As more IT infrastructure moves to cloud computing, demand for cloud security tooling and log analysis platforms is growing rapidly. Whatever the size of the organization, it generates a large volume of data every day, and a good part of it is web server and application logs. Logs are one of the most valuable yet most often neglected sources of information: each file holds a record of what the systems actually did, but most of it is unstructured and unreadable in raw form. Without systematic analysis of this data, an enterprise misses both operational problems and signs of attack, which is exactly what log analysis tools exist for. The ELK Stack, or Elastic Stack, is a complete log analysis solution for searching, analyzing and visualizing logs produced by many different machines. This tutorial walks through it; first, the topics covered:

  • What is an ELK Stack?
  • ELK Stack architecture
  • ELK Stack installation
  • Elasticsearch tutorial
  • Logstash tutorial
  • Kibana tutorial

This tutorial will help you understand the basics of Elasticsearch, Logstash, and Kibana together and help you build a solid foundation in ELK Stack. First, let’s look at what an ELK Stack is.

What is an ELK Stack?

The ELK Stack, as it’s known, has recently been renamed Elastic Stack. It’s a powerful collection of three open source tools: Elasticsearch, Logstash, and Kibana. These three different products are most commonly used together for log analysis in different IT environments. Using the ELK Stack, you can perform centralized logging, which helps identify problems with your Web server or application. It enables you to search all logs in one place and identify problems across multiple servers by correlating logs from multiple servers within a specific time frame. Now let’s discuss these tools in detail.


Logstash

Logstash is the data collection pipeline of the stack. It is the first component a log passes through: it ingests events from many kinds of sources at once, parses and normalizes them, and forwards them to Elasticsearch, where they are available for search immediately.


Elasticsearch

Elasticsearch is a distributed search and analytics engine built on the Lucene library and exposed entirely through a REST API; it is used here as a NoSQL document store. It scales horizontally by adding nodes, stores all data centrally, and offers a rich query language for detailed analysis and fast document retrieval.


Kibana

Kibana is the visualization layer. It renders Elasticsearch documents so that developers and analysts can get immediate insight into them, offering interactive charts, maps for geospatial data and time series views built on Elasticsearch queries. You can create, save and share custom visualizations and dashboards for your own needs. The next section covers the ELK Stack architecture and how data flows through it.

ELK Stack architecture

The figure shows the ELK Stack architecture and the order in which logs flow through it. Logstash collects logs from a variety of sources and processes them according to the filter criteria you configure, then ships them to Elasticsearch, which indexes and stores them and answers search and analysis queries. Finally, Kibana reads from Elasticsearch so the logs can be visualized and explored on demand.

ELK Stack installation

Step I: Open www.elastic.co/downloads.
Step II: Select and download Elasticsearch.
Step III: Select and download Kibana.
Step IV: Select and download Logstash.
Step V: Unzip all three archives; each produces its own folder.

Download the three products at the same version: Kibana in particular checks the Elasticsearch version at startup and requires a node of the same version.

Install the Elasticsearch

Step VI: Open the Elasticsearch folder and go to its bin folder.
Step VII: Double-click elasticsearch.bat to start the Elasticsearch server.
Step VIII: Wait for the server to start.
Step IX: To check that it is running, open localhost:9200 in your browser. The node answers with a JSON document giving its name, cluster name and version.

Out of the box these builds listen only on 127.0.0.1 and, in the Elasticsearch and Kibana releases this tutorial was written against, accept requests without any authentication: anyone who can reach port 9200 can read, change or delete every index. Keep both services bound to localhost while following along, and enable security before exposing either of them on a network.

Install Kibana

Step X: Open the Kibana folder and go to its bin folder.
Step XI: Double-click kibana.bat to start the Kibana server.
Step XII: Wait for the Kibana server to start.
Step XIII: To check that it is running, open localhost:5601 in your browser.

Install the Logstash

Step XIV: Open the Logstash folder.
Step XV: To test the Logstash installation, open a command prompt, change into the Logstash folder and enter:

    bin\logstash -e "input { stdin { } } output { stdout {} }"

The -e flag takes the pipeline definition on the command line instead of a file. Inside cmd.exe the definition must be in double quotes; single quotes only work in PowerShell and Unix shells.


Step XVI: Wait until "Pipeline main started" appears at the command prompt.
Step XVII: Type a message at the command prompt and press Enter.
Step XVIII: Logstash adds a @timestamp and a host field (the machine's host name) to the message and prints the resulting event back to the console.

With the installation done, let's look at each tool in more depth, starting with Elasticsearch.


Elasticsearch

As mentioned earlier, Elasticsearch is a horizontally scalable search engine that runs on top of the Java-based Lucene library. It behaves as a NoSQL document store: data is kept as JSON documents rather than as rows in tables with a fixed relational schema, and it is not a transactional SQL database. The table that accompanies this section compares Elasticsearch terms with their relational-database counterparts. Now let's get familiar with the basic concepts. There are three main steps when working with Elasticsearch:

  1. Indexing
  2. Mapping
  3. Searching

Let’s talk in detail one by one.

Indexing

Indexing is the process of adding data to Elasticsearch. It is called indexing because, when a document is written, it is placed into an Apache Lucene index; Elasticsearch then uses those Lucene indexes to store and retrieve the data. In CRUD terms, indexing covers both create and update. A document is addressed as index name/type/ID, where name and type are required; if you omit the ID, Elasticsearch generates one. The request is an HTTP PUT against that path (PUT /name/type/ID) with the document, a JSON object of fields and values, as the body. This name/type/ID scheme is the one used by Elasticsearch 5 and 6; mapping types were removed in version 7, where the path becomes /name/_doc/ID and the search URLs below drop the type segment as well. Here is an example that creates a document for a U.S. customer:

    PUT /customer/US/1
    {
        "ID": 101,
        "FName": "James",
        "LName": "Butt",
        "Email": "jbutt@gmail.com",
        "City": "New Orleans",
        "Type": "VIP"
    }


The response reports "result": "created" with "_version": 1, confirming that the document has been stored and added to the index. If you now send a PUT to the same ID with different field values, Elasticsearch replaces the whole document with the new one:

    PUT /customer/US/1
    {
        "ID": 101,
        "FName": "James",
        "LName": "Butt",
        "Email": "jbutt@yahoo.com",
        "City": "Los Angeles",
        "Type": "VVIP"
    }


This time the response says "result": "updated" and the version counter has advanced to 2. Note that a plain PUT overwrites silently; to refuse writes to an ID that already exists, append ?op_type=create to the URL, and a second request for the same ID fails with HTTP 409 instead.


Mapping

Mapping is the process of defining the index schema: it tells Elasticsearch the data type of each field. If a document arrives with a field that has no mapping, Elasticsearch infers a generic type for it (strings become text with a .keyword sub-field, whole numbers become long). These guesses often do not suit the queries you write later, so define the mapping explicitly when you create the index. Two things to watch: the mapping belongs in the request that creates the index, so the PUT below fails with resource_already_exists_exception if you have already run the indexing examples above (delete the index with DELETE /customer first and re-index afterwards); and the aggregation example further down groups on Type.keyword, which only exists if Type is mapped as text with a keyword sub-field, as here, or directly as keyword.

    PUT /customer/
    {
        "mappings": {
            "US": {
                "properties": {
                    "ID":    { "type": "long" },
                    "FName": { "type": "text" },
                    "LName": { "type": "text" },
                    "Email": { "type": "text" },
                    "City":  { "type": "text" },
                    "Type": {
                        "type": "text",
                        "fields": {
                            "keyword": { "type": "keyword", "ignore_above": 256 }
                        }
                    }
                }
            }
        }
    }

When you execute the request, the response is an acknowledgement, {"acknowledged": true, ...}, and the index exists with the given schema.


Search

The generic form of a search against a specific index and type is:

POST index/type/_search


Now, let's fetch every customer document in the customer index:

POST /customer/US/_search


The response lists the matching documents under hits.hits, each with its _index, _type, _id, _score and _source, plus the total number of hits. When you want specific results rather than everything, Elasticsearch gives you three tools:

Using a query

With a query you search for documents whose fields match a condition. For example, here is a search for customers in the "VVIP" category:

    POST /customer/US/_search
    {
        "query": {
            "match": {
                "Type": "VVIP"
            }
        }
    }


Using filters

Filters narrow the result set by an exact condition and do not contribute to scoring. Here is a search for the VVIP customer whose ID is 101, written with post_filter as in the original tutorial:

    POST /customer/_search
    {
        "query": {
            "match": {
                "Type": "VVIP"
            }
        },
        "post_filter": {
            "match": {
                "ID": 101
            }
        }
    }


The single hit is the document indexed earlier. Be aware that post_filter runs after the query and after any aggregations have been computed, so it only trims the hits that are returned. For an ordinary narrowing condition, put the clause in the filter section of a bool query instead: there it also restricts the aggregations and the result is cached.

Using aggregations

Aggregations summarize the documents matched by a query, and small aggregations can be nested to build complex summaries. Here is a terms aggregation that counts how many customers there are of each Type; "size": 0 suppresses the hits themselves, since only the buckets are wanted. The field must be Type.keyword because a terms aggregation needs an exact-value field, not an analyzed text field:

    POST /customer/_search
    {
        "size": 0,
        "aggs": {
            "Cust_Types": {
                "terms": {
                    "field": "Type.keyword"
                }
            }
        }
    }

Now let’s look at how to retrieve the data set from the index.

Getting data

To fetch a single document by its ID, send an HTTP GET request in the following form:

GET index/type/id


Let's retrieve the customer whose document ID is 2:

GET /customer/US/2


If the document exists, the response contains "found": true together with its _source; for an ID that was never indexed, Elasticsearch answers with HTTP 404 and "found": false. Besides reading data, Elasticsearch lets you update and delete documents.

Deleting data

With the delete API you can remove unwanted documents from an index and reclaim storage. To delete a document, send an HTTP DELETE request in the following form:

DELETE index/type/id


Now let's remove the customer with document ID 2:

DELETE /customer/US/2


The response reports "result": "deleted", or HTTP 404 with "result": "not_found" if no such document exists. That covers the basic CRUD operations in Elasticsearch and the different kinds of search. Now let's move on to the next tool in the ELK Stack, Logstash.


Logstash

As discussed above, Logstash is a pipeline tool used to collect and forward logs or events. It is an open source data collection engine that ingests data from many sources, normalizes it, and ships it to a chosen destination. Through its input, filter and output plug-ins it can reshape events on the way through. At a minimum, a Logstash pipeline needs an input and an output plug-in specified in its configuration file. Here is the structure of a Logstash configuration file:

    input {
    }

    filter {
    }

    output {
    }


As you can see, the entire configuration file is divided into three sections, each containing configuration options for one or more plug-ins. The three parts are:

  1. Input
  2. Filter
  3. Output

You can also apply several filters in one configuration file; they run in the order in which they appear. Now let's write a pipeline that reads the US customer dataset from a CSV file and loads it into Elasticsearch:

    input {
        file {
            path => "E:/ELK/data/US_Customer_List.csv"
            start_position => "beginning"
            # Windows has no /dev/null; "NUL" plays the same role. Either value makes Logstash
            # forget how far it read, so every restart re-reads the whole file from the start.
            sincedb_path => "NUL"
        }
    }
    filter {
        csv {
            separator => ","
            columns => ["Cust_ID", "Cust_Fname", "Cust_Lname", "Cust_Email", "Cust_City", "Cust_Type"]
            # Drop the header row; without this it becomes a document whose Cust_ID is the
            # string "Cust_ID" (option available in recent versions of the csv filter).
            skip_header => true
        }
        mutate {
            convert => { "Cust_ID" => "integer" }
        }
    }
    output {
        elasticsearch {
            hosts => ["localhost:9200"]
            index => "customers"
            # document_type is deprecated from Elasticsearch 6 and removed later; omit it on current clusters.
            document_type => "US_Based_Cust"
        }
        stdout {}
    }

To load the CSV data into Elasticsearch, run Logstash with this configuration:

  1. Open a command prompt.
  2. Go to the bin directory of the Logstash folder.
  3. Enter logstash -f X:/foldername/config_filename.config and press Enter. Once the pipeline has started, Logstash reads the file and sends the rows to Elasticsearch.

To check that the data was inserted, open the Console in Kibana's Dev Tools and run GET /customers/_count; the count in the response should equal the number of data rows in the CSV (GET /customers on its own returns the index's settings and mappings, not a count). Because sincedb_path points at the null device, restarting Logstash re-reads the file and indexes every row again under new auto-generated IDs, so the count doubles with each run; for anything beyond a one-off load, keep a real sincedb file or set document_id in the elasticsearch output to a stable field such as Cust_ID. To visualize this data you need the last tool of the ELK Stack, Kibana, which the next part of the tutorial covers.
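As an added example that is neither Logstash nor the page's configuration, the script below re-implements what the csv and mutate filters above do to each line, so you can see the events they yield, and serialises the result as an Elasticsearch _bulk payload for the "customers" index. The column names are the ones from the Logstash config; the CSV text is constructed for this example, and the host name is a placeholder. It also shows the two edge cases discussed above: the header row being indexed as a document when it is not skipped, and re-runs duplicating documents unless a stable _id is used.

```python
"""Added example: what the tutorial's Logstash CSV pipeline produces, in plain Python.

This is not Logstash and not the page's configuration; it re-implements the
csv and mutate filter steps to show the events they yield, and serialises them
as an Elasticsearch _bulk payload for the "customers" index. The column names
come from the Logstash config; the CSV text below is constructed for this
example, and the host name is a placeholder.
"""
import csv
import datetime as dt
import json
from typing import Any, Dict, List, Optional

COLUMNS = ["Cust_ID", "Cust_Fname", "Cust_Lname", "Cust_Email", "Cust_City", "Cust_Type"]

# Constructed input: a header row, two valid records and one record with a non-numeric ID.
SAMPLE_CSV = """Cust_ID,Cust_Fname,Cust_Lname,Cust_Email,Cust_City,Cust_Type
101,James,Butt,jbutt@gmail.com,New Orleans,VIP
102,Ann,Lee,alee@example.com,Brighton,Regular
x9,Art,Venere,av@example.com,Bridgeport,VIP
"""


def parse_events(text: str, columns: List[str] = COLUMNS, skip_header: bool = True,
                 host: str = "workstation") -> List[Dict[str, Any]]:
    """Turn CSV text into Logstash-style events.

    Mirrors `csv { columns => [...] }` followed by
    `mutate { convert => { "Cust_ID" => "integer" } }`, plus the @timestamp, host
    and message fields Logstash adds to every event. With skip_header=False the
    header line becomes an event whose Cust_ID is the literal string "Cust_ID",
    which is what the tutorial's config does as written. A Cust_ID that is not an
    integer is kept as a string and the event is tagged, so the bad record is
    visible in the index rather than silently wrong.
    """
    events: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = next(csv.reader([line]))
        if skip_header and row == columns:
            continue
        event: Dict[str, Any] = {
            "@timestamp": dt.datetime.now(dt.timezone.utc).isoformat(),
            "host": host,
            "message": line,
        }
        # Columns beyond the named ones are dropped here (Logstash would call them column7, ...).
        event.update(zip(columns, row))
        try:
            event["Cust_ID"] = int(event["Cust_ID"])
        except (KeyError, ValueError):
            event["tags"] = ["_cust_id_not_integer"]
        events.append(event)
    return events


def bulk_payload(events: List[Dict[str, Any]], index: str = "customers",
                 id_field: Optional[str] = "Cust_ID") -> str:
    """Serialise events as an Elasticsearch _bulk body: one action line and one
    document line per event, as NDJSON with the trailing newline the API requires.

    Using the integer Cust_ID as _id makes re-running the load idempotent. The
    tutorial's Logstash output sets no document_id, so each restart with
    sincedb_path pointing at the null device re-indexes the file as duplicates.
    Events without a usable ID fall back to an auto-generated _id.
    """
    lines: List[str] = []
    for event in events:
        action: Dict[str, Any] = {"index": {"_index": index}}
        if id_field and isinstance(event.get(id_field), int):
            action["index"]["_id"] = str(event[id_field])
        lines.append(json.dumps(action))
        lines.append(json.dumps(event))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    events = parse_events(SAMPLE_CSV)
    for event in events:
        print(json.dumps(event))
    print("--- POST /_bulk body ---")
    print(bulk_payload(events), end="")
```

The payload can be sent as the body of POST /_bulk with Content-Type application/x-ndjson; the Logstash output plug-in does the same batching for you behind the scenes.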


Kibana

As mentioned earlier, Kibana is an open source visualization and analysis tool. It presents the data that the Logstash pipeline has shipped into Elasticsearch: you can search, view and interact with the stored documents and render them as charts, tables and maps. Its browser-based interface makes large volumes of data approachable and reflects new data as soon as Elasticsearch has indexed it, and dashboards are easy to create, customize, save and share. Once you know how Elasticsearch and Logstash work, Kibana is quick to learn. This part of the tutorial walks through the pages you need to analyze your data.

Management page

This is where Kibana's runtime configuration is done. Before Kibana can show any data you have to tell it which indexes to read, as in the example where I configured an entry for the "customer" index. In the Index pattern field, enter the name of the index (or a wildcard pattern matching several). In the Time Filter field name, choose @timestamp for the Logstash-fed index, since Logstash stamps every event; the hand-indexed customer documents have no time field, so for those pick the option not to use a time filter. Then click Create. Once the pattern is created, Kibana shows the fields it found and their types, and you can adjust per-field settings from the drop-downs as needed. You can also delete an index pattern here, but that only removes Kibana's view of the data; the documents themselves are removed with the Elasticsearch DELETE index API.

Discover page

On the Discover page you can browse the documents in every index matching the selected index pattern, inspect the fields of each document and run search queries over them. In the screenshot I am searching for "VIP" customers from "Los Angeles", and as you can see there is only one VIP customer from Los Angeles.

Visualize page

The Visualize page turns data from an Elasticsearch index into line charts, bar charts, pie charts and other visualizations; the figures it shows are computed with Elasticsearch aggregation queries, and the saved visualizations are what dashboards are assembled from. When you open the page you can search for a saved visualization or create a new one, choosing from the available visualization types. Here is how to visualize the US customer data by customer type:

  1. Select the visualization type (a pie chart here).
  2. Under Buckets, choose a Terms aggregation from the drop-down list.
  3. In Field, select the field to group on (Cust_Type.keyword for the Logstash-loaded index).
  4. Optionally set the order and the number of buckets (size).
  5. Apply the changes to render the pie chart.

Dashboard page

The Dashboard page displays a collection of saved visualizations. Here, you can add new visualizations or use any saved visualizations.

Timelion page

Timelion is a time series visualization tool that can combine independent data sources in one chart. It is driven by a one-line expression language for retrieving time series data, performing calculations on it and plotting the result; for example, .es(index=customers, timefield=@timestamp) plots the number of documents in the customers index over time.

Development tools page

Kibana's Dev Tools page contains the Console (the successor to the Sense plug-in), an editor for sending requests directly to Elasticsearch and viewing the responses; it is the tool used for the Elasticsearch examples earlier in this tutorial. Here is an example where I use it to search the customers index for documents of type US_Based_Cust. That's the end of this article. You can now load, search and analyze any data using Logstash, Elasticsearch and Kibana.