AWS Documentation

AWS ELK with Beats on Ubuntu 22.04

Elastic Stack

This AMI features:

  • Nginx 1.18
  • Elasticsearch 8.6
  • Logstash 8.6
  • Kibana 8.6
  • Beats
    • Filebeat 8.6
    • Metricbeat 8.6

Kibana

You can access the top page at https://xxx.xxx.xxx.xxx, which is served with a dummy certificate. Wait 10 minutes after starting the instance for the initial configuration of Elasticsearch and Kibana to complete.

You can find the password in the System Log in the EC2 management console.

  1. Go to the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. Choose your instance and click Actions → Instance Settings → Get System log.

You can also SSH into your instance and find the login credentials using the following command.

$ cat /home/ubuntu/credentials 
////////////////////credentials info////////////////////
--- kibana-setup
----- Success
--- elasticsearch
----- User     : elastic
----- Password : EkocsTWTjA2Ye84FIhO7
////////////////////////////////////////////////////////

Start or stop Kibana

$ sudo systemctl start kibana
$ sudo systemctl stop kibana

Note

certbot is installed from snap packages, so you can set up TLS/SSL certificates using Let’s Encrypt.

Example:

sudo certbot --nginx -d your-domain

Reference

Elasticsearch

Check Elasticsearch

$ sudo curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200 
Enter host password for user 'elastic':
{
  "name" : "ip-172-31-63-217",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "Au9U2UBCRMCgrjH6mxzVSQ",
  "version" : {
    "number" : "8.6.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "2d58d0f136141f03239816a4e360a8d17b6d8f29",
    "build_date" : "2023-02-13T09:35:20.314882762Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Reset Password for user ‘elastic’

$ sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -s -b
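The launch password is written to both the EC2 System Log and /home/ubuntu/credentials, so a first-login routine is to audit that file and rotate the password with the commands shown above. The script below is an added example, not part of the AMI's own documentation: the function names are hypothetical, the sample file is constructed, and it assumes the reset tool prints only the new password when run with -s -b.

```shell
#!/usr/bin/env bash
# Added example (not from the AMI vendor): audit and rotate the launch password.
# Assumption: the credentials file keeps the "----- Field : value" layout shown above.

# Print the value of a "----- <Field> : <value>" line, e.g. User or Password.
cred_field() {  # usage: cred_field <file> <field>
    sed -n "s/^----- $2 *: //p" "$1" | head -n 1
}

# Succeed only if group and others have no permission bits on the file (e.g. 0600).
cred_file_private() {  # usage: cred_file_private <file>
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# One-line report that never prints the secret itself.
audit_credentials() {  # usage: audit_credentials <file>
    local user pass mode
    user=$(cred_field "$1" User)
    pass=$(cred_field "$1" Password)
    if cred_file_private "$1"; then mode=private; else mode=group-or-world-accessible; fi
    echo "user=${user:-missing} password_len=${#pass} file=${mode}"
}

# Rotate with the reset tool from this page, then confirm the new password through
# the CA-verified curl call from this page. The password reaches curl on stdin
# (-K -), so it never appears in the process list. Prints the new password on
# stdout for the caller to store in a secrets manager.
rotate_elastic_password() {
    local new
    new=$(sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -s -b) || return 1
    printf 'user = "elastic:%s"\n' "$new" |
        sudo curl -fsS -K - --cacert /etc/elasticsearch/certs/http_ca.crt \
            https://localhost:9200 >/dev/null || return 1
    printf '%s\n' "$new"
}

# Constructed sample file (placeholder password), so the audit runs offline.
sample=$(mktemp)
printf '%s\n' '--- elasticsearch' '----- User     : elastic' \
    '----- Password : CONSTRUCTED-EXAMPLE' > "$sample"
chmod 644 "$sample"
audit_credentials "$sample"
```

On the instance, run `audit_credentials /home/ubuntu/credentials` first, then `rotate_elastic_password`; once the password has been rotated, the value left in the file and in the System Log no longer authenticates.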

Start or stop Elasticsearch

$ sudo systemctl start elasticsearch
$ sudo systemctl stop elasticsearch

Reference

Logstash

Logstash is pre-installed.

Start

$ sudo systemctl start logstash

Stop

$ sudo systemctl stop logstash

Start automatically at boot

$ sudo systemctl enable logstash

Reference

Beats

Filebeat and Metricbeat are pre-installed. If you want to install other Beats, see the page below.

Reference

Install, enable at boot, and start

sudo apt update && sudo apt install ${beatname}=8.6.2
sudo systemctl enable ${beatname}
sudo systemctl start ${beatname}

Example: install Packetbeat

sudo apt update && sudo apt install packetbeat=8.6.2