{"id":10218,"date":"2021-08-28T23:43:30","date_gmt":"2021-08-28T20:43:30","guid":{"rendered":"https:\/\/kifarunix.com\/?p=10218"},"modified":"2024-03-18T18:34:40","modified_gmt":"2024-03-18T15:34:40","slug":"install-elk-stack-on-debian-11","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-elk-stack-on-debian-11\/","title":{"rendered":"Install ELK Stack on Debian 11"},"content":{"rendered":"\n<p>Welcome to our guide on how to install ELK Stack on Debian 11.&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.elastic.co\/what-is\/elk-stack\" target=\"_blank\">ELK<\/a>, currently known as Elastic Stack, is the acronym for the open source projects comprising;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Elasticsearch<\/strong>: a search and analytics engine<\/li>\n\n\n\n<li><strong>Kibana<\/strong>: a data visualization and dashboarding tool that enables you to analyze data stored in Elasticsearch.<\/li>\n\n\n\n<li><strong>Logstash<\/strong>: a server\u2011side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then stashes it in a search and analytics engine like Elasticsearch.<\/li>\n\n\n\n<li><strong>Beats<\/strong>, on the other hand, are the log shippers that collect logs from different endpoints and send them either to Logstash or directly to Elasticsearch.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Installing ELK Stack on Debian 11<\/h2>\n\n\n\n<p>Installation of Elastic Stack follows a specific order. 
Below is the order in which the Elastic Stack components are installed;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install Elasticsearch<\/li>\n\n\n\n<li>Install Kibana<\/li>\n\n\n\n<li>Install Logstash<\/li>\n\n\n\n<li>Install Beats<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Run system update<\/h3>\n\n\n\n<p>Before you can start the installation, ensure that the system packages are up-to-date.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install and Configure Elasticsearch on Debian 11<\/h3>\n\n\n\n<p>You can install Elasticsearch automatically from the Elastic repos, or you can download the Elasticsearch DEB package and install it. However, to simplify the installation of all Elastic Stack components, we will set up the Elastic Stack APT repository;<\/p>\n\n\n\n<p>Import the Elastic Stack PGP repository signing key;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install curl gnupg2 -y<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>curl -sL https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch | gpg --dearmor &gt; \/etc\/apt\/trusted.gpg.d\/elastic.gpg<\/code><\/pre>\n\n\n\n<p>Create the Elastic Stack 7.x APT repository;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"deb https:\/\/artifacts.elastic.co\/packages\/7.x\/apt stable main\" | tee \/etc\/apt\/sources.list.d\/elastic-7.x.list<\/code><\/pre>\n\n\n\n<p>Update the package cache and install Elasticsearch;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt update<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install elasticsearch<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Configure Elasticsearch on Debian 11<\/h4>\n\n\n\n<p>There are only a few configuration changes we are going to make in this tutorial. First off, we configure ES to listen on a specific interface IP to allow external access. 
Elasticsearch is listening on&nbsp;<strong>localhost<\/strong>&nbsp;by default.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Elasticsearch Cluster Name<\/h4>\n\n\n\n<p>You can choose to change the default cluster name;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/cluster.name:\/s\/#\/\/;s\/my-application\/kifarunix-demo\/' \/etc\/elasticsearch\/elasticsearch.yml<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Update the Network Settings<\/h4>\n\n\n\n<p>Define an address on which to expose the Elasticsearch node on the network. By default, Elasticsearch is only accessible on localhost.<\/p>\n\n\n\n<p>Replace the IP address, <strong><code>192.168.58.25<\/code><\/strong>, accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/network.host:\/s\/#\/\/;s\/192.168.0.1\/192.168.58.25\/' \/etc\/elasticsearch\/elasticsearch.yml<\/code><\/pre>\n\n\n\n<p>Define a specific Elasticsearch HTTP port. 
