The ELK Stack (Elasticsearch, Logstash, Kibana) is the leading open-source log management and analytics platform. This guide installs ELK Stack 8.x on Ubuntu 24.04 LTS for centralised log collection and analysis.

Tested and valid on:

  • Ubuntu 24.04 LTS

Prerequisites

  • Ubuntu 24.04 LTS server
  • Minimum 4 GB RAM (8 GB recommended)
  • Java 21 installed
  • A user with sudo privileges

Step 1 – Add the Elastic Repository

Import the GPG key and add the Elastic 8.x repo:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list

Step 2 – Install Elasticsearch

Install and start:

sudo apt update
sudo apt install elasticsearch -y
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch

Note the password for the elastic superuser: it is printed once, by the package installer during apt install (not by systemctl). If it scrolled past, reset it with sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic.

Step 3 – Install Kibana

Install and start Kibana:

sudo apt install kibana -y
sudo systemctl enable kibana
sudo systemctl start kibana

Step 4 – Configure Kibana

Edit the Kibana config:

sudo nano /etc/kibana/kibana.yml

Set:

server.host: '0.0.0.0'
elasticsearch.hosts: ['https://localhost:9200']

With server.host set to 0.0.0.0 Kibana listens on every interface over plain HTTP, so restrict port 5601 with a firewall or place Kibana behind a TLS-terminating reverse proxy before exposing it beyond the local network.

Generate an enrollment token for Kibana:

sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

Step 5 – Install Logstash

Install Logstash:

sudo apt install logstash -y
sudo systemctl enable logstash

Step 6 – Create a Logstash Pipeline

Create a sample pipeline configuration:

sudo nano /etc/logstash/conf.d/syslog.conf

Add:

input {
  file {
    path => "/var/log/syslog"
    start_position => "beginning"
  }
}
filter {
  grok {
    # The host name is captured as syslog_host rather than host: ECS-compatible
    # index templates map "host" as an object, and a plain string in that field
    # is rejected by Elasticsearch at index time.
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:syslog_host} %{DATA:process}: %{GREEDYDATA:message}" }
    # Without overwrite, grok appends to the existing "message" field, which then
    # becomes an array holding both the raw line and the parsed text.
    overwrite => ["message"]
  }
}
output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    user => "elastic"
    password => "YOUR_ELASTIC_PASSWORD"
    ssl_certificate_authorities => ["/etc/elasticsearch/certs/http_ca.crt"]
  }
}
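Before starting the pipeline it is worth checking what the grok pattern above actually does to each field. The following is an added example, not part of the original guide: a small Python re-implementation of the pattern's four grok components (SYSLOGTIMESTAMP, HOSTNAME, DATA, GREEDYDATA) that runs offline over a few constructed syslog lines. It captures the host name as syslog_host rather than host, so the value does not collide with the ECS host object that Logstash 8 populates, and it models grok's behaviour for the message field both with and without the overwrite option, plus the _grokparsefailure tag that a non-matching line receives. The regexes, sample lines and function names are assumptions made for this example; they approximate, and do not replace, the stock grok definitions.

```python
import re

# Approximations of the stock grok patterns used in syslog.conf (assumed here).
SYSLOGTIMESTAMP = r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
HOSTNAME = r"(?P<syslog_host>[A-Za-z0-9._-]+)"
DATA = r"(?P<process>.*?)"          # non-greedy, like grok's DATA
GREEDYDATA = r"(?P<message>.*)"     # greedy, like grok's GREEDYDATA

# Equivalent of: %{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:syslog_host} %{DATA:process}: %{GREEDYDATA:message}
SYSLOG_RE = re.compile(rf"^{SYSLOGTIMESTAMP} {HOSTNAME} {DATA}: {GREEDYDATA}$")

# Constructed sample lines (not captured from a real host).
SAMPLE_LINES = [
    "Mar  4 10:15:02 web01 sshd[1432]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Mar  4 10:15:03 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/usr/bin/systemctl restart nginx",
    "this line is not syslog shaped",
]


def parse_syslog_line(line: str, overwrite_message: bool = True) -> dict:
    """Return the event the grok filter would produce for one syslog line.

    overwrite_message=True models `overwrite => ["message"]`: the captured text
    replaces the raw line. With overwrite_message=False grok appends instead,
    and "message" becomes a list holding the raw line and the captured text.
    A line that does not match gets the _grokparsefailure tag and no new fields.
    """
    event = {"message": line}            # the file input delivers the raw line here
    match = SYSLOG_RE.match(line)
    if match is None:
        event["tags"] = ["_grokparsefailure"]
        return event
    for field, value in match.groupdict().items():
        if field == "message" and not overwrite_message:
            event["message"] = [line, value]
        else:
            event[field] = value
    return event


def summarize(lines) -> dict:
    """Parse every line and count how many would fail grok, which is the number
    a practitioner checks in Kibana (tags:_grokparsefailure) after a new pipeline."""
    events = [parse_syslog_line(line) for line in lines]
    failed = sum(1 for e in events if "_grokparsefailure" in e.get("tags", []))
    return {"events": events, "parsed": len(events) - failed, "failed": failed}


if __name__ == "__main__":
    for event in summarize(SAMPLE_LINES)["events"]:
        print(event)
```

Run it as a script to see the event each sample line becomes; the third line illustrates why a dashboard filter on tags:_grokparsefailure is the first thing to add once real logs flow through the pipeline.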

Before starting, make sure the logstash service user can read both inputs the pipeline needs: /var/log/syslog is owned by root:adm with mode 640 on Ubuntu, so add the user to the adm group (sudo usermod -aG adm logstash), and /etc/elasticsearch/certs/http_ca.crt is only readable by the elasticsearch group, so copy it to a location such as /etc/logstash/ and point ssl_certificate_authorities at the copy. Then start Logstash:

sudo systemctl start logstash

Step 7 – Access Kibana

Visit http://your_server_ip:5601 and complete the Kibana setup using the enrollment token from Step 4.

Conclusion

The ELK Stack is now running on Ubuntu 24.04 LTS. Use it to aggregate logs from all your servers, create dashboards, and set up alerts for anomalous activity.