The ELK Stack—comprising Elasticsearch, Logstash, and Kibana—represents the industry standard for centralized log analysis, metric monitoring, and data visualization. Deploying this stack on Ubuntu 22.04 requires a rigorous approach to system configuration, security hardening, and service integration. This deployment is not merely an installation task; it is the foundation for robust observability architectures. Whether utilizing the mature 7.x branch or the feature-rich 8.x branch, the underlying infrastructure demands precise configuration to ensure security, performance, and data integrity.
System Prerequisites and Environment Preparation
Before initiating the installation of the ELK Stack, the underlying Ubuntu 22.04 system must meet specific resource and access requirements. A functional deployment requires a minimum of 4 GB of RAM and 20 GB of free disk space to accommodate the Elasticsearch index store and Logstash processing buffers. The system must also have an active internet connection to retrieve packages and keys.
Access control is paramount. Operations must be performed by a non-root user with sudo privileges to adhere to security best practices. This separation of privileges minimizes the risk of accidental system-wide corruption during configuration edits.
For environments utilizing Elastic Stack 8.x, specific hostname and DNS configurations are required to facilitate inter-service communication. The system hostname should be set explicitly:
```bash
sudo su -
hostnamectl set-hostname elk.kifarunix-demo.com
```
If a dedicated DNS server is not available, local DNS records must be manually appended to the hosts file to ensure service discovery works correctly:
```bash
echo "192.168.122.149 elk.kifarunix-demo.com elk" >> /etc/hosts
```
Repository Integration and Package Management
The ELK Stack components are not present in the default Ubuntu apt repositories. To install them, the official Elastic package signing key and repository source must be added manually. This process differs slightly depending on whether you are deploying version 7.x or 8.x.
For Elastic Stack 8.x, the following steps establish the repository integrity:
```bash
apt install gnupg2
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /etc/apt/trusted.gpg.d/elastic.gpg
echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" > /etc/apt/sources.list.d/elastic-8.x.list
apt update
```
For Elastic Stack 7.x, the repository entry uses a signed-by directive, which scopes the Elastic key to this one source instead of trusting it for every apt repository on the system:
```bash
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg
echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
```
Java and Nginx Infrastructure Setup
Elasticsearch is a Java-based application, requiring a compatible JDK. While Logstash and Kibana also rely on Java, installing the default JDK satisfies the runtime requirements for the entire stack.
```bash
sudo apt update
sudo apt install default-jdk
java -version
```
Nginx serves as a reverse proxy and web server, often used to expose Kibana or Elasticsearch API endpoints securely. After installing it, open only the Nginx HTTP application profile (port 80) in ufw so that web traffic is permitted while other ports remain blocked:
```bash
sudo apt update
sudo apt install nginx
sudo ufw app list
sudo ufw allow 'Nginx HTTP'
sudo ufw status
systemctl status nginx
```
Elasticsearch Configuration and Hardening
Elasticsearch acts as the core data store and search engine. Once installed via sudo apt install elasticsearch, critical configuration changes are required to secure the service. The primary configuration file is elasticsearch.yml, located in /etc/elasticsearch/.
Modifying this YAML file requires strict adherence to indentation rules. A critical security measure involves restricting the network interface. By default, Elasticsearch may listen on all interfaces (0.0.0.0 or *), which exposes sensitive data to the public network. This must be restricted to localhost for local processing or specific internal IPs for production clusters.
```bash
sudo nano /etc/elasticsearch/elasticsearch.yml
```
Locate the network.host parameter and set it to localhost. This ensures the service is only accessible from the local machine, mitigating unauthorized access risks. After saving the configuration, initiate the service:
```bash
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
```
Verification can be performed via curl to ensure the REST API is responsive on port 9200:
```bash
curl -X GET "localhost:9200"
```
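A quick audit of the bind setting, as an added example that is not part of the original article: it reads the effective network.host value from an elasticsearch.yml and checks a captured `ss -ltn` listing for port 9200 listeners outside loopback. The file names and sample data below are constructed.

```bash
#!/usr/bin/env bash
# Added example: audit the address Elasticsearch binds to, from its
# elasticsearch.yml and from a captured `ss -ltn` listing.

# Print the effective network.host from an elasticsearch.yml file.
# The last uncommented setting wins; "localhost" is assumed when absent.
es_network_host() {
    local file="$1" value
    value=$(grep -E '^[[:space:]]*network\.host[[:space:]]*:' "$file" | tail -n 1 \
            | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*#.*$//' | tr -d "\"' ")
    printf '%s\n' "${value:-localhost}"
}

# Return 0 when the value binds loopback only, 1 when it is reachable from
# other hosts (0.0.0.0, *, _site_, _global_, a concrete address, or a list).
es_bind_is_local() {
    case "$1" in
        localhost|127.0.0.1|::1|_local_) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `ss -ltn` output on stdin (column 4 is Local Address:Port).
# Return 0 if every 9200 listener is on loopback, 1 if any is not.
es_port_is_local() {
    awk '$4 ~ /:9200$/ && $4 !~ /^(127\.0\.0\.1|\[::1\]):9200$/ { bad=1 }
         END { exit bad ? 1 : 0 }'
}

# Constructed demo: one exposed config, one hardened config (not real files).
tmp=$(mktemp -d)
printf '%s\n' 'cluster.name: demo' '#network.host: localhost' 'network.host: 0.0.0.0' > "$tmp/weak.yml"
printf '%s\n' 'cluster.name: demo' 'network.host: "localhost"' > "$tmp/hardened.yml"
for f in weak hardened; do
    host=$(es_network_host "$tmp/$f.yml")
    if es_bind_is_local "$host"; then
        echo "$f.yml: network.host=$host (loopback only)"
    else
        echo "$f.yml: network.host=$host (EXPOSED to the network)"
    fi
done
rm -rf "$tmp"
```

On a live host, pipe the real listing in with `ss -ltn | es_port_is_local` after the service has started.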
Logstash and Kibana Integration
Logstash functions as the data processing pipeline, ingesting logs from various sources and forwarding them to Elasticsearch. Installation follows the same repository mechanism established earlier.
```bash
sudo apt install logstash
```
Kibana provides the visualization layer. It is often used to display logs, metrics, and other types of data collected and indexed by Elasticsearch. It can also include pre-built dashboards for immediate insight generation.
```bash
sudo apt install kibana
sudo systemctl start kibana
sudo systemctl enable kibana
```
Advanced Data Pipeline and Dashboard Configuration
To maximize the utility of the stack, Filebeat is frequently employed as a lightweight shipper to collect system logs (it is installed from the same Elastic repository with sudo apt install filebeat). Configuring Filebeat involves setting up ingest pipelines and index templates.
First, load the ingest pipeline for the system module:
```bash
sudo filebeat setup --pipelines --modules system
```
Next, load the index templates. Index templates define mapping settings for new indices. The -E flags override the settings for this invocation only: they disable the Logstash output and point Filebeat directly at Elasticsearch, leaving filebeat.yml unchanged:
```bash
sudo filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
```
Finally, load pre-built Kibana dashboards to visualize Filebeat data. This step configures the output to point to the local Elasticsearch instance and connects to the Kibana interface:
```bash
sudo filebeat setup -E output.logstash.enabled=false -E output.elasticsearch.hosts=['localhost:9200'] -E setup.kibana.host=localhost:5601
```
Activate the Filebeat service to begin data ingestion:
```bash
sudo systemctl start filebeat
sudo systemctl enable filebeat
```
Conclusion
The deployment of the ELK Stack on Ubuntu 22.04 is a multi-layered engineering task that bridges infrastructure configuration with data pipeline management. Success depends on precise repository integration, strict Java dependency resolution, and rigorous network hardening of Elasticsearch. By restricting network.host to localhost and properly configuring Filebeat pipelines and Kibana dashboards, administrators create a secure, scalable observability platform. The distinction between the 7.x and 8.x versions offers flexibility; 8.x introduces default security features like HTTPS and authentication, while 7.x remains a stable, widely supported baseline. Proper implementation ensures that log data is not only collected but transformed into actionable intelligence through Kibana visualizations, supporting efficient troubleshooting and anomaly detection.