This guide provides step-by-step instructions for installing and configuring the Elastic Stack (Elasticsearch, Logstash, and Kibana) on Ubuntu, with a specific focus on Veeam integration.
- Prerequisites
- Elasticsearch Installation
- Kibana Installation
- Logstash Installation
- Veeam Integration
- Troubleshooting
## Prerequisites

- Ubuntu Server (recommended: 20.04 LTS or newer)
- Sudo access
- At least 4GB RAM
- 10GB+ free disk space
## Elasticsearch Installation

- Import the Elasticsearch public GPG key:

  ```bash
  wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
  ```

- Install the apt-transport-https package:

  ```bash
  sudo apt-get install apt-transport-https
  ```

- Add the Elasticsearch repository:

  ```bash
  echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
  ```

- Update packages and install Elasticsearch:

  ```bash
  sudo apt-get update && sudo apt-get install elasticsearch
  ```

- Configure the system service:

  ```bash
  sudo /bin/systemctl daemon-reload
  sudo /bin/systemctl enable elasticsearch.service
  ```

- Edit the Elasticsearch configuration file:

  ```bash
  sudo vi /etc/elasticsearch/elasticsearch.yml
  ```

- Make the following changes:

  ```yaml
  # Uncomment this line
  node.name: node-1
  # Change this to allow external connections (binds on every interface, so firewall port 9200 accordingly)
  network.host: 0.0.0.0
  # Configure discovery
  discovery.seed_hosts: ["127.0.0.1"]
  # Enable X-Pack security
  xpack.security.enabled: true
  # Configure initial master nodes
  cluster.initial_master_nodes: ["node-1"]
  ```

- Modify the service timeout settings:

  ```bash
  sudo nano /usr/lib/systemd/system/elasticsearch.service
  ```

- Set the timeout to a higher value:

  ```ini
  TimeoutStartSec=900
  ```

- Change log viewing permissions (note that this makes the log directory readable by every local user):

  ```bash
  sudo chmod 755 -R /var/log/elasticsearch/
  ```

- Start Elasticsearch:

  ```bash
  sudo systemctl start elasticsearch.service
  ```

- Set the Elastic password:

  ```bash
  # The auto-generated elastic password is displayed during installation
  # To reset/change the password, use:
  sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
  ```

- Export the password as an environment variable for convenience:

  ```bash
  export ELASTIC_PASSWORD="your_new_password"
  ```

- Verify the installation (with security enabled; `--insecure` skips verification of the self-signed HTTP certificate):

  ```bash
  curl -X GET "https://localhost:9200/_cluster/health?pretty" -u elastic:$ELASTIC_PASSWORD --insecure
  ```
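The verification command above disables certificate checking with `--insecure`. As an added example (not part of this guide), the POSIX shell script below performs the same health check but pins the connection to the CA certificate that Elasticsearch 8 writes to `/etc/elasticsearch/certs/http_ca.crt` during installation, and turns the cluster status into an exit code a cron job or monitoring check can act on. `ES_URL`, `ES_CA` and the function names are the example's own assumptions; `ELASTIC_PASSWORD` is the variable exported in the previous step.

```shell
#!/bin/sh
# Added example (not from the guide): check cluster health over verified TLS.
# Assumed environment: ES_URL and ES_CA may be overridden; ELASTIC_PASSWORD must be set
# (see the export step earlier in the guide) before fetch_health/check_cluster are called.
ES_URL="${ES_URL:-https://localhost:9200}"
ES_CA="${ES_CA:-/etc/elasticsearch/certs/http_ca.crt}"   # HTTP CA generated by ES 8 at install time

# Pull the "status" field out of a _cluster/health JSON body (pretty-printed or compact).
health_status_from_json() {
    printf '%s' "$1" | tr -d '\n ' | sed -n 's/.*"status":"\([a-z]*\)".*/\1/p'
}

# Map the cluster status to an exit code: green/yellow are usable, red or unknown fail.
status_is_usable() {
    case "$1" in
        green|yellow) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch health with certificate verification and basic auth.
# --fail turns a 401 (bad credentials) or 5xx into a non-zero exit instead of a JSON error body.
fetch_health() {
    curl -sS --fail --cacert "$ES_CA" -u "elastic:${ELASTIC_PASSWORD:?set ELASTIC_PASSWORD first}" \
        "$ES_URL/_cluster/health?pretty"
}

# Returns 0 when the cluster answers and is green/yellow, 1 when red/unknown, 2 when the request fails.
check_cluster() {
    body=$(fetch_health) || { echo "request failed (TLS, credentials or connectivity)" >&2; return 2; }
    status=$(health_status_from_json "$body")
    echo "cluster status: ${status:-unknown}"
    status_is_usable "$status"
}
```

Run `check_cluster` after sourcing the script; a TLS failure here means the CA path is wrong or the certificate was regenerated, which is exactly the condition `--insecure` would have hidden.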
## Kibana Installation

- Check the available Kibana versions (the version must match your Elasticsearch version):

  ```bash
  sudo apt list kibana -a
  ```

- Install Kibana:

  ```bash
  sudo apt install kibana
  ```

- Configure Kibana:

  ```bash
  sudo vi /etc/kibana/kibana.yml
  ```

- Change the server host to allow external connections:

  ```yaml
  server.host: "0.0.0.0"
  ```

- Start and enable Kibana:

  ```bash
  sudo systemctl daemon-reload
  sudo systemctl enable kibana.service
  sudo systemctl start kibana.service
  ```

- Verify Kibana is running (it listens on port 5601):

  ```bash
  curl http://localhost:5601/status -I
  ```
Since X-Pack security is enabled, you need to configure Kibana to connect securely:

- Generate an enrollment token for Kibana:

  ```bash
  cd /usr/share/elasticsearch/bin
  sudo ./elasticsearch-create-enrollment-token --scope kibana
  ```

- Copy this token, as you'll need it during Kibana's first start.

- Start Kibana:

  ```bash
  sudo systemctl start kibana.service
  ```

- Check the Kibana logs to see the verification code prompt:

  ```bash
  sudo tail -f /var/log/kibana/kibana.log
  ```

- Generate a verification code:

  ```bash
  cd /usr/share/kibana/bin
  sudo ./kibana-verification-code
  ```

- Paste the enrollment token and enter the verification code in the Kibana web interface (http://your_server_ip:5601).

- Generate encryption keys for alerts:

  ```bash
  cd /usr/share/kibana/bin
  sudo ./kibana-encryption-keys generate
  ```

- Add the generated keys to your kibana.yml file:

  ```bash
  sudo vi /etc/kibana/kibana.yml
  ```

- Add the generated encryption keys at the end of the file:

  ```yaml
  xpack.encryptedSavedObjects.encryptionKey: "generated_encryption_key"
  xpack.reporting.encryptionKey: "generated_reporting_key"
  xpack.security.encryptionKey: "generated_security_key"
  ```

- Restart Kibana to apply the changes:

  ```bash
  sudo systemctl restart kibana.service
  ```
## Logstash Installation

- Install dependencies and Logstash:

  ```bash
  sudo apt install openjdk-8-jre-headless
  sudo apt update
  sudo apt install logstash
  ```

- Create a dedicated user for Logstash (the logstash package normally creates this account itself; the `id` check keeps the step from failing when it already exists):

  ```bash
  id logstash >/dev/null 2>&1 || sudo useradd -r -g logstash logstash
  sudo chown -R logstash:logstash /usr/share/logstash /var/log/logstash
  ```
## Veeam Integration

### Importing Templates

When importing, you must follow the correct order: component templates first, then the index template that references them.

Change directory into the Templates folder and run these commands. Because X-Pack security is enabled, the requests go over HTTPS with the `elastic` credentials exported earlier (`--insecure` skips verification of the self-signed certificate, as in the health check above); replace `new-host` with your Elasticsearch host:

```bash
curl -X PUT "https://new-host:9200/_component_template/syslog-hardware" -u elastic:$ELASTIC_PASSWORD --insecure -H "Content-Type: application/json" -d @component-hardware.json
curl -X PUT "https://new-host:9200/_component_template/syslog-security" -u elastic:$ELASTIC_PASSWORD --insecure -H "Content-Type: application/json" -d @component-security.json
curl -X PUT "https://new-host:9200/_component_template/syslog-services" -u elastic:$ELASTIC_PASSWORD --insecure -H "Content-Type: application/json" -d @component-services.json
curl -X PUT "https://new-host:9200/_component_template/syslog-settings" -u elastic:$ELASTIC_PASSWORD --insecure -H "Content-Type: application/json" -d @component-settings.json
```

Then import the index template:

```bash
curl -X PUT "https://new-host:9200/_index_template/syslog-template" -u elastic:$ELASTIC_PASSWORD --insecure -H "Content-Type: application/json" -d @syslog-template.json
```

Copy the `logstash.conf` file from the Template folder to `/etc/logstash/conf.d`, then restart both Logstash and Elasticsearch:

```bash
sudo systemctl restart logstash
sudo systemctl restart elasticsearch
```
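The import order matters because Elasticsearch rejects an index template whose `composed_of` list names a component template that does not exist yet. As an added example (not the project's own script), the POSIX shell script below derives the order and the template names from the file names used in this guide (`component-<name>.json` becomes `_component_template/syslog-<name>`, `syslog-template.json` becomes `_index_template/syslog-template`), imports component templates first, and stops at the first request that fails rather than continuing with a half-applied set. It verifies the server against the CA certificate Elasticsearch 8 generates at install time instead of using `--insecure`; `ES_URL`, `ES_CA` and the function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): import component templates before the index template.
# Assumed environment: ES_URL/ES_CA may be overridden; ELASTIC_PASSWORD must be exported
# (as in the guide) before put_template/import_templates are called.
ES_URL="${ES_URL:-https://localhost:9200}"
ES_CA="${ES_CA:-/etc/elasticsearch/certs/http_ca.crt}"   # HTTP CA generated by ES 8 at install time

# Template name Elasticsearch will store, derived from the file name:
#   component-hardware.json -> syslog-hardware   (component template)
#   syslog-template.json    -> syslog-template   (index template)
template_name() {
    base=$(basename "$1" .json)
    case "$base" in
        component-*) echo "syslog-${base#component-}" ;;
        *) echo "$base" ;;
    esac
}

# Which API endpoint a file belongs to, again from its name.
template_api() {
    case "$(basename "$1")" in
        component-*) echo "_component_template" ;;
        *) echo "_index_template" ;;
    esac
}

# List the JSON files of a directory in import order: every component-*.json first,
# then everything else (the index template). Globs expand in sorted order.
ordered_templates() {
    dir="$1"
    for f in "$dir"/component-*.json; do [ -e "$f" ] && echo "$f"; done
    for f in "$dir"/*.json; do
        case "$(basename "$f")" in component-*) ;; *) [ -e "$f" ] && echo "$f" ;; esac
    done
}

# PUT one template with verified TLS and basic auth; --fail makes a 4xx/5xx
# (for example a missing component or a JSON syntax error) return non-zero.
put_template() {
    file="$1"
    curl -sS --fail --cacert "$ES_CA" -u "elastic:${ELASTIC_PASSWORD:?set ELASTIC_PASSWORD first}" \
        -X PUT "$ES_URL/$(template_api "$file")/$(template_name "$file")" \
        -H "Content-Type: application/json" -d "@$file"
}

# Import all templates found in the given directory, stopping at the first failure.
import_templates() {
    ordered_templates "$1" | while IFS= read -r f; do
        echo "importing $(template_api "$f")/$(template_name "$f") from $f"
        put_template "$f" || { echo "failed on $f; stopping so later templates do not reference a missing component" >&2; exit 1; }
    done
}
```

Usage: `import_templates /path/to/Templates`. Keeping the name mapping in one place also means the files and the names stored in Elasticsearch cannot drift apart the way hand-typed URLs can.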
## Troubleshooting

### Elasticsearch fails to start

- Check logs:

  ```bash
  sudo journalctl -u elasticsearch.service
  ```

- Verify sufficient memory:

  ```bash
  free -m
  ```

- Check disk space:

  ```bash
  df -h
  ```

### Kibana cannot connect to Elasticsearch

- Verify Elasticsearch is running (with security enabled the endpoint is HTTPS and requires credentials):

  ```bash
  curl https://localhost:9200 -u elastic:$ELASTIC_PASSWORD --insecure
  ```

- Check the network settings in kibana.yml

### Logstash parsing errors

- View Logstash logs:

  ```bash
  sudo tail -f /var/log/logstash/logstash-plain.log
  ```

- Test your grok patterns in the Grok Debugger