<\/p>\n\n\n\n<p>By default, Elasticsearch listens for HTTP traffic on the first free port it finds starting at 9200.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/http.port:\/s\/#\/\/' \/etc\/elasticsearch\/elasticsearch.yml<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Cluster Discovery Settings<\/h4>\n\n\n\n<p>When you set network.host to an interface IP address, Elasticsearch expects to be part of a cluster.<\/p>\n\n\n\n<p>But since we are running a single-node Elasticsearch in our setup, you need to specify this in the configuration by adding the line&nbsp;<strong><code>discovery.type: single-node<\/code><\/strong>&nbsp;to the Elasticsearch configuration file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo '<strong>discovery.type: single-node<\/strong>' &gt;&gt; \/etc\/elasticsearch\/elasticsearch.yml<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/master\/setup-configuration-memory.html\" target=\"_blank\" rel=\"noreferrer noopener\">Disable Swapping<\/a><\/h4>\n\n\n\n<p>Uncomment <code>bootstrap.memory_lock: true<\/code> so that Elasticsearch locks its memory and it is not swapped out;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/bootstrap.memory_lock:\/s\/^#\/\/' \/etc\/elasticsearch\/elasticsearch.yml<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Configure JVM Settings<\/h4>\n\n\n\n<p>Next, configure the JVM heap size to no more than half of your system memory. 
In this case, our test server has 2G RAM and the heap size is set to 512M for both the maximum and minimum sizes.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/4g\/s\/^## \/\/;s\/4g\/512m\/' \/etc\/elasticsearch\/jvm.options<\/code><\/pre>\n\n\n\n<p>Those are the only changes we make to Elasticsearch in this guide.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Running Elasticsearch<\/h4>\n\n\n\n<p>Start and enable Elasticsearch to run on system boot;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now elasticsearch<\/code><\/pre>\n\n\n\n<p>To check the status;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl status elasticsearch<\/code><\/pre>\n\n\n\n<p>You can also verify the ES status using the curl command. Replace the IP accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl http:\/\/IP-Address:9200<\/code><\/pre>\n\n\n\n<p>If you get output like the following, all is well.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>{\n  \"name\" : \"debian11\",\n  \"cluster_name\" : \"kifarunix-demo\",\n  \"cluster_uuid\" : \"HBhGJdjbTAWXkSZ5rm2bwQ\",\n  \"version\" : {\n    \"number\" : \"7.14.0\",\n    \"build_flavor\" : \"default\",\n    \"build_type\" : \"deb\",\n    \"build_hash\" : \"dd5a0a2acaa2045ff9624f3729fc8a6f40835aa1\",\n    \"build_date\" : \"2021-07-29T20:49:32.864135063Z\",\n    \"build_snapshot\" : false,\n    \"lucene_version\" : \"8.9.0\",\n    \"minimum_wire_compatibility_version\" : \"6.8.0\",\n    \"minimum_index_compatibility_version\" : \"6.0.0-beta1\"\n  },\n  \"tagline\" : \"You Know, for Search\"\n}\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Install Kibana on Debian 11<\/h3>\n\n\n\n<p>Since we have already set up the Elastic repos, simply install Kibana by running the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install kibana<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring Kibana<\/h3>\n\n\n\n<p>Kibana is set to run on&nbsp;<strong>localhost:5601<\/strong>&nbsp;by 
default.<\/p>\n\n\n\n<p>To allow external access, edit the configuration file and replace the value of&nbsp;<code>server.host<\/code>&nbsp;with an interface IP.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/server.port:\/s\/^#\/\/' \/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/server.host:\/s\/^#\/\/;s\/localhost\/192.168.58.25\/' \/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n<p>Set the Elasticsearch URL. In this setup, Elasticsearch is listening on 192.168.58.25:9200. Hence, replace the address accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/elasticsearch.hosts:\/s\/^#\/\/;s\/localhost\/192.168.58.25\/' \/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n<p>If you need to secure Kibana by proxying it with Nginx, you can check how to do so in our previous guide by following the link below;<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-elastic-stack-7-on-ubuntu-18-04-debian-9-8\/#proxykibanawithnginx\" target=\"_blank\">Configure Nginx with SSL to Proxy Kibana<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Running Kibana<\/h4>\n\n\n\n<p>Once the installation is done, start and enable Kibana to run on system boot.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now kibana<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Access Kibana Dashboard<\/h4>\n\n\n\n<p>You can now access Kibana from your browser using the URL&nbsp;<code>http:\/\/&lt;server-IP&gt;:5601<\/code>.<\/p>\n\n\n\n<p>If UFW is running, open the Kibana port;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ufw allow 5601\/tcp<\/code><\/pre>\n\n\n\n<p>Upon accessing the Kibana interface, on the welcome page, you are prompted on whether to get started with Kibana sample data. Since we do not have any data in our cluster yet, just click <strong>Explore on my own<\/strong>. 
