High Available ELK Stack

Published: at 05:16 PM

Author: Telman Yusifov

0. Preparation

Objective

The primary goal of this project is to implement a high-availability ELK stack (Elasticsearch, Logstash, Kibana) to ensure uninterrupted access and reliable performance for log management and data analysis. The focus is on configuring the ELK stack to withstand node failures and maintain continuous service.

Technologies Involved

Elasticsearch: A distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. It is the core of the Elastic Stack, which provides centralized logging and analytics.

Logstash: A server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a “stash” like Elasticsearch.

Kibana: A data visualization dashboard for Elasticsearch, providing insights and analytics into the data stored in Elasticsearch indices.

Filebeat: A lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them to Elasticsearch or Logstash for indexing.

1. Provisioning VMs

Name and Region/Zone

Machine Configuration

Firewall Rules

Boot Disk

VM Specifications

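| VM Name | IP Address | Instance Type | Storage | Operating System | Hostname | RAM |
|---------|------------|---------------|---------|------------------|----------|-----|
| node-1 | 10.128.0.2 | e2-standard-2 | 10GB | Ubuntu 22.04 LTS | node-1 | 8GB |
| node-2 | 10.128.0.3 | e2-standard-2 | 10GB | Ubuntu 22.04 LTS | node-2 | 8GB |
| node-3 | 10.128.0.4 | e2-standard-2 | 10GB | Ubuntu 22.04 LTS | node-3 | 8GB |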

Security Group/Firewall Configuration

Open the following ports for each VM:

2. Java Installation

Java is required for Elasticsearch to run. The steps below outline how to install Java on your VMs.

Update the Package List

sudo apt update

Install OpenJDK 11

sudo apt-get install default-jre

Verify the Installation

java -version

3. Elasticsearch

Elasticsearch is a distributed search and analytics engine capable of handling large volumes of data.

Installation

Adding the Elasticsearch GPG key and repository

sudo apt update

curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg

echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

Installing Elasticsearch

sudo apt-get update
sudo apt-get install elasticsearch -y

Configuration

Editing the Elasticsearch configuration file

sudo nano /etc/elasticsearch/elasticsearch.yml

cluster.name: high-a-elk
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
discovery.seed_hosts: ["10.128.0.2", "10.128.0.3", "10.128.0.4"]
cluster.initial_master_nodes: ["node-1", "node-2", "node-3"]

Starting and enabling Elasticsearch

sudo systemctl daemon-reload
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

Checking the Status

sudo systemctl status elasticsearch

If Elasticsearch is running correctly, you should see something similar to this:

Elasticsearch should be running on port 9200. You can test it with cURL and a GET request.

curl -X GET "http://localhost:9200"
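
The elasticsearch.yml above binds to every interface, and on 7.x with the default basic license the security features stay off unless they are switched on, so port 9200 answers anyone who can reach it. The following Python check is an added example, not part of the original tutorial; the `HARDENED` variant and the function names are assumptions made for illustration, and the certificate settings that TLS also needs are not shown.

```python
# elasticsearch.yml as given on this page (path.* lines omitted for brevity).
PAGE_CONFIG = """\
cluster.name: high-a-elk
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["10.128.0.2", "10.128.0.3", "10.128.0.4"]
cluster.initial_master_nodes: ["node-1", "node-2", "node-3"]
"""

# Constructed variant (an assumption, not from the page): bind to the node's
# private address and turn on authentication plus TLS on both layers.
HARDENED = PAGE_CONFIG.replace("0.0.0.0", "10.128.0.2") + """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
"""

WILDCARD_BINDS = {"0.0.0.0", "::"}

def parse_flat_settings(text):
    """Parse the flat 'dotted.key: value' form used above (not full YAML)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def audit(text):
    """Return a list of exposure findings for one elasticsearch.yml."""
    s = parse_flat_settings(text)
    enabled = lambda key: s.get(key, "false").lower() == "true"
    findings = []
    if s.get("network.host") in WILDCARD_BINDS:
        findings.append("network.host listens on every interface")
    # 7.x with the default basic license leaves security off unless set.
    if not enabled("xpack.security.enabled"):
        findings.append("xpack.security.enabled is not true: no authentication")
    else:
        for layer in ("transport", "http"):
            if not enabled(f"xpack.security.{layer}.ssl.enabled"):
                findings.append(f"{layer} layer is not using TLS")
    return findings
```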

4. Logstash

Logstash: A data processing pipeline that collects and processes data from various sources and sends it to destinations like Elasticsearch.

Installation

Install Logstash

sudo apt install logstash -y

Configuration

Editing the Logstash configuration file

sudo nano /etc/logstash/conf.d/logstash.conf

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://10.128.0.2:9200", "http://10.128.0.3:9200", "http://10.128.0.4:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

Starting and enabling Logstash

sudo systemctl start logstash
sudo systemctl enable logstash

Checking the Status

sudo systemctl status logstash

If Logstash is running correctly, you should see something similar to this:

5. Kibana

Kibana: A data visualization tool used for searching and visualizing data in Elasticsearch.

Dashboard: A collection of visualizations and searches.

Visualization: Graphical representations of data.

Index Pattern: Defines which indices Kibana should use.

Installation

Installing Kibana

sudo apt install kibana -y

Configuration

Editing the Kibana configuration file

sudo nano /etc/kibana/kibana.yml

server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts:
  ["http://10.128.0.2:9200", "http://10.128.0.3:9200", "http://10.128.0.4:9200"]

Starting and enabling Kibana

sudo systemctl daemon-reload
sudo systemctl start kibana
sudo systemctl enable kibana

Checking the Status

sudo systemctl status kibana

If Kibana is running correctly, you should see something similar to this:

6. Cluster Validation

Verify Cluster Health

To ensure that your ELK (Elasticsearch, Logstash, Kibana) stack is highly available and can tolerate the failure of one node, follow these steps to validate and test the setup.

curl -X GET 'http://localhost:9200/_cluster/health?pretty'

You should see a response indicating the cluster status. A healthy cluster will show "status" : "green" or "status" : "yellow" (yellow indicates some replicas are not allocated, but the cluster is functional).

Stopping One Elasticsearch Node

Next, stop the Elasticsearch service on one of the nodes to simulate a failure.

Verify Cluster Health After Stopping a Node

Check the cluster health again to see if the cluster is still operational.

The cluster health is currently “green,” which is good and indicates that the cluster is fully functional with no unassigned shards. However, it shows that there are only 2 nodes active instead of the expected 3.
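
Because the cluster can report green while a node is missing, as in the result above, a monitoring check should compare `number_of_nodes` with the expected count instead of reading `status` alone. The following Python check is an added example, not part of the original tutorial; the sample response is constructed, and it assumes all three nodes are master-eligible, as in the elasticsearch.yml shown earlier.

```python
import json

# Constructed sample: shape of a GET /_cluster/health reply after one of the
# three nodes is stopped (shard counts are illustrative, not from the page).
SAMPLE_AFTER_STOP = json.dumps({
    "cluster_name": "high-a-elk", "status": "green", "timed_out": False,
    "number_of_nodes": 2, "number_of_data_nodes": 2,
    "active_primary_shards": 5, "active_shards": 10,
    "unassigned_shards": 0, "active_shards_percent_as_number": 100.0,
})

def evaluate_health(raw, expected_nodes=3):
    """Return (severity, findings) for one _cluster/health response body."""
    h = json.loads(raw)
    nodes = h["number_of_nodes"]
    # Assumption: every expected node is master-eligible, so electing a
    # master needs a majority of expected_nodes.
    quorum = expected_nodes // 2 + 1
    findings = []
    if h.get("timed_out"):
        findings.append("health request timed out")
    if h["status"] == "red":
        findings.append("red: at least one primary shard is unassigned")
    elif h["status"] == "yellow":
        findings.append(f"yellow: {h.get('unassigned_shards', 0)} replica shard(s) unassigned")
    if nodes < expected_nodes:
        spare = max(nodes - quorum, 0)
        findings.append(f"{expected_nodes - nodes} node(s) missing; {spare} "
                        "further failure(s) tolerated before quorum is lost")
    if h["status"] == "red" or h.get("timed_out") or nodes < quorum:
        return "critical", findings
    return ("degraded" if findings else "ok"), findings

if __name__ == "__main__":
    print(evaluate_health(SAMPLE_AFTER_STOP))
```

With three master-eligible nodes the quorum is two, so the two-node state shown above is still writable but cannot absorb another failure.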

7. Filebeat

Filebeat: A lightweight shipper for forwarding and centralizing log data. It monitors log files and sends log events to Logstash or Elasticsearch.

Installation

Installing Filebeat

sudo apt-get install filebeat

Configuration

Editing the Filebeat configuration file

sudo nano /etc/filebeat/filebeat.yml

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/*.log
      - /var/log/syslog

output.elasticsearch:
  hosts:
    [
      "http://10.128.0.2:9200",
      "http://10.128.0.3:9200",
      "http://10.128.0.4:9200",
    ]
  protocol: "http"

Starting and enabling Filebeat

sudo systemctl enable filebeat
sudo systemctl start filebeat

Checking the status

sudo systemctl status filebeat

8. Final Testing

Creating a Test Log Entry

For testing, I will create a log entry with the logger command. The logger command is a utility in Unix-like operating systems that allows you to add messages to the system log. It provides a simple way to create log entries that can be handled by the system’s logging infrastructure (e.g., syslog).

logger "Test log entry from Filebeat"

Creating Index Pattern

Open Kibana:

Creating index patterns in Kibana is essential for managing and querying the data stored in Elasticsearch indices.

Searching for the Test Log Entry

In the Kibana “Discover” section, use the following query to find your test log entry:

message:"Test log entry from Filebeat"

Conclusion

In this tutorial, you’ve learned how to install and configure a highly available Elastic Stack.