "logs-%{+YYYY.MM.dd}"
  }
}
```
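To see what the two grok patterns above extract, and what happens to lines they do not match, without a running Logstash, here is an added example that is not part of the original post or of Logstash: Python regexes hand-written to mirror the grok patterns, run over constructed nginx and syslog lines, with non-matching lines tagged _grokparsefailure the way the grok filter does.

```python
import re
from datetime import datetime, timezone
# Python equivalents of the two grok patterns in logstash.conf above, hand-written to mirror
# them (Logstash's grok library is not used). Group names match the grok field names.
NGINX_ACCESS = re.compile(
    r'^(?P<client_ip>\S+) - (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<request>[^"]*?) HTTP/(?P<http_version>[\d.]+)" '
    r'(?P<response>\d+) (?P<body_bytes>\d+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SYSLOG = re.compile(
    r'^(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) '
    r'(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<syslog_message>.*)$'
)
PATTERNS = {"nginx-access": NGINX_ACCESS, "syslog": SYSLOG}

def parse_event(log_type, message):
    """Mimic the filter block: pick the grok by log_type, copy captured fields onto the
    event, tag non-matching lines _grokparsefailure (as Logstash's grok filter does) and,
    for nginx, set @timestamp from the request time normalised to UTC."""
    event = {"log_type": log_type, "message": message, "tags": []}
    pattern = PATTERNS.get(log_type)
    if pattern is None:
        return event  # no filter branch applies; the event passes through unchanged
    match = pattern.match(message)
    if match is None:
        event["tags"].append("_grokparsefailure")
        return event
    event.update({k: v for k, v in match.groupdict().items() if v is not None})
    if log_type == "nginx-access":
        # date { match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"] target => "@timestamp" }
        ts = datetime.strptime(event["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
        event["@timestamp"] = ts.astimezone(timezone.utc).isoformat()
    return event

def parse_failure_rate(log_type, lines):
    """Fraction of lines the pattern rejects. A jump here usually means the upstream log
    format changed, and those events reach Elasticsearch unparsed and unsearchable by field."""
    events = [parse_event(log_type, line) for line in lines]
    return sum("_grokparsefailure" in e["tags"] for e in events) / len(events) if events else 0.0

# Constructed sample lines (not real traffic)
SAMPLE_NGINX = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.9 - alice [10/Oct/2023:13:56:01 +0800] "POST /api/login HTTP/1.1" 401 48 "-" "curl/8.4.0"',
    "2023-10-10T13:57:00 custom log_format line that the pattern does not cover",
]
SAMPLE_SYSLOG = [
    "Oct 10 13:55:36 web01 sshd[1234]: Accepted publickey for deploy from 203.0.113.7 port 51234 ssh2",
    "Oct  5 03:01:02 web01 CRON[99]: (root) CMD (run-parts /etc/cron.hourly)",
]
```

Call parse_event("nginx-access", SAMPLE_NGINX[0]) to see the field set Logstash would index for one line; parse_failure_rate over a whole file is the number worth alerting on.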
5.3 Start Logstash
```bash
# Validate the pipeline syntax before starting (-t = --config.test_and_exit)
sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t
sudo systemctl start logstash
sudo systemctl enable logstash
sudo systemctl status logstash
```
6. Installing Filebeat (client-side deployment)
Filebeat must be installed on every server whose logs are to be collected.
6.1 Install
```bash
sudo apt install -y filebeat
```
6.2 Configure Filebeat
```bash
sudo vi /etc/filebeat/filebeat.yml
```
```yaml
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/syslog
      - /var/log/auth.log
    fields:
      log_type: syslog
    # put log_type at the top level of the event; the Logstash filter tests [log_type]
    fields_under_root: true
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    fields:
      log_type: nginx-access
    fields_under_root: true

output.logstash:
  hosts: ["你的ELK服务器IP:5044"]
```
6.3 Start Filebeat
```bash
# Load the Filebeat index template into Elasticsearch once. The Logstash output is disabled for
# this step and the secured HTTPS endpoint needs credentials; run it on the ELK host itself,
# since the firewall in 7.2 keeps port 9200 closed to clients.
sudo filebeat setup --index-management \
  -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["你的ELK服务器IP:9200"]' \
  -E output.elasticsearch.protocol=https \
  -E output.elasticsearch.username=elastic \
  -E 'output.elasticsearch.password=你的密码' \
  -E output.elasticsearch.ssl.verification_mode=none
sudo systemctl start filebeat
sudo systemctl enable filebeat
# Confirm Filebeat can reach Logstash on 5044
sudo filebeat test output
```
7. Security Hardening
7.1 Nginx reverse proxy in front of Kibana
```bash
# apache2-utils provides the htpasswd tool used below
sudo apt install -y nginx apache2-utils
sudo vi /etc/nginx/sites-available/kibana
```
```nginx
server {
    listen 80;
    server_name kibana.你的域名.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name kibana.你的域名.com;

    ssl_certificate /etc/letsencrypt/live/你的域名.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/你的域名.com/privkey.pem;

    # Basic auth at the edge adds a second gate in front of Kibana's own login
    auth_basic "Kibana Login";
    auth_basic_user_file /etc/nginx/.kibana-users;

    location / {
        proxy_pass http://127.0.0.1:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```
```bash
# -c creates the file; omit it when adding further users
sudo htpasswd -c /etc/nginx/.kibana-users admin
sudo ln -s /etc/nginx/sites-available/kibana /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
```
7.2 Firewall configuration
```bash
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# 5044 is the Beats port for Filebeat clients. 9200 and 5601 stay closed, so Elasticsearch and
# Kibana are reachable only from localhost and through the Nginx proxy. To limit 5044 to the
# client subnet instead: sudo ufw allow from 10.0.0.0/24 to any port 5044 proto tcp
sudo ufw allow 5044/tcp
sudo ufw enable
```
7.3 System resource limits
Elasticsearch is demanding on system resources; the following adjustments are recommended:
```bash
# Raise the open-file limit for the elasticsearch user. systemd services do not read limits.d;
# the packaged elasticsearch.service already sets LimitNOFILE=65535, and overrides belong in
# `sudo systemctl edit elasticsearch`.
echo "elasticsearch - nofile 65535" | sudo tee /etc/security/limits.d/elasticsearch.conf
# Disable swap (not persistent across reboots: also comment the swap entry out of /etc/fstab)
sudo swapoff -a
```
8. Quick Reference of Common Operations
| Operation | Command |
|---|---|
| Check Elasticsearch cluster health | curl -k -u elastic:密码 https://localhost:9200/_cluster/health |
| List all indices | curl -k -u elastic:密码 https://localhost:9200/_cat/indices?v |
| Delete an expired index | curl -k -u elastic:密码 -X DELETE https://localhost:9200/logs-2026.06.01 |
| List Logstash pipelines | curl -s http://localhost:9600/_node/pipelines?pretty (Logstash monitoring API on port 9600) |
| Inspect the Filebeat registry | sudo ls -l /var/lib/filebeat/registry/filebeat/ |
| Open Kibana Dev Tools | In Kibana, open the left-hand menu → Dev Tools |
9. Performance Tuning Tips
9.1 Elasticsearch tuning
```yaml
indices.memory.index_buffer_size: 10%
indices.fielddata.cache.size: 20%
search.max_buckets: 20000
thread_pool.write.queue_size: 1000
```
9.2 Index Lifecycle Management (ILM)
Use ILM to manage index creation, rollover and deletion automatically:
```http
# Rollover acts on the alias named in index.lifecycle.rollover_alias, so writes must go through
# the "logs" alias (bootstrap an initial index such as logs-000001 with is_write_index: true).
# With the date-stamped index names from section 5.2 the rollover step errors out and the index
# never reaches the delete phase; in that case drop the rollover action and keep only delete.
PUT _ilm/policy/logs_policy
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": { "max_size": "50GB", "max_age": "7d" }
        }
      },
      "delete": {
        "min_age": "30d",
        "actions": { "delete": {} }
      }
    }
  }
}

PUT _index_template/logs_template
{
  "index_patterns": ["logs-*"],
  "template": {
    "settings": {
      "number_of_shards": 3,
      "number_of_replicas": 1,
      "index.lifecycle.name": "logs_policy",
      "index.lifecycle.rollover_alias": "logs"
    }
  }
}
```
10. Troubleshooting Common Problems
| Symptom | Likely cause | Fix |
|---|---|---|
| Elasticsearch fails to start | max virtual memory areas too low | Run sudo sysctl -w vm.max_map_count=262144 |
| Kibana cannot connect to Elasticsearch | Wrong credentials or SSL verification failure | Check the username and password in kibana.yml; set elasticsearch.ssl.verificationMode: none |
| Logstash receives no data | Port 5044 not opened in the firewall | sudo ufw allow 5044, or check iptables |
| Disk space exhausted | No expiry set for log indices | Configure an ILM policy to delete expired indices automatically |
| Filebeat connection timeout | Network unreachable or Logstash not running | systemctl status logstash + filebeat test output |
| Kibana loads slowly | Index too large and not sharded sensibly | Increase the shard count, configure an ILM rollover policy |
| Elasticsearch out of memory | JVM heap set too large | Edit /etc/elasticsearch/jvm.options and set the heap to 50% of physical memory |
11. Summary
This guide covered the complete procedure for building an ELK Stack on Ubuntu 22.04: installing and configuring Elasticsearch, Logstash, Kibana and Filebeat. ELK Stack is the gold standard for operations log management, and mastering it greatly speeds up day-to-day troubleshooting.
Start with a single-node deployment to get familiar with each component, then grow into a cluster architecture. Further topics worth studying are the Elasticsearch query DSL, Kibana dashboard design and Logstash's advanced filter plugins.
This article was written with AI assistance; its content is for reference only.