DigitalOcean 1-Click Application Images
Contents
How To Use the DigitalOcean ELK Stack One-Click Application
How To Use the DigitalOcean ELK Stack One-Click Application
We hope you find this tutorial helpful. In addition to guides like this one, we provide simple cloud infrastructure for developers. Learn more →

How To Use the DigitalOcean ELK Stack One-Click Application

PostedJanuary 28, 2015 56k views Logging One-Click Install Apps DigitalOcean Ubuntu

This One-Click is no longer available - But you can still run ELK on DigitalOcean!

The best way to get started today is to reference one of the below tutorials, covering installation of the ELK stack (that is, Elasticsearch 2.3.x, Logstash 2.3.x, and Kibana 4.5.x) starting from a new Ubuntu or Centos server.

UBUNTU USERS: CENTOS USERS:
ELK Stack on Ubuntu How To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on Ubuntu 16.04 ELK Stack on CentOS How To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on Centos 7

The DigitalOcean ELK Stack One-Click Application provides you with a quick way to launch a centralized logging server. The ELK Stack is made up of three key pieces of software: Elasticsearch, Logstash, and Kibana. Together they allow you to collect, search, and analyze logs files from across your infrastructure. Logstash collects and parses the incoming logs, Elasticsearch indexes them, and Kibana gives you a powerful web interface to visualize the data.

This tutorial will show you how to launch an ELK instance and set up Filebeat on your other servers to send their logs to your new centralized logging server.

Creating the ELK Stack Droplet

To begin using it, simply create a droplet and specify your hostname and size. It’s recommended that you run ELK Stack on at least a 2GB droplet.

Select your desired region:

Select ELK Stack on Ubuntu 14.04 from the Applications tab:

If you use SSH keys to manage your droplets, which are more secure than passwords and are recommended, you can also specify which ones you want added to this server.

Access Your Kibana Credentials

Once your server has been spun up, you will be able to access the Kibana frontend in a web browser via its IP address. However, this has been password protected. In order to retrieve the randomly generated password, you will need to access the server via the command line.

You can log into your droplet with the following command:

ssh root@your_ip_address

If you are prompted for a password, type in the password that was emailed to you when the server was created. Alternately, if you set up the droplet with SSH keys, you can go ahead and log in without the need for a password.

Once you are logged in, you will see the message of the day (MOTD) which contains your password. It will look like this:

-------------------------------------------------------------------------------------
Thank you for using DigitalOcean's ELK Stack Application.

Your Kibana instance can be accessed at http://xxx.xxx.xx.xxx/
Your Kibana login credentials are:
Username: admin
Password: XXXXXXXXXX
-------------------------------------------------------------------------------------

Now that you have your login credentials, you can access Kibana by entering its IP address in your browser and providing your username and password.

Using Kibana

Kibana is highly configurable. You can create custom dashboards with filtered searches and visualizations of you data. By default, the ELK One-Click is set up to collect the syslog and Nginx access log from the droplet itself. So you should already have data to look at when you first login.

In order to begin viewing your data, you first must configure an index pattern. This can be done by selecting [filebeat]-YYY.MM.DD from the Index Patterns menu on the left and then clicking the Star button to set it as the default index.

Click Discover in the top navigation bar to view the logs that have already been created:

To explore more ways to visualize your data, check out the following tutorial:

Forwarding Logs

In order to send logs to your ELK server, you will need to install and configure Filebeat on your other servers. This tutorial is focused on installing it on Ubuntu, but you can also forward logs from servers running CentOS as well.

We will now configure a client server to send it's syslog to your ELK server.

