从零搭建企业级档案日志管理系统：实战指南

发布时间: 2026年06月08日 00:30:03 来源: 安答联动浏览量: 0

系统架构与核心组件

完整的档案日志管理系统需要包含日志采集、传输、存储、查询和分析四个核心模块。我们采用以下技术栈：

日志采集：Filebeat 7.17.0
日志缓冲与传输：Redis 6.2.6
日志解析与索引：Logstash 7.17.0
存储与搜索：Elasticsearch 7.17.0
可视化：Kibana 7.17.0

所有组件均部署在CentOS 7.9操作系统上。这套组合成熟稳定，社区支持完善，能满足从GB到TB级别的日志管理需求。

环境准备与安装

操作系统基础配置

在所有目标服务器上执行以下命令，调整系统参数以满足ELK套件运行要求：

编辑系统限制配置文件：

``` sudo vi /etc/security/limits.conf ```

在文件末尾添加：

``` soft nofile 65536 hard nofile 65536 soft nproc 4096 hard nproc 4096 elasticsearch soft memlock unlimited elasticsearch hard memlock unlimited ```

编辑系统内核参数配置文件：

``` sudo vi /etc/sysctl.conf ```

在文件末尾添加：

``` vm.max_map_count=262144 fs.file-max=65536 ```

执行以下命令使配置生效：

``` sudo sysctl -p ```

安装Java运行环境

Elasticsearch和Logstash依赖Java，安装OpenJDK 11：

``` sudo yum install -y java-11-openjdk-devel ```

验证安装：

``` java -version ```

正确输出应包含"openjdk version \"11.0.xx\""。

核心组件部署与配置

Elasticsearch部署

1. 下载并安装Elasticsearch：

``` wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.0-x86_64.rpm sudo rpm -ivh elasticsearch-7.17.0-x86_64.rpm ```

2. 编辑主配置文件：

``` sudo vi /etc/elasticsearch/elasticsearch.yml ```

修改以下关键配置：

``` cluster.name: archive-log-cluster node.name: node-1 path.data: /var/lib/elasticsearch path.logs: /var/log/elasticsearch network.host: 0.0.0.0 http.port: 9200 discovery.seed_hosts: ["localhost"] cluster.initial_master_nodes: ["node-1"] ```

3. 启动服务并设置开机自启：

``` sudo systemctl daemon-reload sudo systemctl enable elasticsearch sudo systemctl start elasticsearch ```

4. 验证服务：

``` curl -X GET "localhost:9200/" ```

返回包含"version"和"tagline"的JSON即表示成功。

Logstash部署

1. 下载并安装Logstash：

``` wget https://artifacts.elastic.co/downloads/logstash/logstash-7.17.0-x86_64.rpm sudo rpm -ivh logstash-7.17.0-x86_64.rpm ```

2. 创建日志处理配置文件：

``` sudo vi /etc/logstash/conf.d/archive-log.conf ```

输入以下完整配置：

``` input { redis { host => "localhost" port => 6379 key => "logstash" data_type => "list" codec => "json" } } filter { 解析时间戳 date { match => ["timestamp", "ISO8601"] target => "@timestamp" } 移除原始时间戳字段 mutate { remove_field => ["timestamp"] } 为不同应用添加标签 if [app_name] == "web_server" { mutate { add_tag => ["web", "archive"] } } if [app_name] == "database" { mutate { add_tag => ["db", "archive"] } } } output { elasticsearch { hosts => ["localhost:9200"] index => "archive-logs-%{+YYYY.MM.dd}" document_type => "_doc" } 同时输出到控制台用于调试（生产环境可注释） stdout { codec => rubydebug } } ```

3. 启动服务：

``` sudo systemctl enable logstash sudo systemctl start logstash ```

Redis部署

1. 安装Redis：

``` sudo yum install -y epel-release sudo yum install -y redis ```

2. 修改配置文件允许远程连接：

``` sudo vi /etc/redis.conf ```

找到并修改：

``` bind 0.0.0.0 requirepass your_secure_password_here ```

从零搭建企业级档案日志管理系统：实战指南

将"your_secure_password_here"替换为强密码。

3. 启动服务：

``` sudo systemctl enable redis sudo systemctl start redis ```

Filebeat部署与配置

1. 在日志产生服务器上安装Filebeat：

``` wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.17.0-x86_64.rpm sudo rpm -ivh filebeat-7.17.0-x86_64.rpm ```

2. 编辑配置文件：

``` sudo vi /etc/filebeat/filebeat.yml ```

修改以下部分：

``` filebeat.inputs: - type: log enabled: true paths: - /var/log/nginx/access.log - /var/log/nginx/error.log fields: app_name: "web_server" log_type: "access" fields_under_root: true - type: log enabled: true paths: - /var/log/mysql/mysql.log fields: app_name: "database" log_type: "slow_query" fields_under_root: true output.redis: hosts: ["logstash_server_ip:6379"] password: "your_secure_password_here" key: "logstash" db: 0 timeout: 5 ```

将"logstash_server_ip"替换为实际Logstash服务器IP，将"your_secure_password_here"替换为Redis密码。

3. 启动Filebeat：

``` sudo systemctl enable filebeat sudo systemctl start filebeat ```

Kibana部署

1. 下载并安装Kibana：

``` wget https://artifacts.elastic.co/downloads/kibana/kibana-7.17.0-x86_64.rpm sudo rpm -ivh kibana-7.17.0-x86_64.rpm ```

2. 编辑配置文件：

``` sudo vi /etc/kibana/kibana.yml ```

修改：

``` server.port: 5601 server.host: "0.0.0.0" elasticsearch.hosts: ["http://localhost:9200"] ```

3. 启动服务：

``` sudo systemctl enable kibana sudo systemctl start kibana ```

日志归档策略与索引管理

配置索引生命周期策略

在Kibana中管理索引生命周期，或通过API创建策略。以下为7天热存储、30天温存储、永久冷存储的配置：

``` PUT _ilm/policy/archive_logs_policy { "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "rollover": { "max_size": "50gb", "max_age": "7d" }, "set_priority": { "priority": 100 } } }, "warm": { "min_age": "7d", "actions": { "set_priority": { "priority": 50 }, "shrink": { "number_of_shards": 1 }, "forcemerge": { "max_num_segments": 1 } } }, "cold": { "min_age": "37d", "actions": { "set_priority": { "priority": 0 }, "searchable_snapshot": { "snapshot_repository": "my_repository" } } }, "delete": { "min_age": "365d", "actions": { "delete": {} } } } } } ```

将策略应用到索引模板：

``` PUT _index_template/archive_logs_template { "index_patterns": ["archive-logs-"], "template": { "settings": { "number_of_shards": 3, "number_of_replicas": 1, "index.lifecycle.name": "archive_logs_policy" } } } ```

设置索引模板优化存储

创建索引模板，定义字段映射和存储优化：

``` PUT _template/archive_logs_template_v1 { "index_patterns": ["archive-logs-"], "settings": { "index.codec": "best_compression", "analysis": { "analyzer": { "log_analyzer": { "type": "custom", "tokenizer": "standard", "filter": ["lowercase"] } } } }, "mappings": { "properties": { "@timestamp": { "type": "date" }, "message": { "type": "text", "analyzer": "log_analyzer" }, "app_name": { "type": "keyword" }, "log_level": { "type": "keyword" }, "host": { "type": "ip" }, "response_time_ms": { "type": "float" } } } } ```