How to Install ELK on Ubuntu 20.04

The ELK stack is known as Elastic Stack is a collection of three open-source software i.e. Elasticsearch, Kibana, and Logstash. The ELK stack is used to search, analyze, and visualize a large volume of data.

Beats is an important tool to improve the capability of Elasticsearch. So we have four main components which free to download and use:

• Elasticsearch: distributed search engine stores the collected data
• Logstash: data processing component sends the data to Elasticsearch
• Kibana: GUI web is used to search and visualize logs
• Beats: lightweight plugin is used to aggregate data from different data streams

This tutorial will go through the steps of installing the ELK stack on Ubuntu 20.04.

Install Java

In order to install ELK stack you have to install Java on your Ubuntu machine by the following command:

$ sudo apt install openjdk-8-jdk

Verifying that Java has successfully installed:

$ java -version

Output:

openjdk version "1.8.0_275"
OpenJDK Runtime Environment (build 1.8.0_275-8u275-b01-0ubuntu1~20.04-b01)
OpenJDK 64-Bit Server VM (build 25.275-b01, mixed mode)

Install Nginx

Kibana dashboard requires Nginx webserver to be installed on your machine. It used Nginx as a reverse proxy.

To install Nginx by the following command:

$ sudo apt install nginx

Install and configure Elasticsearch

In order to install Elasticsearch, you have to add its repository to your Ubuntu 20.04 source list.

Import GPG key:

$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Then, install the apt-transport-https:

$ sudo apt install apt-transport-https

Add Elasticsearch repository:

$ echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee –a /etc/apt/sources.list.d/elastic-7.x.list

Now, you can install the Elasticsearch:

$ sudo apt update
$ sudo apt install elasticsearch

The configuration file of Elasticsearch is located at /etc/elasticsearch/elasticsearch.yml

Use your favorite editor and modify it as follows:

Uncomment lines:

network.host: localhost

http.port: 9200

Add the following line in Discovery section:

discovery.type: single-node

Start the Elasticsearch service by running:

$ sudo systemctl start elasticsearch.service

Enable Elasticsearch service to start at boot, type:

$ sudo systemctl enable elasticsearch.service

Verify that Elasticsearch is running and listening on port 9200:

$ curl -X GET "localhost:9200"

Install and configure Kibana

To install Kibana, run the following command:

$ sudo apt install kibana

Once the installation has finished, open the Kibana configuration file:

$ sudo vim /etc/kibana/kibana.yml

Uncomment these lines:

server.port: 5601
server.host: "localhost"
elasticsearch.hosts: ["http://localhost:9200"]

Start the Kibana service and make it launch at boot:

$ sudo systemctl start kibana
$ sudo systemctl enable kibana

To access Kibana Dashboard, you have to allow traffic on port 5601:

$ sudo ufw allow 5601/tcp

Now, we can access Kibana Dashboard at http://localhost:5601

Install and configure Logstash

To install Logstash, run the command as follows:

$ sudo apt install logstash

Start the Logstash service and make it launch at boot:

$ sudo systemctl start logstash
$ sudo systemctl enable logstash

Verifying that Logstash service is running:

$ sudo systemctl status logstash

All Logstash configuration files are located in /etc/logstash/conf.d/. According to our own use case, configure INPUT, FILTERS, OUTPUT pipelines.

Install and configure Filebeat

To install filebeat, run the following command:

$ sudo apt install filebeat

Once the installation has completed, configure Filebeat by editing its configuration file:

$ sudo vim /etc/filebeat/filebeat.yml

In section Elasticsearch Output, let's comment out the following lines:

#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

Then, uncomment these lines in Logstash output section:

output.logstash:
  hosts: ["localhost:5044"]

Next, need to enable the Filebeat system module:

$ sudo filebeat modules enable system

Then, load the index template:

$ sudo filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'

Start the Filebeat service and make it launch at boot:

$ sudo systemctl start filebeat
$ sudo systemctl enable filebeat

Conclusion

The ELK stack is a really powerful tool for centralizing data. This tutorial has gone through all steps of installing and configuring the ELK stack on your Ubuntu 20.04.

Thanks for reading and please leave your suggestion in the below comment section.