Step‑by‑Step Guide to Deploy a Centralized ELK Stack for Log Management on a Linux VPS
Modern applications generate a flood of logs that are crucial for troubleshooting, security audits, and performance tuning. Scattered log files across multiple services quickly become unreadable, and manual inspection is error‑prone. This tutorial shows you how to install and configure the ELK Stack (Elasticsearch, Logstash, Kibana) on a fresh Linux VPS, collect logs with Filebeat, and visualize them in real time.
Prerequisites
- A clean Ubuntu 22.04 (or Debian‑based) VPS with root or sudo access.
- Basic familiarity with Linux command line and package management.
- Port 22 (SSH) open in your firewall, plus 80 and 443 once Nginx fronts Kibana in step 9. Leave 9200 (Elasticsearch) closed: it is bound to localhost in this guide and must never be reachable from the internet. Open 5601 (Kibana) only until the reverse proxy is in place, and 5044 (Logstash Beats input) only if Filebeat agents on other hosts will ship to this one.
- At least 2 GB RAM, and preferably 4 GB: Elasticsearch and Logstash each run a JVM and Kibana a Node.js process, and 2 GB leaves little headroom for the OS.
1. Provision a Reliable Cloud VPS
If you don’t already have a server, you can spin up a lightweight Cloud VPS with 1 vCPU, 2 GB RAM and SSD storage. The minimal cost and quick deployment make it perfect for a logging node.
2. Java (Bundled with Elasticsearch & Logstash)
Elasticsearch 8.x and Logstash 8.x ship with their own bundled JDK, so no system Java is required. An external JDK is only used if you point ES_JAVA_HOME (Elasticsearch) or LS_JAVA_HOME (Logstash) at it, and Elasticsearch 8 then requires Java 17 or later. If you want a system JDK anyway, for example for other tooling on the host:
sudo apt update
sudo apt install -y openjdk-17-jdk
java -version # confirm the installation
3. Add the Elastic APT Repository
Elastic provides signed packages for Debian‑based systems. apt-key is deprecated on Ubuntu 22.04, so store the signing key in a dedicated keyring and bind it to the repository with signed-by, which keeps the Elastic key from being trusted for every other repository on the system.
sudo apt install -y apt-transport-https gnupg
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | \
sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update
4. Install Elasticsearch
Elasticsearch stores and indexes log data. We’ll configure it to listen only on localhost. The 8.x package enables security automatically on first install: it turns on authentication and TLS for the HTTP and transport layers, generates a CA under /etc/elasticsearch/certs, and prints the password of the built-in elastic superuser to the terminal at the end of apt install. Copy that password now; if you lose it, reset it with sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic.
sudo apt install -y elasticsearch
# Edit the config
sudo nano /etc/elasticsearch/elasticsearch.yml
Set the following options (add if missing):
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
Two lines the installer appends at the bottom of the file must be commented out: http.host: 0.0.0.0 (it overrides network.host for the REST port and would expose 9200 on every interface, which is how unauthenticated cluster exposures usually happen) and cluster.initial_master_nodes (Elasticsearch refuses to start when it is set together with discovery.type: single-node). Leave the xpack.security.* lines the installer wrote in place.
Enable and start the service:
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
# Verify: the HTTP layer is TLS-only and authenticated, so trust the generated CA and log in as elastic
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200
A plain curl to http://localhost:9200 now fails by design. After the node is up, confirm with ss -ltnp that 9200 and 9300 are bound to 127.0.0.1 and not 0.0.0.0.
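The two installer lines are easy to miss in a long elasticsearch.yml. The following script is an added example written for this guide, not part of the page or of Elasticsearch: a small POSIX sh lint that reads the file and reports the settings that leave port 9200 reachable or keep the node from starting. The two embedded configs are constructed samples and the host name vps01 is made up.

```shell
#!/bin/sh
# Static lint for /etc/elasticsearch/elasticsearch.yml (added example; not
# part of the guide or of Elasticsearch). It flags the three things that go
# wrong most often after "network.host: 127.0.0.1" is added to an 8.x
# install: the installer's "http.host: 0.0.0.0" still wins for port 9200,
# "cluster.initial_master_nodes" clashes with "discovery.type: single-node",
# and security switched off. POSIX sh + awk only.
#
# Real-host usage:  lint_es_config < /etc/elasticsearch/elasticsearch.yml

# Print the effective value of a top-level "key: value" setting read from
# stdin. Comment lines are ignored; the last live occurrence wins.
effective_setting() {
    awk -v key="$1" '
        /^[[:space:]]*#/ { next }
        $1 == (key ":") {
            v = $0
            sub(/^[^:]*:[[:space:]]*/, "", v)     # strip "key: "
            sub(/[[:space:]]*#.*$/, "", v)         # strip trailing comment
            val = v
        }
        END { print val }'
}

# Read a config on stdin, print FAIL/OK lines, return the number of findings.
lint_es_config() {
    cfg=$(cat)
    findings=0
    net=$(printf '%s\n' "$cfg" | effective_setting network.host)
    http=$(printf '%s\n' "$cfg" | effective_setting http.host)
    disc=$(printf '%s\n' "$cfg" | effective_setting discovery.type)
    masters=$(printf '%s\n' "$cfg" | effective_setting cluster.initial_master_nodes)
    sec=$(printf '%s\n' "$cfg" | effective_setting xpack.security.enabled)

    # http.host overrides network.host for the REST listener.
    bind=${http:-$net}
    case "$bind" in
        ""|127.0.0.1|localhost|_local_) ;;   # unset falls back to loopback
        *) echo "FAIL: port 9200 will bind to '$bind'; comment out http.host and keep network.host: 127.0.0.1"
           findings=$((findings + 1)) ;;
    esac

    # Elasticsearch refuses to start with both of these set.
    if [ "$disc" = "single-node" ] && [ -n "$masters" ]; then
        echo "FAIL: discovery.type: single-node conflicts with cluster.initial_master_nodes: $masters; comment the latter out"
        findings=$((findings + 1))
    fi

    if [ "$sec" = "false" ]; then
        echo "FAIL: xpack.security.enabled: false leaves 9200 unauthenticated"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ] && echo "OK: loopback bind, single-node discovery, security on"
    return "$findings"
}

# Constructed sample 1: what the file looks like after following the guide
# but leaving the lines the 8.x installer appended untouched.
WEAK_CFG='network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
cluster.initial_master_nodes: ["vps01"]
http.host: 0.0.0.0
#----------------------- END SECURITY AUTO CONFIGURATION -------------------------'

# Constructed sample 2: the same file with the two offending lines commented out.
FIXED_CFG='network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
#cluster.initial_master_nodes: ["vps01"]
#http.host: 0.0.0.0'

echo "== installer defaults left in place =="
printf '%s\n' "$WEAK_CFG" | lint_es_config || echo "-> $? finding(s)"
echo "== corrected file =="
printf '%s\n' "$FIXED_CFG" | lint_es_config || echo "-> $? finding(s)"
```

The lint only reads top-level keys, which is all the installer writes for these settings; it is a pre-start sanity check, not a replacement for looking at ss once the node is running.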
5. Install Logstash
Logstash will ingest raw log files, apply filters, and forward structured events to Elasticsearch.
sudo apt install -y logstash
Create a simple pipeline that reads from Beats (Filebeat) on port 5044.
sudo nano /etc/logstash/conf.d/01-beats-input.conf
input {
  beats {
    port => 5044
  }
}
Define a filter that parses the traditional syslog format. Filebeat modules tag each event with event.module (the fileset.module field of older Filebeat releases no longer exists), so that is the field to branch on. SYSLOGBASE captures the stamp into timestamp, the host into logsource and the daemon into program and pid; the date filter then has to be told what that stamp looks like, because a traditional "Mar  5 14:22:01" stamp carries no year and is not ISO 8601.
sudo nano /etc/logstash/conf.d/02-syslog-filter.conf
filter {
  if [event][module] == "system" {
    grok {
      match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:msg}" }
    }
    date {
      # Traditional rsyslog stamps first; ISO8601 covers RFC 3339 stamps
      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
    }
  }
}
If your rsyslog writes RFC 3339 stamps (2024-03-05T14:22:01.123456+00:00 ...), SYSLOGBASE will not match and the event is tagged _grokparsefailure; use "%{TIMESTAMP_ISO8601:timestamp} %{SYSLOGHOST:logsource} %{SYSLOGPROG}: %{GREEDYDATA:msg}" instead.
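To see what that filter does to a line before committing it, here is an added example, not from the guide and not Logstash itself, that mimics the SYSLOGBASE grok with sed -E over a few constructed syslog lines and reports which date pattern each timestamp flavour needs. The sample lines, the host vps01 and the address 203.0.113.7 are made up; the field names follow the grok pattern above.

```shell
#!/bin/sh
# Added example (not from the guide, and not Logstash itself): reproduce what
# the filter above does to a line, without a running Logstash. syslog_fields
# applies the same structure as "%{SYSLOGBASE} %{GREEDYDATA:msg}" using sed -E
# and prints timestamp|logsource|program|pid|msg; lines that do not fit are
# prefixed "_grokparsefailure|", mirroring the tag Logstash would add.

syslog_fields() {
    sed -E \
        -e 's/^([A-Z][a-z]{2} +[0-9]{1,2} [0-9:]{8}|[0-9]{4}-[0-9]{2}-[0-9]{2}T[^ ]+) ([^ ]+) ([^]:[ ]+)(\[([0-9]+)\])?: (.*)$/\1|\2|\3|\5|\6/' \
        -e 't' \
        -e 's/^/_grokparsefailure|/'
}

# Which flavour of timestamp did rsyslog write? Traditional RFC 3164 stamps
# ("Mar  5 14:22:01") carry no year and are not ISO 8601.
syslog_ts_kind() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T*) echo iso8601 ;;
        [A-Z][a-z][a-z]" "*) echo traditional ;;
        *) echo unknown ;;
    esac
}

# The Logstash date-filter patterns that match each flavour.
date_pattern_for() {
    case "$1" in
        traditional) echo 'MMM  d HH:mm:ss, MMM dd HH:mm:ss' ;;
        iso8601)     echo 'ISO8601' ;;
        *)           echo 'none (event keeps its ingest time as @timestamp)' ;;
    esac
}

# Constructed sample lines (not real logs): two traditional stamps, one of
# them with a single-digit day, one RFC 3339 stamp, and one line that no
# syslog pattern fits.
SAMPLE_SYSLOG='Mar  5 14:22:01 vps01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 15 09:03:44 vps01 CRON[2048]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
2024-03-05T14:22:01.123456+00:00 vps01 systemd[1]: Started Session 42 of User root.
this line is not syslog at all'

printf '%s\n' "$SAMPLE_SYSLOG" | syslog_fields | while IFS='|' read -r ts host prog pid msg; do
    kind=$(syslog_ts_kind "$ts")
    printf 'timestamp=%s [%s -> %s]\n  logsource=%s program=%s pid=%s\n  msg=%s\n' \
        "$ts" "$kind" "$(date_pattern_for "$kind")" "$host" "$prog" "${pid:-none}" "$msg"
done
```

Run it against a few real lines from /var/log/syslog before enabling the pipeline: if most of them come back with _grokparsefailure, the host writes RFC 3339 stamps and the grok pattern needs the TIMESTAMP_ISO8601 variant.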
Finally, output to Elasticsearch. The 8.x HTTP layer is TLS-only and authenticated, so the output needs the generated CA and credentials. Keep the password out of the pipeline file by storing it in the Logstash keystore (sudo /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_PWD, which prompts for the value) and referencing it as ${ES_PWD}. Copy /etc/elasticsearch/certs/http_ca.crt to /etc/logstash/http_ca.crt and make it readable by the logstash group; the original is not readable by the logstash user. The elastic superuser is fine for a first test, but for anything that stays running create a dedicated user whose role is limited to writing filebeat-* indices.
sudo nano /etc/logstash/conf.d/03-elasticsearch-output.conf
output {
  elasticsearch {
    hosts => ["https://127.0.0.1:9200"]
    cacert => "/etc/logstash/http_ca.crt"   # newer plugin versions call this ssl_certificate_authorities
    user => "elastic"
    password => "${ES_PWD}"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}
Check that the pipelines compile (sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t), then start Logstash and enable it at boot:
sudo systemctl enable logstash
sudo systemctl start logstash
6. Install Kibana
Kibana provides a web UI to explore logs.
sudo apt install -y kibana
# Bind Kibana to all interfaces for now; once it sits behind Nginx (step 9) it goes back to 127.0.0.1
sudo nano /etc/kibana/kibana.yml
server.host: "0.0.0.0"
Do not set elasticsearch.hosts by hand. With 8.x security on, Kibana is enrolled against Elasticsearch, and the enrollment writes the HTTPS address, the CA and a service-account token into Kibana’s configuration and keystore for you. Generate a token (it is valid for 30 minutes) and enroll:
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
sudo /usr/share/kibana/bin/kibana-setup --enrollment-token <token>
Enable and start the service:
sudo systemctl enable kibana
sudo systemctl start kibana
Open http://YOUR_VPS_IP:5601 in a browser and sign in as elastic with the password printed at the end of the Elasticsearch install (reset it with sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic if you lost it; Kibana does not store it anywhere). If you skipped kibana-setup, the first visit to port 5601 shows a page that accepts the same enrollment token. Until the reverse proxy from step 9 is in place this login crosses the network as plain HTTP, so do it from a trusted network or restrict port 5601 to your own address in the firewall.
7. Install and Configure Filebeat on the Same VPS
Filebeat is a lightweight shipper that tails log files and forwards them to Logstash.
sudo apt install -y filebeat
# Enable the system module (collects /var/log/syslog, auth.log, etc.)
sudo filebeat modules enable system
Open /etc/filebeat/modules.d/system.yml and make sure the syslog and auth filesets are set to enabled: true. The output is configured in the main config file, not in the module file, and Filebeat accepts exactly one output, so comment out the default output.elasticsearch block and enable the Logstash one:
sudo nano /etc/filebeat/filebeat.yml
#output.elasticsearch:
#  hosts: ["localhost:9200"]
output.logstash:
  hosts: ["127.0.0.1:5044"]
Test the configuration and the connection to Logstash, then start the service:
sudo filebeat test config
sudo filebeat test output
sudo systemctl enable filebeat
sudo systemctl start filebeat
8. Verify the Data Flow
After a minute, log entries should appear in Kibana.
- Log into Kibana (http://YOUR_VPS_IP:5601).
- Navigate to **Discover**.
- Create a data view (Kibana 8.x’s name for an index pattern) matching filebeat-*; Kibana prompts you to create one if none exists yet.
- You should see recent syslog entries with fields like host.name, log.file.path and message, plus program and logsource from the Logstash filter.
If nothing shows up, check from the shell that an index exists (the _cat/indices/filebeat-* endpoint, queried with the same --cacert and -u elastic options as in step 4), then work backwards: journalctl -u filebeat for shipping errors and /var/log/logstash/logstash-plain.log for pipeline or authentication errors.
9. Secure the Stack
Elasticsearch and Logstash listen only on localhost, but Kibana is exposed on port 5601 over plain HTTP, so the elastic password and session cookies cross the network in the clear. Put it behind Nginx with HTTPS, then close 5601.
9.1 Install Nginx
sudo apt install -y nginx
9.2 Obtain a Free TLS Certificate
Use Certbot with Let’s Encrypt (replace example.com with a domain whose A/AAAA record points to the VPS). The webroot method below answers the HTTP-01 challenge from the stock Nginx default site, so it works before the Kibana site exists; the Ubuntu certbot package installs a systemd timer that renews the certificate automatically, as long as the challenge path stays reachable over plain HTTP (the site config in 9.3 keeps it so).
sudo apt install -y certbot
sudo certbot certonly --webroot -w /var/www/html -d example.com
9.3 Proxy Kibana Through Nginx
sudo nano /etc/nginx/sites-available/kibana
server {
    listen 80;
    server_name example.com;
    # Keep the ACME challenge path on plain HTTP so renewals keep working;
    # redirect everything else to HTTPS.
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://127.0.0.1:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
sudo ln -s /etc/nginx/sites-available/kibana /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
Now access Kibana at https://example.com. Then finish the lockdown: set server.publicBaseUrl: "https://example.com" in /etc/kibana/kibana.yml so Kibana knows its external address, change server.host back to "127.0.0.1" so the only route to it is through Nginx, restart Kibana, and remove the port 5601 rule from the firewall.
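Once the proxy is up, the quickest way to confirm that nothing else is reachable from outside is to look at what is actually listening. This added example, written for this page rather than taken from it or from the Elastic tooling, parses ss -Hltn output with awk and flags any ELK port bound to a non-loopback address; the ss listing embedded in it is a constructed sample.

```shell
#!/bin/sh
# Listener exposure audit (added example; not part of the guide). Feeds
# `ss -Hltn` output through awk and reports any ELK port bound to something
# other than loopback, which is how a stray "http.host: 0.0.0.0" or a Kibana
# still on 0.0.0.0 after the proxy is up shows itself. POSIX sh + awk.
#
# Real-host usage:  ss -Hltn | audit_listeners

# Ports this guide uses: 9200/9300 Elasticsearch, 5044 Logstash Beats input,
# 5601 Kibana. 80/443 belong to Nginx and are meant to be public.
ELK_PORTS="9200 9300 5044 5601"

# Print "port address" for every ELK port whose local address is not loopback.
# Column 4 of `ss -ltn` is Local Address:Port, e.g. 127.0.0.1:9200, [::]:5044, *:5601.
exposed_listeners() {
    awk -v ports="$ELK_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            port = $4; sub(/.*:/, "", port)
            host = $4; sub(/:[0-9]+$/, "", host)
            if (!(port in want)) next
            if (host == "127.0.0.1" || host == "[::1]") next
            printf "%s %s\n", port, host
        }'
}

# Wrap exposed_listeners in a pass/fail report; returns 1 when anything is exposed.
audit_listeners() {
    found=$(exposed_listeners)
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | while read -r port host; do
            printf 'EXPOSED: port %s is bound to %s\n' "$port" "$host"
        done
        return 1
    fi
    echo "OK: no ELK service is reachable off-host"
}

# Constructed sample of `ss -Hltn` output (not captured from a real host):
# Elasticsearch is correctly on loopback, Nginx and SSH are public on purpose,
# but Kibana and the Logstash Beats input are still listening on all interfaces.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:9200 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9300 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:5601 0.0.0.0:*
LISTEN 0 4096 [::]:5044 [::]:*'

if printf '%s\n' "$SAMPLE_SS" | audit_listeners; then
    echo "sample host passes"
else
    echo "sample host fails: move the listed services to 127.0.0.1 or firewall the port"
fi
```

The check is deliberately local: a host firewall can also block these ports, but a service bound to loopback cannot be exposed by a later firewall mistake, so the bind address is the control worth verifying. Add the port of any remote Beats input you keep open on purpose to an allow-list before running it in a cron job.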
10. Optional: Collect More Logs (Nginx, Docker containers, etc.)
Filebeat ships modules for many services. There is no Docker module in Filebeat; the Nginx module covers the reverse proxy you just set up, and Docker container logs are read with the container input. Enable the module:
sudo filebeat modules enable nginx
For container logs, add a container input to /etc/filebeat/filebeat.yml:
filebeat.inputs:
  - type: container
    paths:
      - /var/lib/docker/containers/*/*.log
Module events are parsed by ingest pipelines inside Elasticsearch. Logstash bypasses those unless its elasticsearch output forwards the pipeline name Filebeat attaches to each event (pipeline => "%{[@metadata][pipeline]}"), and the pipelines have to be loaded once with filebeat setup. That command talks to Elasticsearch directly, so it needs the 8.x TLS and credential settings; read the password into a variable first (read -rs ELASTIC_PASSWORD) rather than typing it into the command line and your shell history:
sudo filebeat setup --pipelines --modules nginx -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["https://127.0.0.1:9200"]' -E output.elasticsearch.username=elastic -E output.elasticsearch.password="$ELASTIC_PASSWORD" -E 'output.elasticsearch.ssl.certificate_authorities=["/etc/elasticsearch/certs/http_ca.crt"]'
sudo systemctl restart filebeat
Conclusion
By following these steps you now have a fully functional ELK stack on a Linux VPS, capable of ingesting, parsing, and visualizing logs from any source that ships data via Beats. Centralized logging not only accelerates incident response but also provides a historical audit trail for compliance. Keep the stack updated, monitor its memory usage, and consider scaling Elasticsearch horizontally as log volume grows.