
ELK Stack: Bare-Metal Deployment

ELK Stack Elasticsearch Kibana Logstash Filebeat Nginx

Prerequisites
#

For this tutorial I use two Ubuntu 22.04 servers.

# ELK server
192.168.30.90 ubuntu

# Monitoring host
192.168.30-90 elkhost1

ELK Stack
#

Elasticsearch
#

Installation
#

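# Download the Elastic GPG signing key and store it dearmored in the keyring directory
# (wget -O - writes to stdout, so only the gpg step needs root)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg

# Save the repository definition to /etc/apt/sources.list.d/elastic-7.x.list
# NOTE: this pins the 7.x package line while the Links section points at the 8.x docs —
# choose one major version deliberately. 8.x turns on TLS and authentication for
# Elasticsearch at install time; 7.x leaves both off unless configured by hand.
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list

# Update package index & install Elasticsearch
sudo apt update && sudo apt install elasticsearch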

Configuration
#

# Open configuration file (the three variants below are alternatives for the same file; pick one)
sudo vi /etc/elasticsearch/elasticsearch.yml
  • Connection from: Only localhost
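# Network host: bind Elasticsearch to the loopback interface only
network.host: localhost

# Default port: First available port starting with 9200
http.port: 9200

# Define master node. The names listed here must match node.name exactly, and
# node.name defaults to the hostname — so set it explicitly, otherwise cluster
# bootstrap waits for a node called "node-1" that never appears.
node.name: node-1
cluster.initial_master_nodes: ["node-1"]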
  • Connection from: Anywhere
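# Network host: listen on every interface (For testing purposes).
# Elasticsearch 7.x ships with xpack.security disabled, so with this binding anyone who
# can reach TCP/9200 can read, modify and delete every index without credentials. The
# Nginx basic auth further down only fronts Kibana (5601), not this port. Use this only
# on an isolated test network, or restrict 9200 with a host firewall / enable
# xpack.security and TLS.
network.host: 0.0.0.0

# Default port: First available port starting with 9200
http.port: 9200

# Define master node; must match node.name (which defaults to the hostname), so set both
node.name: node-1
cluster.initial_master_nodes: ["node-1"]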
  • Default paths
# Default data path (index files; back this directory up, not the logs)
path.data: /var/lib/elasticsearch

# Default log path (the "Check log" step below reads from here)
path.logs: /var/log/elasticsearch

Start & Enable
#

# Pick up the unit file installed by the package
sudo systemctl daemon-reload

# Enable autostart and start the service in one step
sudo systemctl enable --now elasticsearch

# Check status
sudo systemctl status elasticsearch

# Check log (directory is the path.logs setting from elasticsearch.yml)
sudo cat /var/log/elasticsearch/elasticsearch.log

Testing
#

# From localhost (GET is curl's default method)
curl 'http://localhost:9200'

# From another host on the network — browser URL; only reachable with the
# network.host: 0.0.0.0 variant, and note that no login is asked for
http://192.168.30.90:9200

Kibana
#

Installation
#

# Install Kibana (from the Elastic repository added above)
sudo apt install kibana

# Enable autostart and start the Kibana dashboard in one step
sudo systemctl enable --now kibana

# Check status
sudo systemctl status kibana

# Check logs
sudo tail /var/log/kibana/kibana.log

Configuration
#

# Open configuration
sudo vi /etc/kibana/kibana.yml

# Define server name: Same as Nginx. This is the URL users reach Kibana at through the
# proxy (no trailing slash). Kibana itself keeps its default bind address (localhost), which
# is where the Nginx proxy_pass below points — only Nginx is meant to be reachable from outside.
server.publicBaseUrl: "https://elk.jklug.work"

Certbot
#

# Install Certbot
sudo apt install -y certbot

# Create certificate. --standalone starts Certbot's own listener on port 80, so DNS for the
# name must already point at this host and port 80 must be free and reachable. The Nginx
# server block below listens on 443 only, which leaves 80 free for standalone renewals.
sudo certbot certonly --standalone -d elk.jklug.work

Create User
#

  • Optional: create a user for password-restricted access through Nginx
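# Create "Admin" user. openssl prompts for the password on the terminal and writes an
# apr1 (MD5-based crypt) hash — the file stores hashes, not encrypted passwords.
# Run this after Nginx is installed (next section): /etc/nginx does not exist before that.
echo "Admin:$(openssl passwd -apr1)" | sudo tee -a /etc/nginx/htpasswd.users

# Only root and the Nginx worker user (www-data on Ubuntu) need to read the hash file
sudo chown root:www-data /etc/nginx/htpasswd.users && sudo chmod 640 /etc/nginx/htpasswd.users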

Nginx
#

# Install nginx
sudo apt install -y nginx

# Start the site file from the packaged default, then replace its contents with the server block below
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/elk.jklug.work
sudo vi /etc/nginx/sites-available/elk.jklug.work

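# elk.jklug.work — TLS-terminating reverse proxy in front of Kibana
server {
    listen 443 ssl;             # HTTPS only: there is no port-80 listener, so credentials are never accepted in clear
    server_name elk.jklug.work;

    ssl_certificate         /etc/letsencrypt/live/elk.jklug.work/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/elk.jklug.work/privkey.pem;
    ssl_protocols           TLSv1.2 TLSv1.3;    # the distro-wide nginx.conf may still allow TLSv1/TLSv1.1

    # Basic auth is inherited by every location in this server block. The browser resends the
    # credentials base64-encoded on each request, so the TLS settings above are what protect them.
    auth_basic "Please authenticate"; # Define text for user & pw prompt
    auth_basic_user_file /etc/nginx/htpasswd.users;  # Define path to pw file

    location / {
        proxy_pass http://localhost:5601;           # Kibana on its default localhost bind; only Nginx is exposed
        proxy_http_version 1.1;
        # Upgrade/Connection headers let WebSocket connections pass through the proxy
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}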
# Validate the configuration before touching the running service
sudo nginx -t

# Disable the packaged default site and enable ours (sites-enabled holds symlinks)
sudo rm /etc/nginx/sites-enabled/default
sudo ln -s /etc/nginx/sites-available/elk.jklug.work /etc/nginx/sites-enabled/

# Restart Nginx and verify
sudo systemctl restart nginx
sudo systemctl status nginx

# Check logs
sudo tail /var/log/nginx/error.log

Webinterface
#

# Open webinterface: Kibana's status page, served through the Nginx proxy over HTTPS
# (expect the basic-auth prompt configured above first)
elk.jklug.work/status

Logstash
#

Logstash is used to process the collected data, transform it into a common format and export it into the Elasticsearch database.

Installation
#

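# Install a Java runtime (default-jre is a JRE, not a JDK).
# NOTE(review): recent 7.x Logstash packages bundle their own JDK, so this step may be
# unnecessary — check the Logstash docs for the installed version.
sudo apt install -y default-jre

# Install Logstash
sudo apt install logstash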

Configuration
#

# Create input configuration: Filebeat input (Logstash loads conf.d/* in name order, hence the numeric prefixes)
sudo vi /etc/logstash/conf.d/02-beats-input.conf

# /etc/logstash/conf.d/02-beats-input.conf
# Accepts the Beats protocol. Without an explicit host => the input listens on all
# interfaces, which the remote Filebeat (hosts: ["192.168.30.90:5044"]) relies on.
# Traffic is plain TCP here — set ssl => true with a certificate/key pair (and the
# matching ssl settings on the Filebeat side) before shipping logs across an untrusted network.
input {
  beats {
    port => 5044
  }
}
# Create output configuration: Store Filebeat data in Elasticsearch
sudo vi /etc/logstash/conf.d/30-elasticsearch-output.conf

# /etc/logstash/conf.d/30-elasticsearch-output.conf
# Write every event to the local Elasticsearch, one daily index per Beat and version.
# Events that carry an ingest pipeline name in @metadata (Filebeat modules set it) are
# routed through that pipeline; the two branches are otherwise identical because a
# plugin option cannot be made conditional inline.
output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts           => ["localhost:9200"]
      manage_template => false   # the index template is loaded by "filebeat setup", not here
      index           => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline        => "%{[@metadata][pipeline]}"
    }
  } else {
    elasticsearch {
      hosts           => ["localhost:9200"]
      manage_template => false
      index           => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}
# Test configuration (run as the logstash user so file permissions are checked the way the service sees them)
sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t

Start & Enable
#

# Enable autostart and start Logstash in one step
sudo systemctl enable --now logstash

# Check status
sudo systemctl status logstash

# Check log
sudo tail /var/log/logstash/logstash-plain.log

Filebeat Localhost
#

Installation
#

# Install Filebeat (same Elastic repository as Elasticsearch/Kibana)
sudo apt install filebeat

Open Configuration
#

# Open configuration (the two output sections edited below are in this file)
sudo vi /etc/filebeat/filebeat.yml

Configuration: Elasticsearch
#

Filebeat does not need to send data directly to Elasticsearch; it ships to Logstash instead.

  • Comment out the following section:
# ---------------------------- Elasticsearch Output ----------------------------
# (as shipped in filebeat.yml — prefix the two active lines below with "#")
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
  • Should look like this
# ---------------------------- Elasticsearch Output ----------------------------
# (result: only one output may be enabled at a time, so this one is now off)
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

Configuration: Logstash
#

Configure Filebeat to connect to Logstash.

  • Uncomment the following section:
# ------------------------------ Logstash Output -------------------------------
# (as shipped in filebeat.yml — remove the leading "#" from the two lines below)
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]
  • Should look like this
# ------------------------------ Logstash Output -------------------------------
# Ship to the local Logstash beats input (port 5044 from 02-beats-input.conf)
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]

Enable Modules
#

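# List enabled & disabled modules
sudo filebeat modules list

# Enable system module: Collect logs from the system log
sudo filebeat modules enable system

# Check system module setting: Leave by default
sudo vi /etc/filebeat/modules.d/system.yml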

Initial Filebeat Setup
#

# Perform initial Filebeat setup: load the system module's ingest pipelines into Elasticsearch.
# NOTE(review): pipelines are loaded through the Elasticsearch output; if this step reports
# that the Elasticsearch output is not enabled, add the same -E overrides used below.
sudo filebeat setup --pipelines --modules system

# Load the index template into Elasticsearch. The -E flags override filebeat.yml for this one
# command only: Logstash output off, Elasticsearch output on (filebeat.yml stays unchanged).
sudo filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'

# Initial setup: same overrides plus the Kibana address. Run this on the ELK host itself —
# Kibana is only reachable on localhost:5601 there (that is what Nginx proxies to).
sudo filebeat setup -E output.logstash.enabled=false -E output.elasticsearch.hosts=['localhost:9200'] -E setup.kibana.host=localhost:5601

Start & Enable
#

# Enable autostart and start Filebeat in one step
sudo systemctl enable --now filebeat

# Check status
sudo systemctl status filebeat

# Check logs
sudo cat /var/log/filebeat/filebeat

Filebeat Other Hosts
#

Installation
#

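# Download the Elastic GPG signing key and store it dearmored in the keyring directory
# (wget -O - writes to stdout, so only the gpg step needs root)
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg

# Save the repository definition to /etc/apt/sources.list.d/elastic-7.x.list
# (same 7.x line as the ELK server — Filebeat and Logstash should stay on the same major version)
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list

# Update package index & install Filebeat
sudo apt update && sudo apt install filebeat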

Open Configuration
#

# Open configuration (the two output sections edited below are in this file)
sudo vi /etc/filebeat/filebeat.yml

Configuration: Elasticsearch
#

Filebeat does not need to send data directly to Elasticsearch; it ships to Logstash on the ELK server instead.

  • Comment out the following section:
# ---------------------------- Elasticsearch Output ----------------------------
# (as shipped in filebeat.yml — prefix the two active lines below with "#")
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
  • Should look like this
# ---------------------------- Elasticsearch Output ----------------------------
# (result: only one output may be enabled at a time, so this one is now off)
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

Configuration: Logstash
#

Configure Filebeat to connect to Logstash.

  • Uncomment the following section:
# ------------------------------ Logstash Output -------------------------------
# (as shipped in filebeat.yml — uncomment both lines and replace localhost with the ELK server IP)
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]
  • Define IP to Logstash server
  • Should look like this
# ------------------------------ Logstash Output -------------------------------
# Ship to the Logstash beats input on the ELK server; TCP/5044 must be reachable through
# any host firewall there. As configured (no ssl settings on either side) the log lines
# cross the network in clear text, so keep this to a trusted segment or enable TLS on the
# beats input and here.
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.30.90:5044"]

Enable Modules
#

  • Enable system module
# Enable system module: Collect logs from the system log
# (no "filebeat setup" here — pipelines, template and dashboards were loaded once from the ELK host)
sudo filebeat modules enable system

# Check system module setting: Leave by default
sudo vi /etc/filebeat/modules.d/system.yml

Start & Enable
#

# Enable autostart and start Filebeat in one step
sudo systemctl enable --now filebeat

# Check status
sudo systemctl status filebeat

# Check logs (connection errors to 192.168.30.90:5044 show up here)
sudo cat /var/log/filebeat/filebeat

Kibana Dashboard
#

Open Dashboard
#

# Open webinterface (through the Nginx proxy; log in with the htpasswd user created above)
https://elk.jklug.work

Visualize Data
#

  • Open Discover section
  • Visualize data for “Host OS Version”

Links #

# Elasticsearch Official Documentation
# (this is the 8.11 page; the repository line used above installs the 7.x series — the
# 8.x installation steps differ, notably the security auto-configuration on first start)
https://www.elastic.co/guide/en/elasticsearch/reference/8.11/deb.html#deb-repo