Installing The SSL Certificate

In order to encrypt traffic when sending your logs to your ELK server, a self-signed SSL certificate is created on first boot. You must install this certificate on each client server. On your ELK server, run this command to copy the SSL certificate to a client server:

  • scp /etc/pki/tls/certs/logstash-forwarder.crt user@client.ip.address:/tmp

The SSL certificate will now be present in the /tmp folder on the client server. Now you must install it to the correct directory:

sudo mkdir -p /etc/pki/tls/certs
sudo cp /tmp/logstash-forwarder.crt /etc/pki/tls/certs/

Installing Filebeat

On client server, add the Logstash Forwarder repository to your APT sources and download its signing key:

  • wget -O - http://packages.elasticsearch.org/GPG-KEY-elasticsearch | sudo apt-key add -

  • echo 'deb https://packages.elastic.co/beats/apt stable main' | sudo tee /etc/apt/sources.list.d/filebeat.list

Then install the Logstash Forwarder package:

  • sudo apt-get update

  • sudo apt-get install filebeat

Next, you will want to ensure that Logstash Forwarder will automatically start on boot:

  • sudo update-rc.d filebeat defaults

Configure Filebeat

On the client server, create and edit Logstash Forwarder's configuration file, which is in YAML format:

  • sudo nano /etc/filebeat/filebeat.yml

The file will include many commented out options. Here we will use the defaults in most cases. We will configure Filebeat to connect to your ELK server on port 5044 and use the SSL certificate that you installed earlier. The paths section specifies which log files to send, and the document_type section specifies that these logs are of type "syslog" (which is the type that our filter is looking for).

Removing the commented out options and substituting in your ELK server's IP address for elk_server_IP, your Filebeat configuration would look like:

filebeat:
  prospectors:
    -
      paths:
        - /var/log/auth.log
        - /var/log/syslog
      input_type: log
      document_type: syslog
output:
  logstash:
    hosts: ["elk_server_IP:5044"]
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

Save and quit. Now restart Filebeat to put our changes into place:

sudo service filebeat restart

Now Filebeat is sending syslog to your ELK Server!

Automatically Install On New Droplets

You will need to repeat this process for all of your other existing servers that you wish to gather logs for, but you can streamline this process when you create a new server using DigitalOcean's metadata service. When creating a new droplet, you can provide a cloud-config file which will automatically configure Logstash Forwarder as your droplet first boots.

In order to do so, you must copy the contents of the SSL certificate from your ELK server. You can view the file by running:

cat /etc/pki/tls/certs/logstash-forwarder.crt

Now you can create a cloud-config file automating the steps we took above:

#cloud-config
write_files:
  - content: |
      -----BEGIN CERTIFICATE-----
      MIIDXTCCAkWsdERgfgIJAP1eIkzku0apMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
      BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
      aWRnaXRzIFB0eSBMdGQwHhcNMTQxMjA0MjExNDQ4WhcNMjQxMjAxMjExNDQ4WjBF
      MQswCQYDVQQGEwJBVTETSDFUIQUECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
      ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
      CgKCAQEAo3I1IQzaZPFHdfgSes3uqcan8EqcObLy8nFPqHn8fmLT+AfA4JnVSB6S
      dl/qYOUoKI4mFaQROhaC+VWV2E0sB42pv5jKZfC8orHTuY23eXnZFeajGVqIQhu3
      4VIv56l/nSnS30t/ryPAyDqrb+hPT1HNc92ruobTLlKl1XVgBfHqldUHVHPk99Gv
      xRLQQKg/EIZkFyGYMi770N9vR3usBuaAuPX78RmNGoiNYRAJDKJ2vvU86mGqoMow
      Bw9mICaVv94P9z8vROPHI1IZnlKKjDKqvSvfyR1J4H2hCP6yoGmYbz9DHfOqnWie
      J1u7DZ5YeIgZIy2TWqaaTVDgwjb3AwIFGWSUo1AwTjAdBgNVHQ4EFgQUXsvZ6xD7
      1PfKJbPBmYHnUsWsZ5UwHwYDVR0jBBgwFoAUXsvZ6xD71PfKJbPBmYHnUsWsZ5Uw
      DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAdqnijWlcsbk8A1L4yfQa
      Dm172P7hatN3fh4lmPoVsd5sMPmYsYOFZ6Vk9MIFg+ibeV42n+OtYb31lJq76nKF
      IYR+zuDyEAVkmZEA7Sb3zQDGH0qqC12ztiAbBw+XsD3s1a8VaqHk3AuvD35xURKK
      +fy2kbnoFZ0yFsDcr+h442PVrvShMYtKcVKquuHs8TJolON3bvZCLyK0YqHtnHPN
      QoWI5Si7ojsSnUPLBZqaSGUQu8UipMLJk+HvbbVt1purI3mH3/tB3D1gnSiTGRGD
      vXvw8/qDgPAT5fWW5OniVWUsYlNNs2irTqTSI7aBh6QPcxpmcOFkctsRTSWz/Mrz
      qQ==
      -----END CERTIFICATE-----
    path: /etc/pki/tls/certs/logstash-forwarder.crt
  - content: |
      filebeat:
        prospectors:
          -
            paths:
              - /var/log/auth.log
              - /var/log/syslog
            input_type: log
            document_type: syslog
      output:
        logstash:
          hosts: ["HOST_IP_ADDR:5044"]
          tls:
            certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
    path: /etc/filebeat/filebeat.yml
runcmd:
  - wget -O - http://packages.elasticsearch.org/GPG-KEY-elasticsearch | sudo apt-key add -
  - echo 'deb https://packages.elastic.co/beats/apt stable main' | sudo tee /etc/apt/sources.list.d/filebeat.list
  - sudo apt-get update
  - sudo apt-get install filebeat
  - sudo update-rc.d filebeat defaults
  - sudo service filebeat start