Then proceed to the Kibana interface.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1895\" height=\"813\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/kibana-home.png\" alt=\"\" class=\"wp-image-10248\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/kibana-home.png?v=1630182111 1895w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/kibana-home-768x329.png?v=1630182111 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/kibana-home-1536x659.png?v=1630182111 1536w\" sizes=\"(max-width: 1895px) 100vw, 1895px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Install Logstash on Debian 11<\/h3>\n\n\n\n<p>Logstash is optional. However, if you want to install it, simply run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install logstash<\/code><\/pre>\n\n\n\n<p>Once the installation is done, configure Logstash to process any data to be collected from the remote hosts. Follow the link below to learn how to configure Logstash.<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-and-configure-logstash-7-on-ubuntu-18-debian-9-8\/#configurelogstash\" target=\"_blank\">How to Configure Logstash data processing pipeline<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-filebeat-ubuntu-20.04\">Install Filebeat on Debian 11<\/h3>\n\n\n\n<p>Filebeat is a lightweight shipper for collecting, forwarding and centralizing event log data.<\/p>\n\n\n\n<p>It is installed as an agent on the servers you are collecting logs from. 
It can forward the logs it is collecting to either Elasticsearch or Logstash for indexing.<\/p>\n\n\n\n<p>To install Filebeat from the Elastic repos;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt install filebeat<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Filebeat to Collect System Logs<\/h3>\n\n\n\n<p>Once the installation is done, you can configure Filebeat to collect various logs.<\/p>\n\n\n\n<p>In this setup, Filebeat is installed on the Elastic node itself.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Filebeat Modules<\/h3>\n\n\n\n<p>Filebeat modules simplify the collection, parsing, and visualization of common log formats.<\/p>\n\n\n\n<p>Modules are disabled by default;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat modules list<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Enabled:\n\nDisabled:\nactivemq\napache\nauditd\naws\nawsfargate\nazure\nbarracuda\nbluecoat\ncef\ncheckpoint\ncisco\ncoredns\ncrowdstrike\ncyberark\ncyberarkpas\ncylance\nelasticsearch\nenvoyproxy\nf5\nfortinet\ngcp\ngoogle_workspace\ngooglecloud\ngsuite\nhaproxy\nibmmq\nicinga\niis\nimperva\ninfoblox\niptables\njuniper\nkafka\nkibana\nlogstash\nmicrosoft\nmisp\nmongodb\nmssql\nmysql\nmysqlenterprise\nnats\nnetflow\nnetscout\nnginx\no365\nokta\noracle\nosquery\npanw\npensando\npostgresql\nproofpoint\nrabbitmq\nradware\nredis\nsanta\nsnort\nsnyk\nsonicwall\nsophos\nsquid\nsuricata\nsystem\nthreatintel\ntomcat\ntraefik\nzeek\nzookeeper\nzoom\nzscaler\n<\/code><\/pre>\n\n\n\n<p>The module configuration files reside in the <code><strong>\/etc\/filebeat\/modules.d\/<\/strong><\/code> directory.<\/p>\n\n\n\n<p>Disabled modules have a <strong><code>.disabled<\/code><\/strong> suffix on their configuration file names.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls \/etc\/filebeat\/modules.d\/<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>activemq.yml.disabled\t crowdstrike.yml.disabled\thaproxy.yml.disabled\tmisp.yml.disabled\t      osquery.yml.disabled     
