Setting up an ELK Stack on AWS

Posted on by lanerjo

ELK Stack – this was a new term to me before I undertook this process, it seems overwhelming the first time you take on a new task.

ELK stands for Elasticsearch, Logstash and Kibana. Elasticsearch is a NoSQL database that allows NRT (near real time) queries. Kibana offers a nice interactive interface for analyzing data contained in the Elasticsearch data. Logstash is the intermediary between Elasticsearch and Kibana.

ELK has a large open source community, making this set of utilities quite popular. There are plenty of guides out there and the documentation is helpful. This article will not cover using an ELK stack in a production evironment, we will be setting up a test stack and getting familiar with the process. However, to set up an ELK stack for a production environment would not need too much changing of this process.

 

Getting Started:

Every component of our ELK stack requires Java. Let’s get busy and start setting up java on an Ubuntu AWS instance via SSH and shell commands. Make sure you have root access: sudo su

Installing Java:

  1. apt-get update
  2. apt-get upgrade
  3. apt-get install openjdk-7-jre-headless

Installing Elasticsearch:

  1. wget qO https://packages.elastic.co/GPGKEYelasticsearch | sudo aptkey add
  2. echo “deb http://packages.elastic.co/elasticsearch/1.7/debian stable main” | sudo tee a /etc/apt/sources.list.d/elasticsearch1.7.list
  3. apt-get update
  4. apt-get install elasticsearch
  5. service elasticsearch restart

Installing Logstash:

  1. echo “deb http://packages.elasticsearch.org/logstash/1.5/debian stable main” | sudo tee a /etc/apt/sources.list
  2. apt-get update
  3. apt-get install logstash
  4. service logstash start

Create config file for logstash:

vi /etc/logstash/conf.d/10-syslog.conf

  1. input {
  2. file {
  3. type => “syslog”
  4. path => [ “/var/log/messages”, “/var/log/*.log” ]
  5. }
  6. }
  7. output {
  8. stdout {
  9. codec => rubydebug
  10. }
  11. elasticsearch {
  12. host => “localhost” # Use the internal IP of your Elasticsearch server
  13. # for production
  14. }
  15. }
  16. :wq

service logstash restart

Kibana Installation:

  1. wget https://download.elastic.co/kibana/kibana/kibana4.1.1linuxx64.tar.gz
  2. tar -xzf kibana-4.1.1-linux-x64.tar.gz
  3. cd /kibana-4.1.1-linux-x64/
  4. mkdir -p /opt/kibana
  5. mv kibana-4.1.1-linux-x64/* /opt/kibana
  6. cd /etc/init.d && sudo wget https://raw.githubusercontent.com/akabdog/scripts/master/kibana4_init O kibana4
  7. chmod +x /etc/init.d/kabana4
  8. service kibana4 start

Testing our installs:

Point your browser to ‘http://YOUR_ELASTIC_IP:5601’ after Kibana is started