How to Install ELK Stack on Ubuntu 20.04 / 22.04 - Complete Step-by-Step Guide


Introduction

Data is everything for any business. However, the only way businesses can truly leverage their data is to have the right system to collect, search, and analyze vast amounts of data effortlessly.

The ELK stack (Elasticsearch, Logstash, and Kibana) brings this capability to your operations. When deployed, the ELK stack is a powerful suite of open-source tools designed for searching, analyzing, and visualizing large volumes of data in real time.

In this tutorial, we will discuss what the ELK stack is and how to install it on Ubuntu 20.04 and Ubuntu 22.04.

What is ELK Stack?

The ELK stack is a collection of well-known open-source software tools used for log management, data analysis, and visualization.

A traditional ELK Stack is based on three main components:

  • Elasticsearch: A distributed, RESTful search and analytics engine that stores and indexes data. It allows for fast and efficient search and retrieval of information. Developers prefer Elasticsearch because of its support for complex queries and aggregations.
  • Logstash: A data processing pipeline that ingests data from multiple sources simultaneously and prepares it for processing by Elasticsearch. Logstash adds value to the stack by parsing, filtering, and enriching the data.
  • Kibana: A web-based visualization platform that works on top of Elasticsearch. It allows users to interact with the stored data and create dashboards, charts, and graphs to gain insights and identify trends.

The ELK stack is widely used across various industries due to its versatility and features that handle large volumes of data effortlessly. It is commonly implemented for log and event data analysis, security monitoring, general IT operations, and infrastructure monitoring.

Prerequisites for Installing ELK Stack

Before diving in, ensure you have the following:

  • A system running Ubuntu 20.04 / 22.04
  • A user account with sudo or administrative privileges
  • Terminal or command line access
  • Java version 8 or 11 installed

Step #1: Install Dependencies

Since the ELK stack requires Java to function correctly, the first step is to verify that Java 8 is installed.

To verify the Java version:
java -version

If the output shows a version of the form 1.8.x_xxx, Java 8 is already installed. If not, install it with:
sudo apt-get install openjdk-8-jdk

Next, install NGINX as a reverse proxy for the Kibana dashboard:
sudo apt-get install nginx

Step #2: Add the Elastic Repository

The ELK Stack components are available through official Elastic repositories. These repositories provide access to the latest packages and updates.

First, import the Elastic GPG key:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Then, install the apt-transport-https package:
sudo apt-get install apt-transport-https

Add the Elastic repository to your system:
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list

Step #3: Install Elasticsearch

Update the system's package repository:
sudo apt-get update

Next, install Elasticsearch:
sudo apt-get install elasticsearch

Configure Elasticsearch by editing the configuration file:
sudo nano /etc/elasticsearch/elasticsearch.yml

Modify the following lines:

network.host: localhost
http.port: 9200
discovery.type: single-node

To optimize the Java Virtual Machine (JVM) heap size, open:
sudo nano /etc/elasticsearch/jvm.options

Adjust the memory settings:

-Xms512m
-Xmx512m

Start and enable Elasticsearch:
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

Test the installation:
curl -X GET "localhost:9200"
Step #4: Install Kibana

Install Kibana:
sudo apt-get install kibana

Edit the Kibana configuration:
sudo nano /etc/kibana/kibana.yml

Update the following settings:

server.port: 5601
server.host: "localhost"
elasticsearch.hosts: ["http://localhost:9200"]

Start and enable Kibana:
sudo systemctl start kibana
sudo systemctl enable kibana

Allow access on port 5601:
sudo ufw allow 5601/tcp

Access the Kibana dashboard via a web browser:
http://localhost:5601

Step #5: Install Logstash

Install Logstash:
sudo apt-get install logstash

Start and enable Logstash:
sudo systemctl start logstash
sudo systemctl enable logstash

Step #6: Install Filebeat

Install Filebeat:
sudo apt-get install filebeat

Enable the system module:
sudo filebeat modules enable system

Edit the Filebeat configuration file:
sudo nano /etc/filebeat/filebeat.yml

Set the output:

output.elasticsearch:
  hosts: ["localhost:9200"]

Start and enable Filebeat:
sudo systemctl start filebeat
sudo systemctl enable filebeat

Verify the installation:
curl -XGET "http://localhost:9200/_cat/indices?v"
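The following script is an added example, not part of the original tutorial: it checks that the bind settings edited in Steps 3 and 4 keep Elasticsearch and Kibana on loopback (so NGINX from Step 1 is the only entry point) and parses the `_cat/indices?v` output from this step to confirm a Filebeat index exists. The sample configuration files and index listing it operates on are constructed inline, so it runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): post-install checks for the
# bind settings from Steps 3 and 4 and the _cat/indices?v output from Step 6.
set -u

# Print the value of a top-level YAML key such as network.host, skipping
# commented-out lines and stripping surrounding quotes.
yaml_value() {
  local file="$1" key="$2"
  sed -n "s/^[[:space:]]*${key}:[[:space:]]*//p" "$file" | head -n1 | tr -d "'\""
}
# 0 if the address keeps the service on loopback (_local_ is Elasticsearch's
# alias for the loopback interface).
is_loopback() {
  case "$1" in
    localhost|127.0.0.1|::1|_local_) return 0 ;;
    *) return 1 ;;
  esac
}
# Check that a service is reachable only through the NGINX proxy from Step 1.
# Returns 0 (loopback), 1 (exposed), 2 (key absent, package default applies).
check_bind() {
  local file="$1" key="$2" value
  value=$(yaml_value "$file" "$key")
  if [ -z "$value" ]; then
    echo "WARN $file: $key not set, package default applies"; return 2
  elif is_loopback "$value"; then
    echo "OK   $file: $key=$value"; return 0
  fi
  echo "FAIL $file: $key=$value listens beyond loopback"; return 1
}
# Read _cat/indices?v output on stdin (column 1 = health, column 3 = index);
# 0 if a filebeat-* index exists and is not red, 1 otherwise.
filebeat_index_ok() {
  awk 'NR > 1 && $3 ~ /^filebeat-/ && $1 != "red" { found = 1 }
       END { if (found) exit 0; exit 1 }'
}

# Constructed stand-ins for /etc/elasticsearch/elasticsearch.yml and /etc/kibana/kibana.yml.
demo() {
  local d; d=$(mktemp -d)
  printf '#network.host: 0.0.0.0\nnetwork.host: localhost\n' > "$d/elasticsearch.yml"
  printf 'server.host: "0.0.0.0"\n' > "$d/kibana.yml"
  check_bind "$d/elasticsearch.yml" network.host        # OK
  check_bind "$d/kibana.yml" server.host || true        # FAIL: Kibana bypasses the proxy
  rm -rf "$d"
}
demo
```

On a real host, point `check_bind` at the actual configuration files and pipe the `curl` output above into `filebeat_index_ok`.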

Conclusion

The ELK Stack is now successfully installed and configured on Ubuntu 20.04 / 22.04. With Elasticsearch for data storage and search, Logstash for data processing, and Kibana for visualization, you have a powerful platform for log management and data analysis.

Ensure that your system is properly secured before exposing the services to the internet. ELK is a highly flexible toolset that can be extended with additional plugins and modules to meet specific needs.
