# How To Install Elasticsearch, Logstash, and Kibana (Elastic Stack) on Ubuntu 22.04 :sunny: :umbrella_on_ground: :palm_tree:

###### tags: `elasticsearch` `kibana` `logstash` `filebeat` `nginx` `elk` `elastic` `rsyslog`

## add repo

`curl -fsSL http://mirror.SOME_REPO.io/artifacts.elastic.co/packages/7.x/apt/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg`

`echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] http://mirror.SOME_REPO.io/artifacts.elastic.co/packages/7.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list`

or

`echo "deb [trusted=yes] https://mirror.yandex.ru/mirrors/elastic/8/ stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list`

Note that `[trusted=yes]` tells apt to skip signature verification for that repository; prefer the `signed-by=` form with the imported key whenever the mirror serves the key.

- update apt repo

`apt update -y`

## Install

### Elasticsearch

- Installing and Configuring Elasticsearch
- install

`sudo apt install elasticsearch`

- setup

`sudo nano /etc/elasticsearch/elasticsearch.yml`

```
. . .
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: localhost
. . .
```

- turn on and add to autorun

`sudo systemctl start elasticsearch`

`sudo systemctl enable elasticsearch`

- check

`curl -X GET "localhost:9200"`

```
{
  "name" : "elk",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "fUiWSY5JTV6UuCgzpMZlCw",
  "version" : {
    "number" : "7.17.7",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "78dcaaa8cee33438b91eca7f5c7f56a70fec9e80",
    "build_date" : "2022-10-17T15:29:54.167373105Z",
    "build_snapshot" : false,
    "lucene_version" : "8.11.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
```

- ok

### Kibana

- Installing and Configuring the Kibana Dashboard
- install

`sudo apt install kibana`

`sudo systemctl enable kibana`

`sudo systemctl start kibana`

#### Nginx

- install nginx and set it up as a reverse proxy for Kibana

`sudo apt install nginx -y`

- to disable the default page, delete the symlink to it

`cd /etc/nginx/sites-enabled/`

`rm default`

- create a site profile for nginx

`sudo nano /etc/nginx/sites-available/kibana.hack.me`

```
server {
    listen 80;

    server_name kibana.hack.me;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```

This listens on plain HTTP, so the basic-auth credentials cross the network in cleartext; the `https proxy` section below adds the TLS variant.

- create symlink

`sudo ln -s /etc/nginx/sites-available/kibana.hack.me /etc/nginx/sites-enabled/kibana.hack.me`

- start or restart and enable nginx

`systemctl start nginx`

`systemctl restart nginx`

`systemctl enable nginx`

- create the administrative Kibana user and password, and store them in the htpasswd.users file

```
echo "kibanaadmin:`openssl passwd -apr1`" | sudo tee -a /etc/nginx/htpasswd.users
```

- the URL `http://your_domain/status` should open with your credentials

### Logstash

- Installing and Configuring Logstash

`sudo apt install logstash`

- setup

`nano /etc/logstash/conf.d/input.conf`

```
input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
  }
}
```

- Test your Logstash configuration with this command:

`sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t`

- if you see this, it is ok

`Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash`

- check open ports; the output should look like this:

`ss -tunlp`

![](https://i.imgur.com/EbYCY8r.png)

### disable ipv6

- if port 5044 does not open, disable IPv6 (note that this disables IPv6 for the whole system, not only for Logstash)
- change

`nano /etc/default/grub`

- from

```
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX=""
```

- to

```
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"
GRUB_CMDLINE_LINUX="ipv6.disable=1"
```

`update-grub`

- reboot the system

`reboot`

### Filebeat

- Installing and Configuring Filebeat

`sudo apt install filebeat`

- change

`sudo nano /etc/filebeat/filebeat.yml`

- from

```
...
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
...
```

- to

```
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
```

- enable modules

`sudo filebeat modules enable system`

`sudo filebeat modules enable logstash`

- show enabled modules

`sudo filebeat modules list`

- set up the Filebeat ingest pipelines

`sudo filebeat setup --pipelines --modules system`

- To load the template, use the following command:

`sudo filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'`

- As the dashboards load, Filebeat connects to Elasticsearch to check version information. To load dashboards when the Logstash output is enabled, you need to disable the Logstash output and enable the Elasticsearch output for the setup run:

`sudo filebeat setup -E output.logstash.enabled=false -E output.elasticsearch.hosts=['localhost:9200'] -E setup.kibana.host=localhost:5601`

- start and enable filebeat

`sudo systemctl start filebeat`

`sudo systemctl enable filebeat`

- test filebeat

`curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'`

### Links

[digitalocean](https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elastic-stack-on-ubuntu-22-04)

[mail](https://mcs.mail.ru/docs/additionals/cases/cases-elk/elk-u18)

[testsoft](https://testsoft.net/elasticsearch-install-and-config-on-linux-server/)

[elastic](https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html)

## Setup filebeat at remote server

[filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html)

- add repo

`curl -fsSL http://mirror.SOME_REPO.io/artifacts.elastic.co/packages/7.x/apt/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg`

`echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] http://mirror.SOME_REPO.io/artifacts.elastic.co/packages/7.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list`

- update apt repo

`apt update -y`

- install filebeat

`sudo apt install filebeat`

- change

`sudo nano /etc/filebeat/filebeat.yml`

- from

```
...
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
...
```

- to

```
output.logstash:
  # The Logstash hosts
  hosts: ["your_Logstash_server_IP:5044"]
```

- If your system does not use systemd, then run:

`sudo update-rc.d filebeat defaults 95 10`

- enable modules

`sudo filebeat modules enable system`

### auditd

- enable and configure

`sudo filebeat modules enable auditd`

`sudo filebeat setup --pipelines --modules auditd`

`nano /etc/filebeat/modules.d/auditd.yml`

```
- module: auditd
  log:
    enabled: true
    var.paths: ["/var/log/auth.*"]
    var.input: "file"
```

Keep in mind that the auditd module is written for the audit daemon's own log (`/var/log/audit/audit.log`); `/var/log/auth.log` is in syslog format and is already covered by the `system` module's auth fileset.

### iptables

- enable and configure

`sudo filebeat modules enable iptables`

`vi /etc/filebeat/modules.d/iptables.yml`

```
- module: iptables
  log:
    enabled: true
    var.paths: ["/var/log/iptables.log"]
    var.input: "file"
```

- start or restart Filebeat and enable it

`sudo systemctl start filebeat`

`sudo systemctl enable filebeat`

- other modules

[elastic](https://www.elastic.co/guide/en/beats/filebeat/6.4/filebeat-module-nginx.html)

### setup rsyslog for iptables

[link](https://serverfault.com/questions/752711/iptables-how-to-log-and-set-a-specific-log-file)

`nano /etc/rsyslog.d/10-iptables.conf`

```
:msg,contains,"[iptables]-DROP " /var/log/iptables.log
& ~
```

The quoted string must match the `--log-prefix` of the iptables LOG rule; `& ~` discards the matched messages so they do not also land in `/var/log/syslog` (`& stop` is the current rsyslog spelling of the same thing).

`systemctl restart rsyslog`

### https proxy

```
server {
    listen 80 default_server;
    # if you need IPv6, uncomment the next line
    #listen [::]:80 default_server;

    server_name _;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;

    server_name kibana.hack.me;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    access_log /var/log/nginx/kibana-ssl-access.log;
    error_log /var/log/nginx/kibana-ssl-error.log;

    ssl_certificate /etc/nginx/certificate/kibana.hack.me.cert.pem;
    ssl_certificate_key /etc/nginx/certificate/kibana.hack.me.key.pem;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }
}
```
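A check for the `filebeat.yml` edit made above on both the ELK host and the remote server: Filebeat refuses to start when more than one `output.*` section is enabled, so the old `output.elasticsearch` block must stay commented out. This is an added example, not part of the original note; it lints a config for exactly one enabled top-level output and prints that output's `hosts`, using two constructed sample files.

```shell
#!/bin/sh
# Added example, not from the original note. Lints a filebeat.yml for the
# Filebeat rule "exactly one output enabled" and shows that output's hosts.
# Only top-level, uncommented "output.<name>:" keys count as enabled;
# a commented "#output.elasticsearch:" line does not.

# Print the names of enabled top-level outputs, one per line.
enabled_outputs() {
  grep -E '^output\.[a-z_]+:' "$1" | sed -E 's/^output\.([a-z_]+):.*/\1/'
}

# Exit 0 when exactly one output is enabled, 1 otherwise.
check_outputs() {
  n=$(enabled_outputs "$1" | wc -l | tr -d ' ')
  [ "$n" -eq 1 ]
}

# Print the "hosts:" value under the named output block ($2) in file $1.
output_hosts() {
  awk -v key="output.$2:" '
    $0 == key { inblk = 1; next }
    inblk && /^[^ \t#]/ { inblk = 0 }
    inblk && /^[ \t]*hosts:/ { sub(/^[ \t]*hosts:[ \t]*/, ""); print; exit }
  ' "$1"
}

# Constructed samples: the edit from the tutorial (good) and a config where
# the old Elasticsearch output was left uncommented (bad).
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
EOF
cat > "$bad" <<'EOF'
output.elasticsearch:
  hosts: ["localhost:9200"]
output.logstash:
  hosts: ["localhost:5044"]
EOF

for f in "$good" "$bad"; do
  if check_outputs "$f"; then
    echo "$f: OK, logstash hosts = $(output_hosts "$f" logstash)"
  else
    echo "$f: not exactly one output enabled: $(enabled_outputs "$f" | tr '\n' ' ')"
  fi
done
```

Run it against the real file with `check_outputs /etc/filebeat/filebeat.yml` before restarting the service.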