Prerequisites #
For this tutorial I use two Ubuntu 22.04 servers.
# ELK server
192.168.30.90 ubuntu
# Monitoring host
192.168.30-90 elkhost1
ELK Stack #
Elasticsearch #
Installation #
# Download and install the public signing key
sudo wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
# Save the repository definition to /etc/apt/sources.list.d/elastic-7.x.list (7.x package repository)
sudo echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
# Update package index & install Elastic Search
sudo apt update && sudo apt install elasticsearch
Configuration #
# Open configuration file
sudo vi /etc/elasticsearch/elasticsearch.yml
- Connection from: Only localhost
# Network host: bind Elasticsearch to the loopback interface only, so it is reachable
# from this host alone (Logstash and the Filebeat setup commands on this server use localhost:9200)
network.host: localhost
# HTTP port (9200 is the first port of Elasticsearch's default 9200-9300 range)
http.port: 9200
# Define master node
# NOTE(review): the name listed here must match this node's node.name, which this
# excerpt does not show being set — confirm it is "node-1" in the same file
cluster.initial_master_nodes: ["node-1"]
- Connection from: Anywhere
# Network host: listen on every interface so other hosts on the network can reach
# Elasticsearch (for testing purposes only: with this setting every host that can reach
# port 9200 can read and write the data unless authentication is configured; the
# "From other host" check below depends on it)
network.host: 0.0.0.0
# HTTP port (9200 is the first port of Elasticsearch's default 9200-9300 range)
http.port: 9200
# Define master node
# NOTE(review): must match this node's node.name, which this excerpt does not show — confirm
cluster.initial_master_nodes: ["node-1"]
- Default paths
# Default data path
path.data: /var/lib/elasticsearch
# Default log path
path.logs: /var/log/elasticsearch
Start & Enable #
# Reload the systemd configuration files
sudo systemctl daemon-reload
# Enable service autostart
sudo systemctl enable elasticsearch
# Start service
sudo systemctl start elasticsearch
# Check status
sudo systemctl status elasticsearch
# Check log
sudo cat /var/log/elasticsearch/elasticsearch.log
Testing #
# From localhost
curl -X GET 'http://localhost:9200'
# From another host (requires the "Connection from: Anywhere" network.host setting above)
http://192.168.30.90:9200
Kibana #
Installation #
# Install Kibana
sudo apt install kibana
# Start Kibana Dashboard
sudo systemctl start kibana
# Check status
sudo systemctl status kibana
# Check logs
sudo tail /var/log/kibana/kibana.log
# Enable service
sudo systemctl enable kibana
Configuration #
# Open configuration
sudo vi /etc/kibana/kibana.yml
# Define the public base URL: must match the server name Nginx serves
server.publicBaseUrl: "https://elk.jklug.work"
Certbot #
# Install Certbot
sudo apt install certbot -y
# Create certificate
sudo certbot certonly --standalone -d elk.jklug.work
Create User #
- Optional: Create user for restricted Nginx access
# Create "Admin" user: prompt for the password and store it hashed with the apr1 (MD5-based) scheme
echo "Admin:`openssl passwd -apr1`" | sudo tee -a /etc/nginx/htpasswd.users
Nginx #
# Install nginx
sudo apt install nginx -y
# Copy default config
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/elk.jklug.work
# Edit config
sudo vi /etc/nginx/sites-available/elk.jklug.work
# elk.jklug.work
# Reverse proxy in front of Kibana: terminates TLS with the Let's Encrypt certificate
# issued above and requires HTTP basic authentication for every path.
server {
# HTTPS only; no plain-HTTP listener or redirect is defined, and port 80 stays unbound
# (the default site is removed below), which presumably keeps it free for certbot --standalone renewals
listen 443 ssl;
server_name elk.jklug.work;
ssl_certificate /etc/letsencrypt/live/elk.jklug.work/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/elk.jklug.work/privkey.pem;
# Basic auth applies to the whole server block; credentials are only ever sent over TLS (443)
auth_basic "Please authenticate"; # Define text for user & pw prompt
auth_basic_user_file /etc/nginx/htpasswd.users; # Define path to pw file (written by the htpasswd step above)
location / {
# Forward to Kibana on the loopback interface; Nginx is the only network-facing entry point
proxy_pass http://localhost:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# NOTE(review): 'upgrade' is sent on every request, not only on WebSocket upgrades; the
# usual pattern derives the Connection value from $http_upgrade via a map in the http context — confirm
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
# Test configuration
sudo nginx -t
# Disable default configuration
sudo rm /etc/nginx/sites-enabled/default
# Enable config
sudo ln -s /etc/nginx/sites-available/elk.jklug.work /etc/nginx/sites-enabled/
# Restart Nginx
sudo systemctl restart nginx
# Check status
sudo systemctl status nginx
# Check logs
sudo tail /var/log/nginx/error.log
Webinterface #
# Open webinterface
elk.jklug.work/status
Logstash #
Logstash is used to process the collected data, transform it into a common format and export it into the Elasticsearch database.
Installation #
# Install Open Java Development Kit
sudo apt install default-jre -y
# Install Logstash
sudo apt install logstash
Configuration #
# Create input configuration: Filebeat input
sudo vi /etc/logstash/conf.d/02-beats-input.conf
# /etc/logstash/conf.d/02-beats-input.conf
# Accept events from Filebeat (Beats protocol) on TCP 5044.
input {
beats {
port => 5044
# NOTE(review): no TLS is configured here, so events from the other hosts (their Filebeat
# points at 192.168.30.90:5044 below) cross the network in clear text, and any host that can
# reach this port can submit events; the input presumably binds all interfaces by default — confirm.
# Consider the beats input's ssl options and a firewall rule limiting 5044 to the monitored hosts.
}
}
# Create output configuration: Store Filebeat data in Elasticsearch
sudo vi /etc/logstash/conf.d/30-elasticsearch-output.conf
# /etc/logstash/conf.d/30-elasticsearch-output.conf
# Write every event to the local Elasticsearch instance. Filebeat modules presumably set
# [@metadata][pipeline] to the ingest pipeline that should parse the event (see the
# "filebeat setup --pipelines" step below).
output {
if [@metadata][pipeline] {
# Event names a pipeline: pass it on so Elasticsearch runs that ingest pipeline on indexing
elasticsearch {
# plain HTTP over loopback only
hosts => ["localhost:9200"]
# the index template is loaded by "filebeat setup --index-management", not by Logstash
manage_template => false
# one index per beat, version and day, e.g. filebeat-<version>-<date>
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
pipeline => "%{[@metadata][pipeline]}"
}
} else {
# No pipeline requested: index the event as-is under the same naming scheme
elasticsearch {
hosts => ["localhost:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}
}
# Test configuration
sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t
Start & Enable #
# Start Logstash
sudo systemctl start logstash
# Check status
sudo systemctl status logstash
# Check log
sudo tail /var/log/logstash/logstash-plain.log
# Enable Logstash
sudo systemctl enable logstash
Filebeat Localhost #
Installation #
# Install Filebeat
sudo apt install filebeat
Open Configuration #
# Open configuration
sudo vi /etc/filebeat/filebeat.yml
Configuration: Elasticsearch #
Filebeat does not need to send data directly to Elasticsearch; it ships to Logstash instead.
- Comment out the following section:
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]
- Should look like this
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
# Array of hosts to connect to.
#hosts: ["localhost:9200"]
Configuration: Logstash #
Configure Filebeat to connect to Logstash.
- Uncomment the following section:
# ------------------------------ Logstash Output -------------------------------
#output.logstash:
# The Logstash hosts
#hosts: ["localhost:5044"]
- Should look like this
# ------------------------------ Logstash Output -------------------------------
output.logstash:
# The Logstash hosts
hosts: ["localhost:5044"]
Enable Modules #
# List enabled & disabled modules
sudo filebeat modules list
- Enable system module
# Enable system module: Collect logs from system log
sudo filebeat modules enable system
# Check the system module settings (the defaults can be left as they are)
sudo vi /etc/filebeat/modules.d/system.yml
Initial Filebeat Setup #
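# Perform initial Filebeat setup
# NOTE(review): at this point Filebeat's active output is Logstash (configured above), and
# loading ingest pipelines needs an Elasticsearch connection, so this first command is
# presumably rejected; the full setup below overrides the outputs and should cover the
# pipelines as well — confirm on the installed version.
sudo filebeat setup --pipelines --modules system
# Load the index template into Elasticsearch
sudo filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
# Initial setup: Disable the Logstash output and enable Elasticsearch output
# The hosts value is quoted as one shell word, as in the command above: left unquoted
# (['localhost:9200']) the shell strips the single quotes before Filebeat parses the value.
sudo filebeat setup -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]' -E setup.kibana.host=localhost:5601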
Start & Enable #
# Start Filebeat
sudo systemctl start filebeat
# Check status
sudo systemctl status filebeat
# Check logs
sudo cat /var/log/filebeat/filebeat
# Enable service
sudo systemctl enable filebeat
Filebeat Other Hosts #
Installation #
# Download and install the public signing key
sudo wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
# Save the repository definition to /etc/apt/sources.list.d/elastic-7.x.list (7.x package repository)
sudo echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
# Update package index & install Filebeat
sudo apt update && sudo apt install filebeat
Open Configuration #
# Open configuration
sudo vi /etc/filebeat/filebeat.yml
Configuration: Elasticsearch #
Filebeat does not need to send data directly to Elasticsearch; it ships to Logstash instead.
- Comment out the following section:
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]
- Should look like this
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
# Array of hosts to connect to.
#hosts: ["localhost:9200"]
Configuration: Logstash #
Configure Filebeat to connect to Logstash.
- Uncomment the following section:
# ------------------------------ Logstash Output -------------------------------
#output.logstash:
# The Logstash hosts
#hosts: ["localhost:5044"]
- Set the IP of the Logstash server (the ELK server, 192.168.30.90)
- Should look like this
# ------------------------------ Logstash Output -------------------------------
output.logstash:
# The Logstash hosts
hosts: ["192.168.30.90:5044"]
Enable Modules #
- Enable system module
# Enable system module: Collect logs from system log
sudo filebeat modules enable system
# Check the system module settings (the defaults can be left as they are)
sudo vi /etc/filebeat/modules.d/system.yml
Start & Enable #
# Start Filebeat
sudo systemctl start filebeat
# Check status
sudo systemctl status filebeat
# Check logs
sudo cat /var/log/filebeat/filebeat
# Enable service
sudo systemctl enable filebeat
Kibana Dashboard #
Open Dashboard #
# Open webinterface
https://elk.jklug.work
Visualize Data #
- Open Discover section
- Visualize data for “Host OS Version”
Links #
# Elasticsearch official documentation (8.11 guide; note that the repository added above is the 7.x one)
https://www.elastic.co/guide/en/elasticsearch/reference/8.11/deb.html#deb-repo