The Elastic Stack, colloquially known as the ELK stack, represents a powerhouse of three integrated components: Elasticsearch, Logstash, and Kibana. This ecosystem is designed to tackle the immense challenges of modern data management, particularly in environments where IT infrastructure is increasingly shifted to public clouds. As organizations migrate to the cloud, the volume of server logs, application telemetry, and user clickstreams grows exponentially. The ELK stack addresses this by providing a robust search and analytics engine, a flexible data ingestion pipeline, and a sophisticated visualization layer.
At its core, the operational flow of the ELK stack is a linear progression of data transformation. Logstash serves as the ingestion engine, responsible for collecting, transforming, and shipping data to the correct destination. Once the data leaves Logstash, it enters Elasticsearch, which acts as the heart of the system by indexing, analyzing, and providing high-speed search capabilities for the ingested data. Finally, Kibana serves as the window into the data, allowing users to visualize results, create dashboards, and explore analytics through a web-based interface.
The primary utility of this stack extends beyond simple log aggregation. It is a critical tool for Security Information and Event Management (SIEM), observability, and document search. For DevOps engineers and developers, it provides an essential mechanism for failure diagnosis and infrastructure monitoring, enabling them to identify bottlenecks and system crashes at a fraction of the cost of proprietary alternatives. On Amazon Web Services (AWS), users have several paths for deployment: self-managed instances on EC2, orchestrated deployments via Amazon EKS, or the fully managed AWS OpenSearch Service.
Infrastructure Paradigms for ELK Deployment
Depending on the organizational requirement for control versus convenience, AWS offers three distinct architectural paths for deploying the ELK stack.
The first path is the self-managed approach on EC2. This provides maximum control over the kernel, filesystem, and specific versioning of the stack. However, it introduces significant overhead regarding scaling and security compliance. The second path is the orchestrated approach using Amazon Elastic Kubernetes Service (EKS). This utilizes containerization to ensure portability and scalability, typically managed via Terraform and Kubernetes manifests. The third and most streamlined path is the AWS OpenSearch Service (formerly Amazon Elasticsearch Service), which abstracts the underlying infrastructure, providing a managed experience that reduces the operational burden of patching and scaling.
For those moving from a self-managed environment to a specialized cloud offering, migrating to Elastic Cloud on AWS is a viable strategy. This migration shifts the responsibility of provisioning infrastructure, managing clusters, scaling, and taking snapshots to the service provider, allowing the technical team to focus on data analysis rather than server maintenance.
Hardware and Resource Specifications
When deploying the ELK stack on EC2 or within a Kubernetes environment, adhering to minimum hardware specifications is critical to prevent cluster instability and "out of memory" (OOM) kills.
The following table details the minimum recommended instance types and resource allocations for each component:
| Component | Instance Type | Minimum vCPU | Minimum Memory |
|---|---|---|---|
| Elasticsearch | t3.medium or higher | 2 | 8 GB |
| Logstash | t3.medium or higher | 2 | 4 GB |
| Kibana | t3.small or higher | 1 | 2 GB |
| Filebeat Agents | t2.micro or higher | 1 | 1 GB |
Beyond compute resources, the storage layer must be optimized for high I/O operations, particularly for Elasticsearch, which performs frequent disk writes during indexing.
| Component | Disk Type | Minimum Storage |
|---|---|---|
| Elasticsearch | SSD (gp3) | 50 GB |
| Logstash | SSD (gp3) | 10 GB |
| Kibana | General HDD | 10 GB |
Network Configuration and Security Grouping
A secure ELK deployment requires a meticulously planned Virtual Private Cloud (VPC) architecture. The VPC must be configured with DNS hostnames enabled to ensure that the components can communicate via predictable endpoints. The network should be divided into public and private subnets; for instance, Kibana may reside in a public subnet (accessible via a LoadBalancer) while Elasticsearch and Logstash remain in private subnets to prevent direct exposure to the internet.
An Internet Gateway (IGW) must be attached to the VPC to allow outbound traffic for updates and inbound traffic for the dashboard. Furthermore, security groups must be configured to permit traffic only on specific ports.
The following table outlines the mandatory network ports for the ELK ecosystem:
| Service | Protocol | Port |
|---|---|---|
| Elasticsearch | HTTP/HTTPS | 9200 |
| Kibana | HTTP | 5601 |
| Logstash | TCP/UDP | 5044 |
| Filebeat | Outbound HTTP | 9200 |
Orchestrated Deployment via Amazon EKS and Terraform
For enterprise-grade scalability, deploying the ELK stack on Amazon EKS allows for dynamic resource management. This process requires a specific set of tools and a precise execution order.
The prerequisite toolchain includes:
- AWS CLI: Used for interacting with AWS services and managing credentials.
- kubectl: The primary command-line tool for managing Kubernetes clusters.
- Helm: Essential for deploying pre-packaged Kubernetes applications.
- Terraform: Used to provision the underlying AWS infrastructure as code.
