
The ELK stack, also known as the Elastic Stack, is a collection of three open-source software products: Elasticsearch, Kibana, and Logstash. The ELK stack is used to search, analyze, and visualize large volumes of data.
Beats is an important tool that extends the capability of Elasticsearch. So we have four main components, which are free to download and use:
- Elasticsearch: a distributed search engine that stores the collected data
- Logstash: a data processing component that sends the data to Elasticsearch
- Kibana: a web GUI used to search and visualize logs
- Beats: a lightweight plugin used to aggregate data from different data streams
This tutorial will go through the steps of installing the ELK stack on Ubuntu 20.04.
Install Java
To install the ELK stack, you first have to install Java on your Ubuntu machine with the following command:
$ sudo apt install openjdk-8-jdk
Verify that Java has been installed successfully:
$ java -version
Output:
openjdk version "1.8.0_275"
OpenJDK Runtime Environment (build 1.8.0_275-8u275-b01-0ubuntu1~20.04-b01)
OpenJDK 64-Bit Server VM (build 25.275-b01, mixed mode)
Install Nginx
The Kibana dashboard requires the Nginx web server to be installed on your machine. Nginx is used as a reverse proxy.
Install Nginx with the following command:
$ sudo apt install nginx
Install and configure Elasticsearch
In order to install Elasticsearch, you have to add its repository to your Ubuntu 20.04 source list.
Import GPG key:
$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Then, install the apt-transport-https:
$ sudo apt install apt-transport-https
Add Elasticsearch repository:
$ echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
Now, you can install Elasticsearch:
$ sudo apt update
$ sudo apt install elasticsearch
The configuration file of Elasticsearch is located at /etc/elasticsearch/elasticsearch.yml
Use your favorite editor and modify it as follows:
Uncomment lines:
network.host: localhost
http.port: 9200
Add the following line in the Discovery section:
discovery.type: single-node

Start the Elasticsearch service by running:
$ sudo systemctl start elasticsearch.service
Enable Elasticsearch service to start at boot, type:
$ sudo systemctl enable elasticsearch.service
Verify that Elasticsearch is running and listening on port 9200:
$ curl -X GET "localhost:9200"

Install and configure Kibana
To install Kibana, run the following command:
$ sudo apt install kibana
Once the installation has finished, open the Kibana configuration file:
$ sudo vim /etc/kibana/kibana.yml
Uncomment these lines:
server.port: 5601
server.host: "localhost"
elasticsearch.hosts: ["http://localhost:9200"]

Start the Kibana service and make it launch at boot:
$ sudo systemctl start kibana
$ sudo systemctl enable kibana
To access Kibana Dashboard, you have to allow traffic on port 5601:
$ sudo ufw allow 5601/tcp
Now, we can access Kibana Dashboard at http://localhost:5601

Install and configure Logstash
To install Logstash, run the command as follows:
$ sudo apt install logstash
Start the Logstash service and make it launch at boot:
$ sudo systemctl start logstash
$ sudo systemctl enable logstash
Verify that the Logstash service is running:
$ sudo systemctl status logstash

All Logstash configuration files are located in /etc/logstash/conf.d/. Configure the INPUT, FILTERS, and OUTPUT pipelines according to your own use case.
Install and configure Filebeat
To install filebeat, run the following command:
$ sudo apt install filebeat
Once the installation has completed, configure Filebeat by editing its configuration file:
$ sudo vim /etc/filebeat/filebeat.yml
In the Elasticsearch Output section, comment out the following lines:
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
Then, uncomment these lines in the Logstash Output section (the hosts line must stay indented under output.logstash):
output.logstash:
  hosts: ["localhost:5044"]

Next, enable the Filebeat system module:
$ sudo filebeat modules enable system
Then, load the index template:
$ sudo filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
Start the Filebeat service and make it launch at boot:
$ sudo systemctl start filebeat
$ sudo systemctl enable filebeat
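With all services started, it is worth confirming that the ports used above (9200, 5601, 5044) are bound to the loopback interface only, as the localhost settings intend. The following check is an added example, not part of the original tutorial. Its sample `ss` output is constructed and assumes a Logstash Beats input on port 5044 bound to all interfaces.

```shell
#!/bin/sh
# Ports used in this tutorial: Elasticsearch 9200, Kibana 5601, Logstash Beats input 5044.
ELK_PORTS="9200 5601 5044"

# Constructed sample of `ss -Hltn` output (illustrative, not captured from a real host).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='LISTEN 0 4096 [::ffff:127.0.0.1]:9200 *:*
LISTEN 0 4096 [::1]:9200 [::]:*
LISTEN 0 511 127.0.0.1:5601 0.0.0.0:*
LISTEN 0 4096 *:5044 *:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# is_loopback ADDR: succeed only for IPv4/IPv6 loopback (including the IPv4-mapped form).
is_loopback() {
  case "$1" in
    127.*|'[::1]'|'[::ffff:127.'*) return 0 ;;
    *) return 1 ;;
  esac
}

# exposed_listeners: read `ss -Hltn` lines on stdin and print "port address"
# for every ELK port that is bound to a non-loopback address.
exposed_listeners() {
  while read -r _state _recvq _sendq laddr _rest; do
    port=${laddr##*:}   # text after the last colon
    addr=${laddr%:*}    # everything before it, brackets kept for IPv6
    case " $ELK_PORTS " in
      *" $port "*) is_loopback "$addr" || printf '%s %s\n' "$port" "$addr" ;;
    esac
  done
}

# Demo on the constructed sample. On a live host: ss -Hltn | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

Any line printed is an ELK port reachable from other hosts. Nginx on port 80 is deliberately not checked, because it is the reverse proxy in front of Kibana.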
Conclusion
The ELK stack is a really powerful tool for centralizing data. This tutorial has gone through all the steps of installing and configuring the ELK stack on Ubuntu 20.04.
Thanks for reading, and please leave your suggestions in the comment section below.
Thank you, good article,
but how is Nginx set up?
Please check our tutorials on Nginx
https://linoxide.com/install-nginx-on-ubuntu-20-04/
https://linoxide.com/setup-nginx-with-lets-encrypt-on-ubuntu-20-04/