sophos.yml.disabled\napache.yml.disabled\t cyberarkpas.yml.disabled\tibmmq.yml.disabled\tmongodb.yml.disabled\t      panw.yml.disabled        squid.yml.disabled\nauditd.yml.disabled\t cyberark.yml.disabled\t\ticinga.yml.disabled\tmssql.yml.disabled\t      pensando.yml.disabled    suricata.yml.disabled\nawsfargate.yml.disabled  cylance.yml.disabled\t\tiis.yml.disabled\tmysqlenterprise.yml.disabled  postgresql.yml.disabled  system.yml.disabled\naws.yml.disabled\t elasticsearch.yml.disabled\timperva.yml.disabled\tmysql.yml.disabled\t      proofpoint.yml.disabled  threatintel.yml.disabled\nazure.yml.disabled\t envoyproxy.yml.disabled\tinfoblox.yml.disabled\tnats.yml.disabled\t      rabbitmq.yml.disabled    tomcat.yml.disabled\nbarracuda.yml.disabled\t f5.yml.disabled\t\tiptables.yml.disabled\tnetflow.yml.disabled\t      radware.yml.disabled     traefik.yml.disabled\nbluecoat.yml.disabled\t fortinet.yml.disabled\t\tjuniper.yml.disabled\tnetscout.yml.disabled\t      redis.yml.disabled       zeek.yml.disabled\ncef.yml.disabled\t gcp.yml.disabled\t\tkafka.yml.disabled\tnginx.yml.disabled\t      santa.yml.disabled       zookeeper.yml.disabled\ncheckpoint.yml.disabled  googlecloud.yml.disabled\tkibana.yml.disabled\to365.yml.disabled\t      snort.yml.disabled       zoom.yml.disabled\ncisco.yml.disabled\t google_workspace.yml.disabled\tlogstash.yml.disabled\tokta.yml.disabled\t      snyk.yml.disabled        zscaler.yml.disabled\ncoredns.yml.disabled\t gsuite.yml.disabled\t\tmicrosoft.yml.disabled\toracle.yml.disabled\t      sonicwall.yml.disabled\n<\/code><\/pre>\n\n\n\n<p>To enable a module, use the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat modules enable name-of-module<\/code><\/pre>\n\n\n\n<p>For the purposes of simplicity, we have configured Filebeat to collect syslog and authentication logs via the Filebeat system module.<\/p>\n\n\n\n<p>To enable system module, run the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat modules enable 
system<\/code><\/pre>\n\n\n\n<p>By default, this module collects system and auth events. See the default configuration file contents.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/etc\/filebeat\/modules.d\/system.yml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code># Module: system\n# Docs: https:\/\/www.elastic.co\/guide\/en\/beats\/filebeat\/7.x\/filebeat-module-system.html\n\n- module: system\n  # Syslog\n  syslog:\n    enabled: true\n\n    # Set custom paths for the log files. If left empty,\n    # Filebeat will choose the paths depending on your OS.\n    #var.paths:\n\n  # Authorization logs\n  auth:\n    enabled: true\n\n    # Set custom paths for the log files. If left empty,\n    # Filebeat will choose the paths depending on your OS.\n    #var.paths\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure Filebeat Output<\/h3>\n\n\n\n<p>Filebeat can send the collected data to various outputs. We are using Elasticsearch in this case.<\/p>\n\n\n\n<p>Update the output section of the configuration file accordingly;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/filebeat\/filebeat.yml<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># ---------------------------- Elasticsearch Output ----------------------------\n<strong>output.elasticsearch:<\/strong>\n  # Array of hosts to connect to.\n  <strong>hosts: &#91;\"192.168.58.25:9200\"]<\/strong><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Filebeat Logging<\/h3>\n\n\n\n<p>Add the lines below at the end of the configuration file to configure Filebeat to write logs to its own log file instead of the syslog log file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>logging.level: info\nlogging.to_files: true\nlogging.files:\n  path: \/var\/log\/filebeat\n  name: filebeat\n  keepfiles: 7\n  permissions: 0644<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Filebeat Test Config<\/h3>\n\n\n\n<p>To test the configuration settings, run the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat 
