How to Set Up the ELK Stack on Ubuntu 26.04

The ELK Stack (Elasticsearch, Logstash, Kibana) is a powerful log management and analytics platform. Elasticsearch stores and indexes logs, Logstash collects and transforms them, and Kibana provides visualisation dashboards. This guide installs the ELK stack on Ubuntu 26.04 LTS.

Tested and valid on:

• Ubuntu 26.04 LTS

Prerequisites

• Ubuntu 26.04 LTS with at least 4 GB RAM and 2 CPUs
• Java 21 installed
• A user with sudo privileges

Step 1 – Add the Elastic Repository

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | 
  gpg --dearmor | sudo tee /usr/share/keyrings/elasticsearch-keyring.gpg > /dev/null
echo 'deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main' | 
  sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update

Step 2 – Install Elasticsearch

sudo apt install elasticsearch -y
sudo nano /etc/elasticsearch/elasticsearch.yml

Set:

network.host: localhost
http.port: 9200

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

Step 3 – Install Kibana

sudo apt install kibana -y
sudo nano /etc/kibana/kibana.yml

Set:

server.port: 5601
server.host: 'localhost'
elasticsearch.hosts: ['http://localhost:9200']

sudo systemctl start kibana
sudo systemctl enable kibana

Step 4 – Install Logstash

sudo apt install logstash -y

Step 5 – Create a Logstash Pipeline

sudo nano /etc/logstash/conf.d/syslog.conf

Add:

input {
  file {
    path => '/var/log/syslog'
    type => 'syslog'
    start_position => 'beginning'
  }
}
filter {
  grok {
    match => { 'message' => '%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{WORD:program}: %{GREEDYDATA:msg}' }
  }
}
output {
  elasticsearch {
    hosts => ['http://localhost:9200']
    index => 'syslog-%{+YYYY.MM.dd}'
  }
}

sudo systemctl start logstash
sudo systemctl enable logstash

Step 6 – Configure Nginx Proxy for Kibana

sudo nano /etc/nginx/sites-available/kibana

Add:

server {
    listen 80;
    server_name kibana.example.com;
    location / {
        proxy_pass http://localhost:5601;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

sudo ln -s /etc/nginx/sites-available/kibana /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx

Step 7 – Access Kibana

Visit http://kibana.example.com and complete the setup wizard. Create index patterns matching your Logstash indices to start visualising logs.

Conclusion

The ELK Stack is running on Ubuntu 26.04 LTS. Expand it with Beats (Filebeat, Metricbeat) for lightweight data shippers, and use Kibana Lens for drag-and-drop visualisation creation.