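ELK (Elasticsearch + Logstash + Kibana) is one of the most popular log management solutions today. This article describes in detail how to build a complete ELK log monitoring stack for a PHP project.
I. Basic architecture components
PHP application → Filebeat → Logstash → Elasticsearch → Kibana (optional) ↗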
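II. Environment preparation
1. Server requirements
- Deploying on a dedicated server is recommended
- Minimum configuration: 4-core CPU / 8 GB RAM / 100 GB storage
- Recommended configuration: 8-core CPU / 16 GB RAM / 500 GB SSD (production)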
2. Choosing component versions
# Using the same major version for every component is recommended
Elasticsearch 8.x
Logstash 8.x
Kibana 8.x
Filebeat 8.x
III. Detailed installation and configuration steps
1. Elasticsearch installation and configuration
# Install (Ubuntu example)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update && sudo apt install elasticsearch
# Basic configuration: /etc/elasticsearch/elasticsearch.yml
cluster.name: php-logs
node.name: node-1
network.host: 0.0.0.0          # listens on all network interfaces
discovery.type: single-node    # single-node mode
xpack.security.enabled: true   # enable security (authentication)
# Start the service
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
# Set passwords (this tool is deprecated in 8.x in favour of elasticsearch-reset-password)
sudo /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
2. Logstash configuration
sudo apt install logstash
Create the configuration file /etc/logstash/conf.d/php.conf:
input {
  beats {
    port => 5044
  }
}
filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}" }
    # Replace the original message with the captured text instead of appending to it
    overwrite => ["message"]
  }
  date {
    match => ["timestamp", "ISO8601"]
    target => "@timestamp"
  }
  mutate {
    remove_field => ["timestamp"]
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "php-logs-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "your_password"
  }
}
Start the service:
sudo systemctl start logstash
sudo systemctl enable logstash
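3. Kibana installation and configuration
sudo apt install kibana
Configure /etc/kibana/kibana.yml:
server.host: "0.0.0.0"   # listens on all network interfaces
server.port: 5601
elasticsearch.hosts: ["http://localhost:9200"]
# Kibana 8.x refuses to start with the "elastic" superuser here; use the built-in kibana_system user
elasticsearch.username: "kibana_system"
elasticsearch.password: "your_password"
Start the service:
sudo systemctl start kibana
sudo systemctl enable kibana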
4. Filebeat client configuration (PHP server)
sudo apt install filebeat
Configure /etc/filebeat/filebeat.yml:
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/www/html/storage/logs/*.log   # PHP log path
    fields:
      app: php-app
      env: production

output.logstash:
  hosts: ["logstash-server:5044"]
Start the service:
sudo systemctl start filebeat
sudo systemctl enable filebeat
IV. PHP application log integration
1. Monolog configuration example
// composer.json
{
    "require": {
        "monolog/monolog": "^2.0"
    }
}
// Logging configuration example
use Monolog\Logger;
use Monolog\Handler\StreamHandler;

$log = new Logger('app');
$log->pushHandler(new StreamHandler(__DIR__.'/storage/logs/app.log', Logger::DEBUG));

// Structured logging example
$log->info('User login', [
    'user_id' => 123,
    'ip' => $_SERVER['REMOTE_ADDR'],
    // Client-supplied header; may be absent
    'user_agent' => $_SERVER['HTTP_USER_AGENT'] ?? '',
]);
2. Log format optimization
JSON-formatted logs are recommended:
use Monolog\Formatter\JsonFormatter;

$jsonHandler = new StreamHandler(__DIR__.'/logs/app.json', Logger::DEBUG);
$jsonHandler->setFormatter(new JsonFormatter());
$log->pushHandler($jsonHandler);
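V. Kibana dashboard configuration
- Open http://your-server:5601
- Create the index pattern php-logs-*
- Create visualizations:
  - Error log statistics
  - Request response-time distribution
  - User behaviour heat map
- Set alert rules (for example, trigger an alert when more than 100 errors occur within 5 minutes)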
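VI. Advanced configuration
1. Log archiving policy
# Add the following output to Logstash
output {
  # Archive logs to S3 daily
  s3 {
    access_key_id => "your_key"
    secret_access_key => "your_secret"
    region => "us-east-1"
    bucket => "php-logs-archive"
    # time_file is in minutes; 1440 = 24 hours
    time_file => 1440
    codec => "json"
  }
}
2. Performance tuning suggestions
# Elasticsearch tuning: /etc/elasticsearch/jvm.options
-Xms4g
-Xmx4g
# Logstash pipeline tuning (logstash.yml)
pipeline.workers: 4
pipeline.batch.size: 100
3. Security hardening
# Set firewall rules (as written, each rule accepts connections from any source address)
sudo ufw allow 9200/tcp # Elasticsearch
sudo ufw allow 5601/tcp # Kibana
sudo ufw allow 5044/tcp # Logstash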
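VII. Troubleshooting common problems
- Log collection is delayed:
  # Check Filebeat status
  sudo filebeat test output
  # Increase the number of Logstash pipeline workers
  pipeline.workers: 8
- Disk space is running out:
  # Set up Elasticsearch index lifecycle management
  PUT _ilm/policy/php-logs-policy
  {
    "policy": {
      "phases": {
        "hot": {
          "actions": {
            "rollover": { "max_size": "50GB" }
          }
        },
        "delete": {
          "min_age": "30d",
          "actions": { "delete": {} }
        }
      }
    }
  }
- Log parsing fails:
  # Update the Logstash grok patterns ("备用模式" is a placeholder for a fallback pattern)
  filter {
    grok {
      match => {
        "message" => [
          "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}",
          "备用模式"
        ]
      }
    }
  }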
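VIII. Recommended monitoring metrics
- Key metrics:
  - Error rate (share of 5xx responses)
  - Slow requests (requests taking > 1s)
  - Anomalous user behaviour (such as frequent login failures)
- Alert rule example:
  {
    "alert_name": "High Error Rate",
    "conditions": {
      "threshold": 5,
      "time_window": "5m",
      "metric": "error_count"
    }
  }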
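The alert rule above, worked through as a sliding-window check over JSON log lines. This is an added example, not part of the original article: the `datetime` and `level_name` field names are assumed to match what Monolog's JsonFormatter writes, the rule is assumed to fire when the count is strictly greater than the threshold, and the sample lines are constructed.

```python
import json
from collections import deque
from datetime import datetime, timedelta

# Constructed copy of the alert rule shown above.
RULE = {"alert_name": "High Error Rate",
        "conditions": {"threshold": 5, "time_window": "5m", "metric": "error_count"}}
ERROR_LEVELS = {"ERROR", "CRITICAL", "ALERT", "EMERGENCY"}  # Monolog level names

def parse_window(spec):
    """Turn '30s', '5m' or '1h' into a timedelta."""
    units = {"s": "seconds", "m": "minutes", "h": "hours"}
    return timedelta(**{units[spec[-1]]: int(spec[:-1])})

def evaluate(lines, rule=RULE):
    """Return (alert_times, skipped): when the rule fired, and how many lines were unparseable."""
    cond = rule["conditions"]
    window, threshold = parse_window(cond["time_window"]), cond["threshold"]
    recent, alerts, skipped, firing = deque(), [], 0, False
    for line in lines:  # assumed to be in time order
        try:
            rec = json.loads(line)
            ts, level = datetime.fromisoformat(rec["datetime"]), rec["level_name"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # broken or non-JSON line: count it, keep monitoring
            continue
        while recent and ts - recent[0] >= window:
            recent.popleft()  # drop errors that have left the sliding window
        if level in ERROR_LEVELS:
            recent.append(ts)
        over = len(recent) > threshold  # assumption: fire on strictly more than threshold
        if over and not firing:
            alerts.append(ts)  # alert once per crossing, re-arm when the count drops
        firing = over
    return alerts, skipped

def sample_lines():
    """Constructed input: 6 errors within 5 minutes, one broken line, one late error."""
    base = datetime.fromisoformat("2024-05-01T10:00:00+00:00")
    def rec(offset_s, level, msg):
        return json.dumps({"message": msg, "channel": "app", "level_name": level,
                           "datetime": (base + timedelta(seconds=offset_s)).isoformat()})
    lines = [rec(0, "INFO", "User login")]
    lines += [rec(30 * i, "ERROR", "DB timeout") for i in range(1, 7)]  # 10:00:30 to 10:03:00
    lines.append("PHP Fatal error: truncated line")  # not JSON
    lines.append(rec(600, "ERROR", "DB timeout"))    # 10:10:00, window is empty again
    return lines

if __name__ == "__main__":
    fired, bad = evaluate(sample_lines())
    print([t.isoformat() for t in fired], "skipped:", bad)
```

The skipped count is worth charting next to the alert itself, since a rise in unparseable lines means errors are going uncounted.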
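With the complete configuration above, you can build an efficient, reliable log monitoring system for your PHP application that covers the whole workflow from log collection and storage to visual analysis.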