How to set up ELK Stack for Logs Monitoring on Ubuntu 22.04

Introduction

The ELK Stack (Elasticsearch, Logstash, Kibana) is one of the most popular open-source tools for log monitoring and analysis. It helps administrators collect, search, analyze, and visualize logs from multiple servers in one place. This makes it easier to troubleshoot issues, monitor security, and generate reports.

Benefits of ELK for Logs Monitoring

  • Centralized Logs: Collect logs from multiple servers in one location.
  • Fast Search: Elasticsearch indexes logs for quick searching.
  • Visualization: Kibana provides dashboards and graphs for better understanding.
  • Troubleshooting: Quickly detect system errors and application issues.
  • Security: Helps analyze suspicious activity across servers.
  • Scalability: Can handle huge amounts of logs in production.

Step 1: Update System

sudo apt update && sudo apt upgrade -y

Step 2: Install Elasticsearch

Download and install Elasticsearch. Ubuntu 22.04 deprecates apt-key, so the repository signing key goes into /usr/share/keyrings and is referenced with signed-by:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt install -y apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update
sudo apt install -y elasticsearch

The 8.x package enables security by default: the install output prints a generated password for the built-in elastic user, and a CA certificate for the HTTPS listener is written to /etc/elasticsearch/certs/http_ca.crt. Save the password; if it is lost it can be reset with:

sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

Edit config file /etc/elasticsearch/elasticsearch.yml:

network.host: 0.0.0.0
discovery.type: single-node

The package also adds a cluster.initial_master_nodes line to this file; remove it, because Elasticsearch refuses to start when it is combined with single-node discovery. Binding to 0.0.0.0 listens on every interface, so restrict port 9200 with a firewall (or bind to a specific address) if the server is reachable from untrusted networks.

Enable and start service:

sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch

Test Elasticsearch (HTTPS with the auto-generated CA; curl prompts for the elastic password):

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200/

Step 3: Install Logstash

sudo apt install -y logstash

Create a simple Logstash config /etc/logstash/conf.d/syslog.conf. Besides tailing the local syslog it opens a Beats listener on port 5044, which the Filebeat agents from Step 5 connect to, and it reaches Elasticsearch 8.x over HTTPS as the elastic user. Two permission fixes are needed first: the logstash user cannot read /var/log/syslog or the CA under /etc/elasticsearch/certs by default, so add it to the adm group and give it a readable copy of the CA:

sudo usermod -aG adm logstash
sudo cp /etc/elasticsearch/certs/http_ca.crt /etc/logstash/http_ca.crt
sudo chmod 644 /etc/logstash/http_ca.crt

input {
  file {
    path => "/var/log/syslog"
    type => "syslog"
  }
  beats {
    port => 5044                      # events forwarded by Filebeat (Step 5)
  }
}
output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    user => "elastic"
    password => "ELASTIC_PASSWORD"    # the password printed when Elasticsearch was installed
    cacert => "/etc/logstash/http_ca.crt"   # newer 8.x releases also accept ssl_certificate_authorities
  }
  stdout { codec => rubydebug }
}

A superuser password in a plain config file is acceptable for a lab only; for anything else store it in the Logstash keystore (sudo /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_PWD) and reference it as password => "${ES_PWD}", or create a dedicated user limited to writing the log indices.

Start service:

sudo systemctl enable logstash
sudo systemctl start logstash

Step 4: Install Kibana

sudo apt install -y kibana

Edit config file /etc/kibana/kibana.yml:

server.host: "0.0.0.0"

Do not point elasticsearch.hosts at http://localhost:9200: Elasticsearch 8.x only answers over HTTPS and requires authentication, so Kibana must be enrolled instead. Generate an enrollment token on the Elasticsearch node and pass it to kibana-setup, which fills in elasticsearch.hosts, the CA and a service-account token in kibana.yml:

sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
sudo /usr/share/kibana/bin/kibana-setup --enrollment-token <token from the previous command>

Start Kibana:

sudo systemctl enable kibana
sudo systemctl start kibana

Access Kibana at http://server-ip:5601 and log in as the elastic user. Kibana itself is served over plain HTTP here, so keep port 5601 firewalled to admin networks or put it behind a TLS reverse proxy before exposing it.

Step 5: Send Logs from Other Servers

Install Filebeat on a remote server to forward logs (add the Elastic apt repository and signing key from Step 2 on that server first, otherwise apt will not find the package):

sudo apt install -y filebeat

Edit /etc/filebeat/filebeat.yml: comment out the default output.elasticsearch section, because Filebeat accepts exactly one output, and set Logstash as output:

output.logstash:
  hosts: ["elk-server-ip:5044"]

The default file also ships with its inputs disabled, so enable at least one, e.g. a filestream input (with an id, which 8.x requires) for /var/log/syslog and /var/log/auth.log. Port 5044 on the ELK server must be reachable from the remote host, and the Beats connection is unencrypted unless the ssl options are configured on both the Logstash input and the Filebeat output.

Enable and start Filebeat:

sudo systemctl enable filebeat
sudo systemctl start filebeat

Step 6: Practical Steps for Students

  • Check Elasticsearch health: curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic "https://localhost:9200/_cluster/health?pretty" (yellow is expected on a single node, because replica shards cannot be allocated).
  • Check if Logstash is processing logs: sudo journalctl -u logstash -f
  • Check Filebeat: sudo filebeat test output verifies the connection to Logstash; sudo journalctl -u filebeat -f shows its log (files are also written under /var/log/filebeat/).
  • Search logs in Kibana → Discover tab.
  • Create simple dashboards in Kibana (e.g., login attempts, errors).
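The checks above can be combined into one script. The following is an added example, not part of the original tutorial: it verifies that the three listeners are up, that the cluster is green or yellow, and that documents are actually arriving. It assumes the 8.x defaults (HTTPS on 9200 with the auto-generated CA), the elastic password exported in ELASTIC_PASSWORD, and Logstash 8 writing to its default data stream, which the pattern logs-* matches; adjust ES_INDEX if you set an index name in the output.

```shell
#!/usr/bin/env bash
# Added example: end-to-end check of the pipeline from Steps 2-5.
# Assumptions: Elasticsearch 8.x defaults (HTTPS on 9200, auto-generated CA),
# the elastic password exported in ELASTIC_PASSWORD, and Logstash 8 writing
# to its default data stream, which the pattern logs-* matches.
ES_URL="${ES_URL:-https://localhost:9200}"
ES_CA="${ES_CA:-/etc/elasticsearch/certs/http_ca.crt}"
ES_INDEX="${ES_INDEX:-logs-*}"

# Extract the "status" value from a _cluster/health JSON body.
health_status() {
  printf '%s' "$1" | sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p'
}

# green or yellow is fine (yellow is normal on single-node: replicas cannot allocate); red is not.
health_ok() {
  case "$(health_status "$1")" in
    green|yellow) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the document count from a /<index>/_count JSON body.
doc_count() {
  printf '%s' "$1" | sed -n 's/.*"count" *: *\([0-9]*\).*/\1/p'
}

# From `ss -ltn` output, list the expected ports (9200 ES, 5044 Logstash beats, 5601 Kibana) nobody listens on.
missing_ports() {
  local missing="" port
  for port in 9200 5044 5601; do
    printf '%s\n' "$1" | grep -q ":$port " || missing="$missing $port"
  done
  printf '%s' "${missing# }"
}

check_pipeline() {
  local gone health count
  gone=$(missing_ports "$(ss -ltn)")
  [ -z "$gone" ] || { echo "nothing listening on: $gone"; return 1; }
  health=$(curl -sf --cacert "$ES_CA" -u "elastic:$ELASTIC_PASSWORD" "$ES_URL/_cluster/health") || return 1
  health_ok "$health" || { echo "cluster status is $(health_status "$health")"; return 1; }
  count=$(doc_count "$(curl -sf --cacert "$ES_CA" -u "elastic:$ELASTIC_PASSWORD" "$ES_URL/$ES_INDEX/_count")")
  [ "${count:-0}" -gt 0 ] || { echo "no documents in $ES_INDEX yet"; return 1; }
  echo "OK: $ES_INDEX holds $count documents"
}

# Run the live check only when invoked as "./elk-check.sh run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then check_pipeline; fi
```

Run it on the ELK server as ELASTIC_PASSWORD='...' ./elk-check.sh run; a non-zero exit with the printed reason tells you which stage of the pipeline to look at.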

Tips & Tricks for Interview

  • Q: What is the role of Elasticsearch in ELK? A: Stores and indexes logs for fast searching.
  • Q: How does Logstash differ from Filebeat? A: Logstash processes and filters logs; Filebeat only forwards them.
  • Q: Which port does Kibana use by default? A: Port 5601.
  • Q: How do you check if Elasticsearch is running? A: curl -X GET "localhost:9200/"
  • Q: What are common use cases of ELK? A: Centralized logging, troubleshooting, security monitoring, SIEM.

Conclusion

We successfully set up the ELK stack (Elasticsearch, Logstash, Kibana) on Ubuntu 22.04. We also added Filebeat to send logs from other servers. Now all system and application logs are centralized and can be searched and visualized in Kibana. ELK is widely used in production environments and is a must-learn skill for Linux and DevOps engineers.