- eksctl: A CLI tool designed specifically for creating and managing EKS clusters.
The deployment process begins with the infrastructure layer. A custom VPC module is used to provision subnets and networking components, followed by an EKS module that creates the cluster, managed node groups, and IAM roles. Encryption of volume data is handled via KMS keys.
The execution sequence for the infrastructure is as follows:
bash
cd terraform
terraform init
terraform plan -var-file="terraform.tfvars" --out planfile
terraform apply planfile
Once the cluster is live, the software stack is deployed. This includes a multi-node Elasticsearch cluster with persistent storage and a Logstash instance configured to ship logs. Kibana is deployed and exposed via an external IP through a Kubernetes LoadBalancer service.
Advanced Logstash Configuration and Data Ingestion
Logstash is the primary engine for data transformation. In a Kubernetes environment, customized configurations are applied using ConfigMaps. For example, to apply a specific Logstash configuration, the following commands are used:
bash
kubectl apply -f elk-k8s/elasticsearch/logstash-configmap.yaml
kubectl apply -f elk-k8s/elasticsearch/logstash-deployment.yaml
A common challenge in Kubernetes is transferring local data files (such as tickets.json) from a bastion host to a pod volume. This is achieved by using a temporary pvc-busybox pod to act as a bridge.
The process for data transfer is as follows:
bash
kubectl apply -f pvc-busybox.yaml
kubectl cp tickets.json pvc-busybox:/mnt/logstash/tickets.json -n bi-elk
Once this operation is complete, the data becomes available to the Logstash pod at the path /usr/share/logstash/tickets/. Technical operators must monitor the Logstash logs to ensure the file is parsed correctly. If the parsing is successful, Logstash pushes the data to Elasticsearch, and the index is built within a few minutes.
Implementing AWS OpenSearch Service
As an alternative to self-managed EKS or EC2 deployments, AWS OpenSearch Service provides a fully managed environment. This removes the need for manual server patching and cluster scaling. However, it requires specific IAM configurations to ensure secure access.
An IAM role must be created for the domain with the following attributes:
- User:
elastic-master-user - Policies:
AmazonESFullAccessandOpensearchAccess - Console access: Disabled
To grant specific programmatic access to the OpenSearch domain, the following IAM policy must be applied:
json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"es:ESHttpGet",
"es:ESHttpPost",
"es:ESHttpPut",
"es:ESHttpDelete"
],
"Resource": "arn:aws:es:<Your-Region>:<Your-Account>:<Your-Domain>>*"
}
]
}
Because AWS OpenSearch uses IAM-based access and AWS Signature Version 4 (SigV4) for authentication, standard browser requests to the dashboard will fail without a signing mechanism. To resolve this, users must install the AWS Signer Browser extension for Chrome or Firefox. The extension must be configured with the AWS Access Key and Secret Key of the IAM user. Only after the extension signs the requests can the OpenSearch dashboard be accessed.
Operational Maintenance and Decommissioning
Maintaining the ELK stack requires constant monitoring of connectivity and storage. It is imperative to verify that Kibana and Elasticsearch are deployed within the same namespace to avoid network latency or firewall blocks. Furthermore, administrators must ensure that EBS volumes are correctly bound to the persistent volume claims (PVCs) of Elasticsearch and Logstash to prevent data loss during pod restarts.
When the environment is no longer needed, a systematic cleanup is required to avoid ongoing costs. The decommission sequence involves:
- Deleting PVCs (Persistent Volume Claims) and PVs (Persistent Volumes).
- Removing custom resources, namespaces, and applications.
- Deleting managed node groups and any associated add-ons.
- Cleaning up networking components and any provisioned LoadBalancers.
- Final deletion of the EKS Cluster.
Comprehensive Analysis of ELK Architectural Choices
The decision between self-managed ELK and AWS OpenSearch Service hinges on the trade-off between operational overhead and granular control.
Self-managed deployments (EC2/EKS) are ideal for organizations with highly specialized requirements, such as custom plugins for Logstash or specific versions of Elasticsearch that are not yet supported by managed services. However, the burden of managing the "blast radius" of a cluster failure, handling snapshots, and manually scaling the heap size of the JVM is significant.
In contrast, AWS OpenSearch Service and Elastic Cloud on AWS shift the operational burden to the provider. The migration from on-premises Elasticsearch 7.13 to Elastic Cloud, for example, automates the provisioning of underlying infrastructure and the management of cluster upgrades. This is particularly beneficial for organizations that lack a dedicated DevOps team to manage the nuances of Lucene indexing and shard allocation.
The integration of Filebeat further enhances this architecture. By installing Filebeat agents on application servers (minimum t2.micro), logs are shipped in a lightweight manner to Logstash or directly to Elasticsearch, reducing the resource footprint on the production application servers. This creates a decoupled architecture where the collection of data (Filebeat) is separated from the processing of data (Logstash) and the storage of data (Elasticsearch).