test config<\/code><\/pre>\n\n\n\n<p>You should get the output <strong>Config OK<\/strong> if there is no issue.<\/p>\n\n\n\n<p>Test the Filebeat output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat test output<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>elasticsearch: http:\/\/192.168.58.25:9200...\n  parse url... OK\n  connection...\n    parse host... OK\n    dns lookup... OK\n    addresses: 192.168.58.25\n    dial up... OK\n  TLS... WARN secure connection disabled\n  talk to server... OK\n  version: 7.14.0\n<\/code><\/pre>\n\n\n\n<p>The <code>TLS... WARN secure connection disabled<\/code> line shows that Filebeat is talking to Elasticsearch over plain HTTP, as configured in this setup.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Load Filebeat Default Dashboards to Kibana<\/h3>\n\n\n\n<p>Load the sample dashboards to Kibana. Replace the addresses accordingly;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filebeat setup -e -E output.elasticsearch.hosts=&#91;'192.168.58.25:9200'] -E setup.kibana.host=192.168.58.25:5601<\/code><\/pre>\n\n\n\n<p>You can read more on <a href=\"https:\/\/www.elastic.co\/guide\/en\/beats\/filebeat\/current\/load-kibana-dashboards.html\" target=\"_blank\" rel=\"noreferrer noopener\">loading Kibana dashboards<\/a>.<\/p>\n\n\n\n<p>Restart Filebeat;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart filebeat<\/code><\/pre>\n\n\n\n<p>Ensure that the connection to the output is established;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail -f \/var\/log\/filebeat\/filebeat<\/code><\/pre>\n\n\n\n<p>Look for a line:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Connection to backoff(elasticsearch(http:\/\/192.168.58.25:9200)) established<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verify Elasticsearch Index Data Reception<\/h3>\n\n\n\n<p>Once you have configured Filebeat to ship logs to Elasticsearch, you can verify whether any data has been written to the defined index.<\/p>\n\n\n\n<p>By default, Filebeat creates an index named filebeat-%{BEATS_VERSION}-*.<\/p>\n\n\n\n<p>This can be verified by querying the status of the ES indices. 
Replace <strong>ES_IP<\/strong> with Elasticsearch IP address.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>curl -XGET http:\/\/ES_IP:9200\/_cat\/indices?v<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>health status index                             uuid                   pri rep docs.count docs.deleted store.size pri.store.size\ngreen  open   .geoip_databases                  TPscSzZvTzuoaJLvdiWlGA   1   0         42            0     40.8mb         40.8mb\ngreen  open   .kibana-event-log-7.14.0-000001   WdyhZsMdTki0hvFD26Ak2g   1   0          1            0      5.6kb          5.6kb\ngreen  open   .kibana_7.14.0_001                w7Z8x3fNStu-L7Nwvfz0zw   1   0         20            9      2.1mb          2.1mb\ngreen  open   .apm-custom-link                  exbd7_fXRO22JaVY-0L1HQ   1   0          0            0       208b           208b\n<strong>yellow open   filebeat-7.14.0-2021.08.28-000001 m4YpQ3_FTQ-PvhJdfKU6mQ   1   1      15982            0      2.9mb          2.9mb<\/strong>\ngreen  open   .apm-agent-configuration          _g73JKNBTfW2yE8qdf37Ag   1   0          0            0       208b           208b\ngreen  open   .kibana_task_manager_7.14.0_001   QzhwGQMYR9Gz_STeurQkaw   1   0         14         8301      996kb          996kb\n\n<\/code><\/pre>\n\n\n\n<p>From the output, you can see that our filebeat-7.14.0-*  index has data. 
