Back to Blog
DevOpsELK StackMonitoring & ObservabilityTutorial

Centralized Logging with the ELK Stack (Elasticsearch, Logstash, Kibana)

Complete DevOps tutorial on ELK Stack. Learn Logstash pipelines, Elasticsearch indexing, Kibana queries (KQL), Filebeat.

Daniel Urbano
October 26, 2025
8 min read
Centralized Logging with the ELK Stack (Elasticsearch, Logstash, Kibana)

Centralized Logging with the ELK Stack (Elasticsearch, Logstash, Kibana)

Introduction

In today’s complex digital landscape, managing application logs and system events is crucial for maintaining the health and performance of services. The ELK Stack, consisting of Elasticsearch, Logstash, and Kibana, provides a powerful solution for centralized logging and observability. By aggregating logs from various sources, the ELK Stack enables organizations to efficiently search, analyze, and visualize their data, leading to improved troubleshooting, performance monitoring, and security analysis.

This tutorial will guide you through setting up a centralized logging system using the ELK Stack. We will cover how to configure Logstash pipelines for data ingestion, how to index logs in Elasticsearch, and how to create visualizations and queries in Kibana. By the end of this tutorial, you will have a comprehensive understanding of how the ELK Stack can enhance observability in your applications and infrastructure.

Prerequisites

Before you begin, ensure you have the following:

  • Java 8 or later: Required for running Elasticsearch and Logstash.
  • Docker: For running the ELK Stack components in containers (optional but recommended).
  • Basic Knowledge of JSON: Familiarity with JSON format is beneficial for configuring Logstash and Elasticsearch.
  • Command Line Tools: Access to a terminal or command prompt.

Core Concepts

Definitions

  • Elasticsearch: A distributed, RESTful search and analytics engine that stores logs and provides search capabilities.
  • Logstash: A data processing pipeline that ingests logs from various sources, transforms them, and sends them to Elasticsearch.
  • Kibana: A visualization tool that allows users to interact with and explore data stored in Elasticsearch.

Architecture

The ELK Stack architecture consists of three primary components:

  1. Logstash: Collects data from various sources (e.g., applications, servers) through input plugins, processes the data using filters, and sends it to Elasticsearch.
  2. Elasticsearch: Stores and indexes log data, enabling fast search and analytics.
  3. Kibana: Provides a user interface for visualizing and querying log data stored in Elasticsearch.

When to Use

The ELK Stack is particularly useful when:

  • You need centralized logging across multiple services and applications.
  • You want to analyze large volumes of log data in real-time.
  • You require powerful search capabilities and visualizations to gain insights from your logs.

Limitations

  • The ELK Stack may require significant resources for large-scale deployments.
  • Real-time analysis can be limited by the ingestion rate and processing capabilities.
  • Managing Elasticsearch indices over time is essential to avoid performance degradation.

Pricing Notes

The ELK Stack itself is open-source and free to use; however, managed services (e.g., Elastic Cloud) may incur costs based on usage, storage, and additional features.

Syntax/Configuration

Logstash Configuration

Logstash configuration files are typically split into three sections: input, filter, and output. Here’s a basic example:

input {
  file {
    path => "/var/log/myapp/*.log"
    start_position => "beginning"
  }
}

filter {
  json {
    source => "message"
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "myapp-%{+YYYY.MM.dd}"
  }
}

Parameter Table

Parameter Description
input Specifies the source of log data.
filter Defines transformations to apply to the data.
output Specifies where to send processed data.

Practical Examples

Example 1: Setting Up Elasticsearch with Docker

To quickly set up Elasticsearch using Docker, run the following command:

docker run -d --name elasticsearch -p 9200:9200 -e "discovery.type=single-node" elasticsearch:7.10.0

Example 2: Setting Up Logstash with Docker

Run Logstash in a Docker container using the following command:

docker run -d --name logstash -p 5044:5044 -v $PWD/logstash.conf:/usr/share/logstash/pipeline/logstash.conf logstash:7.10.0

Example 3: Basic Logstash Pipeline

Create a simple Logstash pipeline to read JSON log files:

input {
  file {
    path => "/path/to/logs/*.json"
    start_position => "beginning"
    sincedb_path => "/dev/null"  # Disable sincedb
  }
}

filter {
  mutate { 
    remove_field => ["path", "host"] 
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "json-logs-%{+YYYY.MM.dd}"
  }
}

Example 4: Filebeat as a Log Shipper

Filebeat can be used to ship logs to Logstash. Install Filebeat and configure it as follows:

filebeat.inputs:
- type: log
  paths:
    - /var/log/myapp/*.log

output.logstash:
  hosts: ["localhost:5044"]

Example 5: Running Filebeat

Start Filebeat to begin shipping logs:

filebeat -e -c /etc/filebeat/filebeat.yml

Example 6: Kibana Dashboard Creation

Once logs are ingested into Elasticsearch, you can create visualizations in Kibana. Start Kibana with Docker:

docker run -d --name kibana -p 5601:5601 --link elasticsearch:elasticsearch kibana:7.10.0

Access Kibana at http://localhost:5601 and create a new index pattern for json-logs-*.

