Elasticsearch ELK Stack Installation

Logstash

Logstash is a tool for receiving, processing and outputting logs. All kinds of logs. System logs, webserver logs, error logs, application logs, and just about anything you can throw at it. Sounds great, eh?

Logstash provides a powerful pipeline for storing, querying, and analyzing your logs. When using Elasticsearch as a backend data store and Kibana as a front-end reporting tool, Logstash acts as the workhorse. It includes an arsenal of built-in inputs, filters, codecs, and outputs, enabling you to harness some powerful functionality with a small amount of effort.

Elasticsearch

Elasticsearch is a search server based on Lucene. It provides a distributed, multitenant-capable full-text search engine with a RESTful web interface and schema-free JSON documents. Elasticsearch is developed in Java and is released as open source under the terms of the Apache License. Elasticsearch is the second most popular enterprise search engine. It can be used to search all kinds of documents. It provides scalable search, has near real-time search, and supports multitenancy.

Kibana

Kibana is an open source analytics and visualization platform designed to work with Elasticsearch. You use Kibana to search, view, and interact with data stored in Elasticsearch indices. You can easily perform advanced data analysis and visualize your data in a variety of charts, tables, and maps.

Kibana makes it easy to understand large volumes of data. Its simple, browser-based interface enables you to quickly create and share dynamic dashboards that display changes to Elasticsearch queries in real time.

I have install ELK, the main components - Elasticsearch 1.7.0, Logstash 1.5.4 and and Kibana 4.1.1 on Ubuntu 14.04 LTS Server Edition. Storage Nginx access log into Elasticsearch with Logstash and setup browser-based dynamic interface with Kibana.

Install Java 8

Elasticsearch and Logstash require Java, so we will install that now. We will install Oracle Java 8 (update 20 or later) because that is what Elasticsearch recommends. It should, however, work fine with OpenJDK, if we decide to go that route.

  • Method 1

Add the Oracle Java PPA to apt:

$ sudo add-apt-repository -y ppa:webupd8team/java

Update my apt package database:

$ sudo apt-get update

Install the latest stable version of Oracle Java 8 with this command (and accept the license agreement that pops up):

$ sudo apt-get -y install oracle-java8-installer

Now that Java 8 is installed, let's install ElasticSearch.

  • Method 2

Download Java SE from Oracle official website

I have download jdk-8u60-linux-x64.tar.gz. Create directory

$ sudo mkdir /usr/lib/jvm

Unzip to install directory

$ sudo tar -zxvf jdk-8* -C /usr/lib/jvm

Setup environment variable

$ sudo vim ~/.bashrc

Append following code

# Set Oracle JDK environment
export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_60
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH

Setup default JDK version of system

$ sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/jdk1.8.0_60/bin/java 300
$ sudo update-alternatives --install /usr/bin/javac javac /usr/lib/jvm/jdk1.8.0_60/bin/javac 300
$ sudo update-alternatives --install /usr/bin/jar jar /usr/lib/jvm/jdk1.8.0_60/bin/jar 300
$ sudo update-alternatives --install /usr/bin/javah javah /usr/lib/jvm/jdk1.8.0_60/bin/javah 300
$ sudo update-alternatives --install /usr/bin/javap javap /usr/lib/jvm/jdk1.8.0_60/bin/javap 300
$ sudo update-alternatives --config java

Test installation

$ java -version

Install Elasticsearch

Install Elasticsearch please reference the post Elasticsearch Cluster on Ubuntu

After install edit the configuration

$ sudo vim /etc/elasticsearch/elasticsearch.yml

To restrict outside access to my Elasticsearch instance (port 9200), so outsiders can't read my data or shutdown my Elasticsearch cluster through the HTTP API. Find the line that specifies network.host, uncomment it, and replace its value with IP address so it looks like this:

network.host: 192.168.171.129

Save and exit elasticsearch.yml.