For the meaning of the health color status, read more in the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/cluster-health.html\" target=\"_blank\">Cluster Health API<\/a> documentation.<\/p>\n\n\n\n<p>You can also check in the Kibana UI (<strong>Management tab (on the left side panel) &gt; Stack Management &gt; Data &gt; Index Management &gt; Indices<\/strong>).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1897\" height=\"560\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/index-management.png\" alt=\"\" class=\"wp-image-10249\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/index-management.png?v=1630182150 1897w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/index-management-768x227.png?v=1630182150 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/index-management-1536x453.png?v=1630182150 1536w\" sizes=\"(max-width: 1897px) 100vw, 1897px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Create Kibana Index Patterns<\/h3>\n\n\n\n<p>To visualize your data, you need to create a Kibana index pattern.<\/p>\n\n\n\n<p>Click on&nbsp;<strong>Management tab (on the left side panel) &gt; Stack Management &gt; Kibana &gt; Index Patterns &gt; Create Index Pattern<\/strong>.<\/p>\n\n\n\n<p>Enter the wildcard for your index name.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1901\" height=\"773\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/index-pattern.png\" alt=\"\" class=\"wp-image-10250\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/index-pattern.png?v=1630182176 1901w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/index-pattern-768x312.png?v=1630182176 768w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/index-pattern-1536x625.png?v=1630182176 1536w\" sizes=\"(max-width: 1901px) 100vw, 1901px\" \/><\/figure>\n\n\n\n<p>Click Next and select timestamp as the time filter.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1913\" height=\"608\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/index-timestamp.png\" alt=\"\" class=\"wp-image-10251\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/index-timestamp.png?v=1630182201 1913w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/index-timestamp-768x244.png?v=1630182201 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/index-timestamp-1536x488.png?v=1630182201 1536w\" sizes=\"(max-width: 1913px) 100vw, 1913px\" \/><\/figure>\n\n\n\n<p>Then click&nbsp;<strong>Create Index pattern<\/strong>&nbsp;to create your index pattern.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">View Data on Kibana<\/h4>\n\n\n\n<p>Once that is done, you can now view your event data on Kibana by clicking on the <strong>Discover<\/strong> tab on the left pane.<\/p>\n\n\n\n<p>Expand your time range accordingly.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1912\" height=\"884\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/events.png\" alt=\"\" class=\"wp-image-10252\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/events.png?v=1630183167 1912w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/events-768x355.png?v=1630183167 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/events-1536x710.png?v=1630183167 1536w\" sizes=\"(max-width: 1912px) 100vw, 1912px\" \/><\/figure>\n\n\n\n<p>And there you go.<\/p>\n\n\n\n<p>Sample dashboards, at least for SSH\/syslog events;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" 
width=\"1906\" height=\"866\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/sample-dashboards.png\" alt=\"\" class=\"wp-image-10253\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/sample-dashboards.png?v=1630183229 1906w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/sample-dashboards-768x349.png?v=1630183229 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/08\/sample-dashboards-1536x698.png?v=1630183229 1536w\" sizes=\"(max-width: 1906px) 100vw, 1906px\" \/><\/figure>\n\n\n\n<p>Reference<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/www.elastic.co\/guide\/en\/elastic-stack\/current\/installing-elastic-stack.html\" target=\"_blank\">Installing Elastic Stack<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/installing-elk-stack-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Installing ELK Stack on CentOS 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-elastic-stack-7-on-fedora-30-fedora-29-centos-7\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Elastic Stack 7 on Fedora 30\/Fedora 29\/CentOS 7<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-elastic-stack-7-on-ubuntu-18-04-debian-9-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Elastic Stack 7 on Ubuntu 18.04\/Debian 9.8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-icinga-2-and-icinga-web-2-on-ubuntu-20-04\/\">Install Icinga 2 and Icinga Web 2 on Ubuntu 20.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to our guide on how to install ELK Stack on Debian 11.&nbsp;ELK, currently known as Elastic Stack, is the acronym for open source 
projects<\/p>\n","protected":false},"author":1,"featured_media":9442,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,910,121],"tags":[3958,4032,964,1852,4033,4034,4035,4031,920],"class_list":["post-10218","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-elastic-stack","category-howtos","tag-debian-11","tag-debian-11-elk-stack","tag-elasticsearch","tag-elk-stack","tag-elk-stack-debian-11","tag-elk-stack-on-debian","tag-filebeat-debian-11","tag-install-elk-on-debian-11","tag-kibana","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10218"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=10218"}],"version-history":[{"count":3,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10218\/revisions"}],"predecessor-version":[{"id":21671,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/10218\/revisions\/21671"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/9442"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=10218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=10218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=10218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}