ELK (Elasticsearch + Logstash + Kibana) 是当前最流行的日志管理解决方案之一。下面详细介绍如何为 PHP 项目搭建完整的 ELK 日志监控体系。
一、基础架构组成
PHP应用 → Filebeat → Logstash → Elasticsearch → Kibana
(可选) ↗二、环境准备
1. 服务器要求
-
建议独立服务器部署
-
最低配置:4核CPU/8GB内存/100GB存储
-
推荐配置:8核CPU/16GB内存/500GB SSD(生产环境)
2. 组件版本选择
# 推荐使用相同大版本
Elasticsearch 8.x
Logstash 8.x
Kibana 8.x
Filebeat 8.x三、详细安装配置步骤
1. Elasticsearch 安装配置
# 安装(Ubuntu示例)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update && sudo apt install elasticsearch
# 基础配置 /etc/elasticsearch/elasticsearch.yml
cluster.name: php-logs
node.name: node-1
network.host: 0.0.0.0
discovery.type: single-node # 单节点模式
xpack.security.enabled: true # 启用安全认证
# 启动服务
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
# 设置密码
sudo /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto2. Logstash 配置
sudo apt install logstash创建配置文件 /etc/logstash/conf.d/php.conf:
input {
beats {
port => 5044
}
}
filter {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}" }
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => ["timestamp"]
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "php-logs-%{+YYYY.MM.dd}"
user => "elastic"
password => "your_password"
}
}启动服务:
sudo systemctl start logstash
sudo systemctl enable logstash3. Kibana 安装配置
sudo apt install kibana配置 /etc/kibana/kibana.yml:
server.host: "0.0.0.0"
server.port: 5601
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "your_password"启动服务:
sudo systemctl start kibana
sudo systemctl enable kibana4. Filebeat 客户端配置(PHP服务器)
sudo apt install filebeat配置 /etc/filebeat/filebeat.yml:
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/www/html/storage/logs/*.log # PHP日志路径
fields:
app: php-app
env: production
output.logstash:
hosts: ["logstash-server:5044"]启动服务:
sudo systemctl start filebeat
sudo systemctl enable filebeat四、PHP 应用日志集成
1. Monolog 配置示例
// composer.json
{
"require": {
"monolog/monolog": "^2.0"
}
}// 日志配置示例
use Monolog\Logger;
use Monolog\Handler\StreamHandler;
$log = new Logger('app');
$log->pushHandler(new StreamHandler(__DIR__.'/storage/logs/app.log', Logger::DEBUG));
// 结构化日志示例
$log->info('User login', [
'user_id' => 123,
'ip' => $_SERVER['REMOTE_ADDR'],
'user_agent' => $_SERVER['HTTP_USER_AGENT']
]);2. 日志格式优化
推荐使用JSON格式日志:
$jsonHandler = new StreamHandler(
__DIR__.'/logs/app.json',
Logger::DEBUG
);
$jsonHandler->setFormatter(new JsonFormatter());
$log->pushHandler($jsonHandler);五、Kibana 仪表板配置
-
访问
http://your-server:5601 -
创建索引模式
php-logs-* -
创建可视化图表:
-
错误日志统计
-
请求响应时间分布
-
用户行为热力图
-
-
设置警报规则(如5分钟内错误超过100次触发报警)
六、高级功能配置
1. 日志归档策略
# Logstash添加以下output
output {
# 每天归档日志到S3
s3 {
access_key_id => "your_key"
secret_access_key => "your_secret"
region => "us-east-1"
bucket => "php-logs-archive"
time_file => 24
codec => "json"
}
}2. 性能优化建议
# Elasticsearch优化 /etc/elasticsearch/jvm.options
-Xms4g
-Xmx4g
# Logstash管道优化
pipeline.workers: 4
pipeline.batch.size: 1003. 安全加固
# 设置防火墙规则
sudo ufw allow 9200/tcp # Elasticsearch
sudo ufw allow 5601/tcp # Kibana
sudo ufw allow 5044/tcp # Logstash七、常见问题解决
-
日志收集延迟:
# 检查Filebeat状态 sudo filebeat test output # 增加Logstash管道线程 pipeline.workers: 8 -
磁盘空间不足:
# 设置Elasticsearch索引生命周期管理 PUT _ilm/policy/php-logs-policy { "policy": { "phases": { "hot": { "actions": { "rollover": { "max_size": "50GB" } } }, "delete": { "min_age": "30d", "actions": { "delete": {} } } } } } -
日志解析失败:
# 更新Logstash的grok模式 filter { grok { match => { "message" => ["%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:message}", "备用模式"] } } }八、监控指标建议
-
关键指标:
-
错误率(5xx响应占比)
-
慢请求(>1s的请求)
-
用户行为异常(如频繁登录失败)
-
-
报警规则示例:
{ "alert_name": "High Error Rate", "conditions": { "threshold": 5, "time_window": "5m", "metric": "error_count" } }通过以上完整配置,您可以为PHP应用构建一个高效、可靠的日志监控系统,实现从日志收集、存储到可视化分析的全流程管理。