Now restart Elasticsearch:

$ sudo service elasticsearch restart

Then run the following command to start Elasticsearch on boot up:

$ sudo update-rc.d elasticsearch defaults 95 10

Now that Elasticsearch is up and running, let's install Kibana.

Install Kibana

Download Kibana 4 to our home directory with the following command:

$ cd ~; wget https://download.elastic.co/kibana/kibana/kibana-4.1.1-linux-x64.tar.gz

Extract Kibana archive with tar:

$ tar xvf kibana-*.tar.gz

Open the Kibana configuration file for editing:

$ vim ~/kibana-4*/config/kibana.yml

In the Kibana configuration file, find the line that specifies host, and replace the IP address (0.0.0.0 by default) with real IP address:

host: "192.168.171.129"

Save and exit. This setting makes it so Kibana will only be accessible to the IP address. This is fine because we will use an Nginx reverse proxy to allow external access.

Let's copy the Kibana files to a more appropriate location. Create the /opt directory with the following command:

$ sudo mkdir -p /opt/kibana

Now copy the Kibana files into my newly-created directory:

$ sudo cp -R ~/kibana-4*/* /opt/kibana/

Kibana can be started by running /opt/kibana/bin/kibana, but we want it to run as a service. Download a Kibana init script with this command:

$ cd /etc/init.d && sudo wget https://raw.githubusercontent.com/akabdog/scripts/master/kibana4_init && sudo mv kibana4_init kibana4

Now enable the Kibana service, and start it:

$ sudo chmod +x /etc/init.d/kibana4
$ sudo update-rc.d kibana4 defaults 96 9
$ sudo service kibana4 start

Before we can use the Kibana web interface, we have to set up a reverse proxy. Let's do that now, with Nginx.

Use apt to install Nginx

$ sudo apt-get install nginx

Now open the Nginx default server block in my favorite editor.

$ sudo vim /etc/nginx/sites-available/default

Delete the file's contents, and paste the following code block into the file. Be sure to update the server_name to match my server's name:

server {
    listen 80;

    server_name example.com;
    access_log  /var/log/nginx/kibana.myhost.org.access.log;

}

Install Logstash

Create the Logstash source list

$ echo 'deb http://packages.elasticsearch.org/logstash/1.5/debian stable main' | sudo tee /etc/apt/sources.list.d/logstash.list

Update our apt package database:

$ sudo apt-get update

Install Logstash with this command:

$ sudo apt-get install logstash

Logstash is installed but it is not configured yet.

Configure Logstash

Logstash configuration files are in the JSON-format, and reside in /etc/logstash/conf.d. The configuration consists of three sections: inputs, filters, and outputs.

Let's create a configuration file called logstash-sample.conf

$ sudo vim /etc/logstash/conf.d/logstash-sample.conf

Insert the following input configuration

input {
    file {
        #type => "nginx_access"
        codec => "json"
        path  => ["/var/log/nginx/kibana.myhost.org.access.log"]
    }
}
output {
    elasticsearch {
        embedded => false
        protocol => "http"
        host     => "192.168.171.129"
        port     => 9200
    }
}

Now, start Logstash to put our configuration changes into effect:

$ nohup /opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash-sample.conf &

In a web browser, visit public IP address on 5601 port (http://192.168.171.129:5601)

Elasticsearch ELK Stack Installation

Go ahead and select @timestamp from the dropdown menu, then click the Create button to create the first index.

Now click the Discover link in the top navigation bar. By default, this will show you all of the log data over the last 15 minutes. We should see a histogram with log events, with log messages below:

Elasticsearch ELK Stack Installation

Elasticsearch Browser

Elasticsearch ELK Stack Installation

Now that my Nginx access logs are centralized via Elasticsearch and Logstash, and I'm able to visualize them with Kibana 4.

Reference Article How To Install Elasticsearch, Logstash, and Kibana 4 on Ubuntu 14.04

Elasticsearch ELK Stack Installation
76 votes, 4.16 avg. rating (83% score)