Make sure to replace the contents of the certificate with your own, including the lines with BEGIN and END, as well as the IP address of your ELK server.

Now, when creating a new droplet, you can paste this file into the Enable User Data field:

As your new server comes online, new data will start flowing to your ELK server and be visible in Kibana.

Further information

In order to process the logs it receives, Logstash needs to filter the files and extract formatted data as different log files have very different formats. These filters are installed to /etc/logstash/conf.d/ By default, the ELK Stack application has filters for syslog and for Nginx's access log. For instance, here is /etc/logstash/conf.d/10-syslog.conf

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

For more information on how to write Logstash filters, and an example Apache filter, check out this tutorial:

This One-Click is no longer available - But you can still run ELK on DigitalOcean!

The best way to get started today is to reference one of the below tutorials, covering installation of the ELK stack (that is, Elasticsearch 2.3.x, Logstash 2.3.x, and Kibana 4.5.x) starting from a new Ubuntu or Centos server.

UBUNTU USERS: CENTOS USERS:
ELK Stack on Ubuntu How To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on Ubuntu 16.04 ELK Stack on CentOS How To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on Centos 7

Tutorial Series

DigitalOcean 1-Click Application Images

This series links all of the DigitalOcean 1-Click Application images into a cohesive list. Articles are listed in the order that the images are shown on the create droplet screen. New articles are added as more application images are published.

  • How To Use the DigitalOcean One-Click to Install Redmine on Ubuntu 14.04 Image

    June 5, 2014
    ARCHIVED: We have created a one-click Redmine 2.5 installation that uses Nginx/MySQL/Ruby on Rails on Ubuntu 14.04 x64. Redmine is a free and open source project management software to assist with projects, bug-tracking. It supports a variety of version control system. Using the one click image, you will be able to get redmine up and running quickly and painlessly.

  • How To Use the WordPress One-Click Install on DigitalOcean

    May 29, 2014
    ARCHIVED: We have created a one-click Wordpress installation with permalinks enabled that uses Apache/MySQL/PHP on Ubuntu 16.04 x64.

  • How To Use the Django One-Click Install Image for Ubuntu 14.04

    May 15, 2014
    Django is a high-level Python framework for developing web applications rapidly. DigitalOcean's Django One-Click app quickly deploys a preconfigured development environment to your VPS employing Django, Nginx, Gunicorn, and Postgres.

  • How To Use the DigitalOcean Docker Application

    September 20, 2013
    ARCHIVED: So you’d like to try out Docker to create and run some services as containers? Thanks to DigitalOcean’s one-click “application” installation, you can create a droplet with Docker pre-installed, running and ready to go!