Example 7: KQL Queries in Kibana

Use Kibana Query Language (KQL) to filter logs. For example, to find error logs:

level: "error"

Example 8: Setting Up Alerts in Kibana

You can set up alerts in Kibana to notify you of critical log events. Go to the Alerts and Actions section and create a new alert based on a query.

Real-World Scenarios

Scenario 1: Application Monitoring

In a microservices architecture, each service generates logs. Use the ELK Stack to aggregate these logs for centralized monitoring. This allows you to quickly identify issues across services.

Scenario 2: Security Auditing

Leverage the ELK Stack to monitor security logs from firewalls, intrusion detection systems, and applications. By analyzing logs, you can detect anomalies and potential security threats.

Scenario 3: Performance Analysis

Utilize the ELK Stack to analyze application performance logs. By visualizing request rates, response times, and error rates, you can gain insights into performance bottlenecks and optimize your applications accordingly.

Best Practices

  1. Use Index Lifecycle Management (ILM): Set up ILM policies to manage indices automatically, optimizing storage and performance. ✅
  2. Secure Your Stack: Implement security measures such as HTTPS, authentication, and role-based access control. 🔒
  3. Optimize Log Formatting: Use structured logging formats (e.g., JSON) to enhance the parsing and indexing process. 💡
  4. Monitor Resource Usage: Keep an eye on resource consumption for Elasticsearch and Logstash to avoid performance degradation. 📈
  5. Regularly Review Data Retention Policies: Define how long to retain log data based on compliance and operational needs. ⚠️

Common Errors

Error 1: Elasticsearch cluster is not available

Cause: Elasticsearch is not running or is misconfigured.

Fix: Ensure that the Elasticsearch service is running and accessible.

Error 2: Logstash failed to connect to Elasticsearch

Cause: Incorrect Elasticsearch host configuration in the Logstash output section.

Fix: Verify the hosts parameter in the Logstash configuration.

Error 3: Filebeat not shipping logs

Cause: Filebeat is not properly configured or not running.

Fix: Check the Filebeat configuration file for correctness and ensure that the service is running.

Error 4: Kibana cannot find any indices

Cause: No data has been indexed into Elasticsearch yet.

Fix: Make sure that data is being ingested into Elasticsearch and that the index pattern in Kibana matches the indexed data.

Related Services/Tools

Tool/Service Description
Grafana An open-source analytics and monitoring platform for visualizing time-series data.
Fluentd A data collector that helps unify data collection and consumption.
Splunk A commercial platform for searching, monitoring, and analyzing machine-generated big data.
Prometheus An open-source system monitoring and alerting toolkit, typically used for metrics rather than logs.

Automation Script

Here’s a simple Bash script to automate the setup of the ELK Stack using Docker:

#!/bin/bash

# Pull the ELK Stack images
docker pull elasticsearch:7.10.0
docker pull logstash:7.10.0
docker pull kibana:7.10.0

# Start Elasticsearch
docker run -d --name elasticsearch -p 9200:9200 -e "discovery.type=single-node" elasticsearch:7.10.0

# Start Logstash
docker run -d --name logstash -p 5044:5044 -v $PWD/logstash.conf:/usr/share/logstash/pipeline/logstash.conf logstash:7.10.0

# Start Kibana
docker run -d --name kibana -p 5601:5601 --link elasticsearch:elasticsearch kibana:7.10.0

echo "ELK Stack is up and running!"

Conclusion

In this tutorial, we explored how to set up a centralized logging system using the ELK Stack. By configuring Logstash to ingest logs, indexing them in Elasticsearch, and visualizing the data in Kibana, you can significantly enhance observability across your applications and infrastructure. This setup not only aids in troubleshooting and monitoring but also provides valuable insights into system performance and security.

For next steps, consider diving deeper into advanced features of the ELK Stack, such as machine learning capabilities and alerting. Explore the official documentation to expand your knowledge and expertise.

References