Architecture Summary
Security Group Requirements (ELK Server)
Configure inbound rules on the ELK Server Security Group as follows:
| Port | Service | Source | Purpose |
|---|---|---|---|
| 9200 | Elasticsearch | ELK server itself or restricted admin IP | API access / testing |
| 5044 | Logstash (Beats input) | 172.31.10.0/24 or App Server Private IP | Receive logs from Filebeat |
| 5601 | Kibana | Your public IP only | Web dashboard access |
1. ELK SERVER SETUP
Run all commands on the ELK Server (3.100.10.10)
1.1 Add Elastic APT Repository

```bash
sudo apt update -y
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | \
  sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update -y
```

2.1 Install Elasticsearch

```bash
sudo apt install elasticsearch -y
```

2.2 Configure Elasticsearch

```bash
sudo nano /etc/elasticsearch/elasticsearch.yml
```

Modify or add:

```yaml
cluster.name: elk-cluster
node.name: elk-node-1
network.host: 0.0.0.0
discovery.type: single-node
```

2.3 Start and Enable Elasticsearch

```bash
sudo systemctl daemon-reload
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
sudo systemctl status elasticsearch
```

2.4 Verify Elasticsearch

```bash
curl http://localhost:9200
```

From an external machine (optional test):

```bash
curl http://3.100.10.10:9200
```
3.1 Install Logstash

```bash
sudo apt install logstash -y
```

3.2 Create Logstash Pipeline

```bash
sudo nano /etc/logstash/conf.d/logstash.conf
```

Add:

```conf
input {
  beats {
    port => 5044
  }
}

filter {
  if [message] {
    grok {
      match => {
        "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{LOGLEVEL:log_level} %{GREEDYDATA:log_message}"
      }
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "python-logs-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}
```
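The grok pattern above only extracts log_level and log_message from lines that begin with an ISO8601 timestamp followed by a level; any other line is still indexed, but tagged _grokparsefailure and without those fields. As an added example (not part of the original guide), the following Python-side check validates the application's log format against an approximation of those grok patterns so that mismatched lines are caught on the application server before they reach Logstash; the regexes and sample lines are simplified constructions, not the grok library's own definitions.

```python
import logging
import re

# Python-side approximation of the grok patterns in the Logstash pipeline (an added
# check, not Logstash's own matcher): TIMESTAMP_ISO8601 and LOGLEVEL are simplified
# from the grok library and GREEDYDATA is ".*".
TIMESTAMP_ISO8601 = (
    r"\d{4}-\d{2}-\d{2}[T ]\d{2}:?\d{2}(?::?\d{2}(?:[:.,]\d+)?)?"
    r"(?:Z|[+-]\d{2}(?::?\d{2})?)?"
)
LOGLEVEL = (
    r"(?:TRACE|DEBUG|NOTICE|INFO(?:RMATION)?|WARN(?:ING)?|ERR(?:OR)?|"
    r"CRIT(?:ICAL)?|FATAL|SEVERE|EMERG(?:ENCY)?|ALERT)"
)
GROK_LINE = re.compile(
    rf"^(?P<log_timestamp>{TIMESTAMP_ISO8601}) (?P<log_level>{LOGLEVEL}) (?P<log_message>.*)$"
)


def build_formatter() -> logging.Formatter:
    # %(asctime)s defaults to "YYYY-MM-DD HH:MM:SS,mmm", which TIMESTAMP_ISO8601 accepts;
    # %(levelname)s values (INFO, WARNING, ERROR, CRITICAL) all match LOGLEVEL.
    return logging.Formatter("%(asctime)s %(levelname)s %(message)s")


def format_event(level: int, message: str) -> str:
    # Render one line exactly as the app would write it to app.log (no file I/O).
    record = logging.LogRecord("python-app", level, "app.py", 0, message, None, None)
    return build_formatter().format(record)


def parse_line(line: str):
    m = GROK_LINE.match(line)  # None where Logstash would tag _grokparsefailure
    return m.groupdict() if m else None


def audit_lines(lines):
    # Split lines into (parsed field dicts, rejected raw lines) before they reach Logstash.
    parsed, rejected = [], []
    for line in lines:
        fields = parse_line(line)
        (parsed if fields else rejected).append(fields if fields else line)
    return parsed, rejected


# Constructed sample lines: two well-formed entries, a traceback continuation line
# (Filebeat ships each line on its own unless multiline is configured) and a
# syslog-style line with no ISO8601 timestamp; the last two would fail grok.
SAMPLE_LINES = [
    "2024-05-01 12:00:01,123 INFO user login ok user=alice",
    "2024-05-01T12:00:02.456Z ERROR payment failed order=42",
    "Traceback (most recent call last):",
    "May  1 12:00:03 app[123]: WARNING legacy syslog format",
]
```

Running audit_lines over a tail of /var/log/python-app/app.log before enabling Filebeat shows which lines will arrive in Kibana without log_level and log_message.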
3.3 Test Logstash Configuration

```bash
sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t
```

3.4 Start and Enable Logstash

```bash
sudo systemctl start logstash
sudo systemctl enable logstash
sudo systemctl status logstash
```

3.5 Open Port 5044 (If UFW Enabled)

```bash
sudo ufw allow 5044/tcp
```
4.1 Install Kibana

```bash
sudo apt install kibana -y
```

4.2 Configure Kibana

```bash
sudo nano /etc/kibana/kibana.yml
```

Modify:

```yaml
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
```

4.3 Start and Enable Kibana

```bash
sudo systemctl start kibana
sudo systemctl enable kibana
sudo systemctl status kibana
```

4.4 Open Kibana Port

```bash
sudo ufw allow 5601/tcp
```

4.5 Access Kibana

Open in browser:

http://3.100.10.10:5601
5. APPLICATION SERVER SETUP (Filebeat)
Run on Python Application Server (3.101.20.20)
5.1 Add Elastic Repository

```bash
sudo apt update -y
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | \
  sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update -y
```

5.2 Install Filebeat

```bash
sudo apt install filebeat -y
```

5.3 Configure Filebeat

```bash
sudo nano /etc/filebeat/filebeat.yml
```

Modify:

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/python-app/app.log
output.logstash:
  hosts: ["172.31.10.10:5044"]
```
Important:
Use the ELK Server's private IP (172.31.10.10) so that log traffic stays inside the VPC, which is more secure than sending it over the public address.
5.4 Test Filebeat Connection

```bash
sudo filebeat test output
```

5.5 Start and Enable Filebeat

```bash
sudo systemctl start filebeat
sudo systemctl enable filebeat
sudo systemctl status filebeat
```
6. Verification
Check Elasticsearch Indices

Run on ELK server:

```bash
curl http://localhost:9200/_cat/indices?v
```
You should see:
Check Logstash Listening Port

```bash
sudo ss -plnt | grep 5044
```

Check Kibana Port

```bash
sudo ss -plnt | grep 5601
```
Required Configuration Files

| Component | Configuration file |
|---|---|
| Elasticsearch | /etc/elasticsearch/elasticsearch.yml |
| Logstash | /etc/logstash/conf.d/logstash.conf |
| Kibana | /etc/kibana/kibana.yml |
| Filebeat | /etc/filebeat/filebeat.yml |