  • How to Use the DigitalOcean Dokku Application

    November 24, 2013
    We’re going to show you how simple it is to get started with step-by-step instructions. By the end, you’ll have a Heroku-style application running on a DigitalOcean Droplet, deployed via Git, and a Dokku instance ready for more.

  • How To Use the GitLab One-Click Install Image to Manage Git Repositories

    November 12, 2013
    Git is the most popular distributed version control system in the world. GitLab is a git repository management system that can be used to mange repositories, users, access, and issues from within an easy-to-use web interface. In this article, we will cover how to use DigitalOcean's one-click GitLab installation image.

  • How To Use the DigitalOcean Ghost Application for Ubuntu 16.04

    October 14, 2013
    ARCHIVED: Ghost is a light-weight open-source blogging platform. It's fully customizable and has many themes available. Using DigitalOcean's one-click Ghost application, you can create a Droplet with Ghost pre-installed and running in just a few minutes.

  • How To Use the MEAN One-Click Install Image

    September 23, 2014
    ARCHIVED: MEAN is a quick start boilerplate for creating applications based on MongoDB, Node.js, Express, and AngularJS. DigitalOcean's MEAN One-Click Application pre-installs the Mean.js implementation of the stack. It also comes with the front-end package manager bower and grunt, a tool for automating JavaScript tasks. Together, these tools provide a solid base to build your web application.

  • How to Use the DigitalOcean One-Click Drupal Image

    September 19, 2014
    ARCHIVED: We have created a one-click Drupal installation which uses Nginx, php-fpm, and MySQL on Ubuntu 14.04 x64. This tutorial will guide you through adding enhancements like the PHP 5.5 opcode cache, php-fpm, and Nginx to ensure solid performance.

  • How To Use the Magento One-Click Install Image

    October 1, 2014
    DigitalOcean's Magento One-Click application provides a quick start to building a Magento storefront on top of a LAMP stack. This tutorial will guide you through the steps to finish configuring your site, including setting your domain name and installing an SSL certificate.

  • How To Use the ownCloud One-Click Install Application

    October 29, 2014
    DigitalOcean's ownCloud One-Click application provides a quick way to set up file sharing and other cloud services on a server you control. This tutorial will guide you through the steps to finish configuring your site, including setting your domain name, installing an SSL certificate, and enabling file encryption.

  • How To Use the MongoDB One-Click Application

    February 24, 2015
    ARCHIVED: MongoDB is a highly-scalable NoSQL database with a document-based data model and an expressive query language. DigitalOcean's MongoDB One-Click application allows you to quickly spin up a droplet with MongoDB pre-installed. It aims to help get your application off the ground quickly.

  • How to use the MediaWiki One-Click Application Image

    December 22, 2014
    ARCHIVED: MediaWiki is a free and open source program that allows users to create their own personal wiki sites. This tutorial guides the user through creating and setting up a MediaWiki site using the MediaWiki One-Click Application image.

  • How To Use the DigitalOcean ELK Stack One-Click Application

    December 10, 2014
    The DigitalOcean ELK Stack One-Click Application provides you with a quick way to launch a centralized logging server. The ELK Stack is made up of three key pieces of software: Elasticsearch, Logstash, and Kibana. Together they allow you to collect, search, and analyze logs files from across your infrastructure. Logstash collects and parses the incoming logs, Elasticsearch indexes them, and Kibana gives you a powerful web interface to visualize the data.

  • How to Use the Ruby on Rails One-Click Application on DigitalOcean

    September 23, 2014
    ARCHIVED: DigitalOcean's Ruby on Rails One-click application provides a convenient way to get your Rails application running on an Ubuntu server. With Nginx, Unicorn, and Postgres all pre-installed, the One-click is a great base for hosting your app. In this tutorial, we'll show you how to create a Droplet, where to find the usernames and passwords, and how to restart the key services on the Droplet.

Spin up an SSD cloud server in under a minute.

Simple setup. Full root access. Straightforward pricing.

Deploy Server

Related Tutorials

32 Comments

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.