Master ELK Stack: Step‑by‑Step Installation, Configuration, and Usage Guide

This article provides a comprehensive, step‑by‑step tutorial on installing, configuring, and operating the ELK stack—Elasticsearch, Logstash, and Kibana—including component overviews, system preparation, configuration files, essential Linux commands, and verification procedures for building a scalable log‑management solution.

Raymond Ops

ELK Overview

What is ELK

ELK is a stack composed of Elasticsearch, Logstash, and Kibana, providing a complete enterprise solution for log collection, analysis, and visualization. It offers flexible processing, simple configuration via JSON APIs, high‑performance search, linear scalability, and a rich web UI.

Elasticsearch

Elasticsearch is an open‑source distributed search engine built on Apache Lucene, offering real‑time search, indexing, and storage of data. It supports distributed architecture, zero‑configuration, automatic node discovery, sharding, replication, and a RESTful JSON API.

Real‑time search and analysis

Distributed architecture with real‑time file storage

Document‑oriented

High availability, easy scaling, clustering, sharding and replication

JSON‑friendly API

Logstash

Logstash is a log collection, processing, and forwarding tool. It runs in a client‑server model, gathering logs from clients, filtering and modifying them on the server, then sending the results to Elasticsearch.

Kibana

Kibana provides a web UI for visualizing data stored in Elasticsearch, enabling aggregation, analysis, and search of log data.

ELK Workflow

1. Deploy Logstash on each log‑generating server or on a centralized log server.
2. Logstash collects the logs, formats them, and outputs them to an Elasticsearch cluster.
3. Elasticsearch indexes and stores the formatted data.
4. Kibana queries Elasticsearch and displays charts and dashboards.

ELK Installation and Deployment

ELK installation diagram

Preparation

# systemctl disable --now firewalld
# setenforce 0
# yum -y install java
# hostnamectl set-hostname node1

Install Elasticsearch

Install package

# cd /data
# ls
elasticsearch-6.7.2.rpm ...
# rpm -ivh elasticsearch-6.7.2.rpm
# cd /etc/elasticsearch
# mkdir bak
# cp -a *.yml bak/

Configure elasticsearch.yml

cluster.name: my-elk-cluster
node.name: node1
node.master: true
node.data: true
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 9200
transport.tcp.port: 9300
discovery.zen.ping.unicast.hosts: ["192.168.10.10:9300","192.168.10.20:9300"]

System limits

* soft nofile 65536
* hard nofile 65536
* soft nproc 32000
* hard nproc 32000
* soft memlock unlimited
* hard memlock unlimited

systemd configuration

Adjust /etc/systemd/system.conf to increase DefaultLimitNOFILE, DefaultLimitNPROC, DefaultLimitCORE, etc.

Kernel parameters

vm.max_map_count=262144
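The limits above are the ones Elasticsearch refuses to start without (nofile, vm.max_map_count) or that silently break bootstrap.memory_lock (memlock). The following preflight checker is an added example, not part of the original article: it reads the effective limits of the host it runs on, compares them with the article's values, and keeps the judgement in a pure function so it can be exercised with constructed numbers.

```python
"""Preflight check for the host limits an Elasticsearch node needs.

Added example, not from the original article. Thresholds are the values the
article sets (nofile 65536, nproc 32000, memlock unlimited, vm.max_map_count
262144). Reading the host and judging the numbers are separate functions so the
judgement can be tested with constructed values.
"""
import resource
from pathlib import Path

# Minimums taken from the article's limits.conf and sysctl settings.
REQUIRED = {
    "nofile": 65536,
    "nproc": 32000,
    "max_map_count": 262144,
}
UNLIMITED = resource.RLIM_INFINITY


def read_host_values():
    """Collect the soft limits of the current process and the kernel mmap setting."""
    nofile_soft, _ = resource.getrlimit(resource.RLIMIT_NOFILE)
    nproc_soft, _ = resource.getrlimit(resource.RLIMIT_NPROC)
    memlock_soft, _ = resource.getrlimit(resource.RLIMIT_MEMLOCK)
    path = Path("/proc/sys/vm/max_map_count")
    # None when the file is missing (non-Linux host); evaluate() reports that as a failure.
    max_map_count = int(path.read_text()) if path.exists() else None
    return {
        "nofile": nofile_soft,
        "nproc": nproc_soft,
        "memlock": memlock_soft,
        "max_map_count": max_map_count,
    }


def evaluate(values):
    """Return {check: (ok, detail)} for a dict shaped like read_host_values()."""
    results = {}
    for key in ("nofile", "nproc", "max_map_count"):
        actual = values.get(key)
        need = REQUIRED[key]
        # An unlimited rlimit satisfies any numeric minimum.
        ok = actual is not None and (actual == UNLIMITED or actual >= need)
        results[key] = (ok, f"{key}={actual}, need >= {need}")
    memlock = values.get("memlock")
    # bootstrap.memory_lock: true only works if the JVM may lock its whole heap.
    ok = memlock == UNLIMITED
    results["memlock"] = (ok, f"memlock={'unlimited' if ok else memlock}, need unlimited")
    return results


def failing_checks(values):
    """Names of the checks that would stop Elasticsearch from starting or locking memory."""
    return sorted(name for name, (ok, _) in evaluate(values).items() if not ok)


if __name__ == "__main__":
    for name, (ok, detail) in evaluate(read_host_values()).items():
        print(f"[{'OK' if ok else 'FAIL'}] {detail}")
```

Run it as the elasticsearch user (or via the systemd unit's environment) rather than as root from an interactive shell: the limits in /etc/security/limits.conf apply to PAM sessions, while the service gets its limits from /etc/systemd/system.conf, which is exactly why the article touches both files.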

Start Elasticsearch

# reboot
# systemctl start elasticsearch.service
# systemctl enable elasticsearch.service
# ss -natp | grep 9200

Verify nodes

Access http://192.168.10.10:9200 and http://192.168.10.20:9200 to view node information and cluster health (status green).
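The same verification can be scripted against the /_cluster/health endpoint instead of read off a browser page. This is an added example and not code from the article: the sample responses are constructed, the cluster name and node count are the article's (my-elk-cluster, two nodes), and the default URL is the article's first node.

```python
"""Scriptable version of the article's "Verify nodes" step for Elasticsearch 6.x.

Added example; SAMPLE_HEALTHY and SAMPLE_DEGRADED are constructed, not captured
from the article's cluster.
"""
import json
import urllib.request

# Constructed: what GET /_cluster/health returns once both nodes have joined.
SAMPLE_HEALTHY = json.dumps({
    "cluster_name": "my-elk-cluster",
    "status": "green",
    "number_of_nodes": 2,
    "number_of_data_nodes": 2,
    "active_primary_shards": 5,
    "active_shards": 10,
    "unassigned_shards": 0,
})

# Constructed: only one node joined, so replicas have nowhere to go.
SAMPLE_DEGRADED = json.dumps({
    "cluster_name": "my-elk-cluster",
    "status": "yellow",
    "number_of_nodes": 1,
    "number_of_data_nodes": 1,
    "active_primary_shards": 5,
    "active_shards": 5,
    "unassigned_shards": 5,
})


def summarize_health(body, expected_name="my-elk-cluster", expected_nodes=2):
    """Parse a /_cluster/health body and list every expectation that fails.

    Returns (status, problems). An empty problems list means the cluster is in
    the state the article expects: right cluster name, all nodes joined, green.
    """
    doc = json.loads(body)
    problems = []
    if doc.get("cluster_name") != expected_name:
        problems.append(f"cluster_name is {doc.get('cluster_name')!r}, expected {expected_name!r}")
    nodes = doc.get("number_of_nodes", 0)
    if nodes < expected_nodes:
        # A node that never joins usually means discovery.zen.ping.unicast.hosts
        # or the transport port 9300 is wrong on one side.
        problems.append(f"only {nodes} of {expected_nodes} nodes joined")
    if doc.get("status") != "green":
        problems.append(
            f"status is {doc.get('status')} with {doc.get('unassigned_shards')} unassigned shards"
        )
    return doc.get("status"), problems


def fetch_health(base_url="http://192.168.10.10:9200", timeout=5):
    """GET /_cluster/health from a node and return the raw JSON body."""
    with urllib.request.urlopen(f"{base_url}/_cluster/health", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    status, problems = summarize_health(fetch_health())
    print("status:", status)
    for problem in problems:
        print("problem:", problem)
```

With the article's settings (network.host 0.0.0.0, firewalld disabled, SELinux permissive, no authentication on port 9200) anything that can reach this endpoint can also read and delete indices, so run the check from the node or a management host and restrict 9200 and 9300 to the cluster members and Kibana at the network layer.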

Install Elasticsearch‑head plugin

Elasticsearch‑head requires Node.js and phantomjs. Install Node.js, compile it, then install phantomjs, unzip the plugin, run npm install, enable CORS in elasticsearch.yml, restart Elasticsearch, and start the plugin with npm run start (listening on port 9100).

Deploy Logstash

Install

# yum -y install java
# yum -y install httpd
# systemctl start httpd
# rpm -ivh logstash-6.7.2.rpm
# systemctl enable --now logstash.service
# ln -s /usr/share/logstash/bin/logstash /usr/bin/

Basic usage

Run Logstash with inline configuration:

logstash -e 'input { stdin{} } output { elasticsearch { hosts=>["192.168.10.10:9200","192.168.10.20:9200"] } }'

Configuration file structure

input – defines data sources (e.g., file, kafka, stdin)

filter – processes data (grok, date, mutate, multiline, etc.)

output – sends data to destinations such as Elasticsearch

Example configuration

input {
  file {
    path => "/var/log/messages"
    type => "system"
    start_position => "beginning"
  }
}
output {
  elasticsearch {
    hosts => ["192.168.91.100:9200","192.168.91.101:9200"]
    index => "system-%{+YYYY.MM.dd}"
  }
}
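The configuration above has no filter section, so each line of /var/log/messages is shipped as a single message field and only the type and the date-based index name are added. The following Python is an added example, not Logstash and not from the article: it shows, for constructed syslog lines, what a grok and date filter would add to the event and how the output's index => "system-%{+YYYY.MM.dd}" resolves from the event timestamp. The year is passed in explicitly because traditional syslog lines carry none.

```python
"""What the article's pipeline does to one /var/log/messages line, in Python.

Added example; the three sample lines are constructed. The grok-style parse is
what a filter section would add on top of the article's input/output config.
"""
import re
from datetime import datetime, timezone

# Traditional syslog layout: "Mar 10 12:34:56 host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

SAMPLE_LINES = [  # constructed, not captured from a real host
    "Mar 10 12:34:56 node1 sshd[1234]: Accepted publickey for root from 192.168.10.50 port 50000 ssh2",
    "Mar 11 03:15:07 node1 systemd: Started Elasticsearch.",
    "this line does not look like syslog at all",
]


def build_event(line, year, log_type="system"):
    """Turn a raw line into the document that would be shipped, mimicking grok + date."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Logstash keeps unparseable lines and tags them rather than dropping them.
        return {"message": line, "type": log_type, "tags": ["_grokparsefailure"]}
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    event = {
        "@timestamp": ts.isoformat(),
        "host": m["host"],
        "program": m["program"],
        "message": m["message"],
        "type": log_type,
    }
    if m["pid"]:
        event["pid"] = int(m["pid"])
    return event


def index_for(event, prefix="system"):
    """Resolve "system-%{+YYYY.MM.dd}" for one event.

    Events without a parsed timestamp land in the index for the ingestion time,
    which is what Logstash does when @timestamp was never overwritten by a date filter.
    """
    if "@timestamp" in event:
        ts = datetime.fromisoformat(event["@timestamp"])
    else:
        ts = datetime.now(timezone.utc)
    return f"{prefix}-{ts:%Y.%m.%d}"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        event = build_event(line, year=2024)
        print(index_for(event), event)
```

One daily index per event date is why a file read with start_position => "beginning" can create many indices at once on first run; the same resolution decides which index a search in Kibana has to hit.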

Install Kibana

Installation

# rpm -ivh kibana-6.7.2-x86_64.rpm

Configure kibana.yml

server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://192.168.91.100:9200","http://192.168.91.101:9200"]
kibana.index: ".kibana"
logging.dest: /var/log/k.log
i18n.locale: "zh-CN"

Start Kibana

# systemctl enable --now kibana.service
# ss -nap | grep 5601

Access Kibana via http://192.168.10.30:5601 to view dashboards.
