Logging

Open Source Log Management

The Elastic Stack (sometimes known as the ELK Stack) is the most popular open source logging platform. Here's why.

Experience logging with Elastic.

It’s Easy to Get Started With

With out-of-the-box support for common data sources and default dashboards to boot, the Elastic Stack is all about the it-just-works experience. Ship logs with Filebeat and Winlogbeat, index into Elasticsearch, and visualize it all in Kibana in minutes. Skip ahead to get started. (And if you don't see the module you need, build it or leverage the community. Open source for the win.)

You Can Watch Everything Unfold in Real Time

With Elasticsearch at the heart of the Elastic Stack, you benefit from fast response times, even at scale. Ask a question and get an answer quickly. Lather. Rinse. Repeat. Don't get stuck waiting...for dashboards...to load...


It Scales with You. Tail a Few Files, or Billions.

The experience you have on one laptop is the same you'll have on hundreds with a petabyte of data. You can skip the re-architecting headaches.

And don't worry about leaving valuable data on the floor. Ingest and index what's important to you and the decisions you need to make.

Try It Yourself

Grab a fresh installation, and start shipping and visualizing logs faster than you can microwave a burrito.
In Elasticsearch install directory:
Once Elasticsearch starts, in Elasticsearch install directory (separate window):

Note the password for elastic user as <es_pw>

Note the password for kibana user as <kibana_pw>

In Kibana install directory:

Modify config/kibana.yml to set credentials for Elasticsearch

elasticsearch.username: "kibana"
elasticsearch.password: "<kibana_pw>"
			
In Filebeat install directory:

Modify filebeat.yml to set credentials for Elasticsearch output

output.elasticsearch:
  username: "elastic"
  password: "<es_pw>"
			
What just happened?

Filebeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start viewing audit event types, accounts, and commands.

Didn't work for you?

Filebeat module assumes default log locations, unmodified file formats, and supported versions of the products generating the logs. See the documentation for more details.

In Elasticsearch install directory:
Once Elasticsearch starts, in Elasticsearch install directory (separate window):

Note the password for elastic user as <es_pw>

Note the password for kibana user as <kibana_pw>

In Kibana install directory:

Modify config/kibana.yml to set credentials for Elasticsearch

elasticsearch.username: "kibana"
elasticsearch.password: "<kibana_pw>"
			
In Filebeat install directory:

Modify filebeat.yml to set credentials for Elasticsearch output

output.elasticsearch:
  username: "elastic"
  password: "<es_pw>"
			
What just happened?

Filebeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start exploring common URLs, response codes, and user agent stats.

Didn't work for you?

Filebeat module assumes default log locations, unmodified file formats, and supported versions of the products generating the logs. See the documentation for more details.

In Elasticsearch install directory:
Once Elasticsearch starts, in Elasticsearch install directory (separate window):

Note the password for elastic user as <es_pw>

Note the password for kibana user as <kibana_pw>

In Kibana install directory:

Modify config/kibana.yml to set credentials for Elasticsearch

elasticsearch.username: "kibana"
elasticsearch.password: "<kibana_pw>"
			
In Filebeat install directory:

Modify filebeat.yml to set credentials for Elasticsearch output

output.elasticsearch:
  username: "elastic"
  password: "<es_pw>"
			
Open browser @
http://localhost:5601 (login: elastic/<es_pw>)
Open dashboard:
What just happened?

Filebeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start exploring database queries, error messages, and events over time.

Didn't work for you?

Filebeat module assumes default log locations, unmodified file formats, and supported versions of the products generating the logs. See the documentation for supported versions and configuration options.

In Elasticsearch install directory:
Once Elasticsearch starts, in Elasticsearch install directory (separate window):

Note the password for elastic user as <es_pw>

Note the password for kibana user as <kibana_pw>

In Kibana install directory:

Modify config/kibana.yml to set credentials for Elasticsearch

elasticsearch.username: "kibana"
elasticsearch.password: "<kibana_pw>"
			
In Filebeat install directory inside a Docker container:

Modify filebeat.yml to send logs enhanced with Docker metadata to Elastic

filebeat.prospectors:
  - type: log
    paths:
      - '/var/lib/docker/containers/*/*.log'
    json.message_key: log
    json.keys_under_root: true
    processors:
      - add_docker_metadata: ~
output.elasticsearch:
  hosts: ["<elasticsearch_url>:9200"]
  username: "elastic"
  password: "<es_pw>"
			
Open browser @
http://localhost:5601 (login: elastic/<es_pw>)
Go to Discover to search logs for your application or service running in Docker
What just happened?

Filebeat created an index pattern in Kibana with defined fields for logs residing in the default directory where Docker puts logs from your applications (/var/lib/docker/containers/*/*.log), and enhanced them with Docker container metadata. You can now look at logs from Docker in one central place in Kibana.

Didn't work for you?

Filebeat Docker metadata processor can be tuned further for your use case. See the documentation for more information.

In Elasticsearch install directory:
Once Elasticsearch starts, in Elasticsearch install directory (separate window):

Note the password for elastic user as <es_pw>

Note the password for kibana user as <kibana_pw>

In Kibana install directory:

Modify config/kibana.yml to set credentials for Elasticsearch

elasticsearch.username: "kibana"
elasticsearch.password: "<kibana_pw>"
			
In Filebeat install directory:

Modify filebeat.yml to set credentials for Elasticsearch output

output.elasticsearch:
  username: "elastic"
  password: "<es_pw>"
			
From your machine or wherever you run kubectl:
  • Download filebeat-kubernetes.yml
  • Edit filebeat-kubernetes.yml to point to your Elasticsearch instance with credentials
env:
  - name: ELASTICSEARCH_USERNAME
    value: elastic
  - name: ELASTICSEARCH_PASSWORD
    value: changeme
			
Open browser @
http://localhost:5601 (login: elastic/<es_pw>)
Go to Discover to search your logs
What just happened?

Filebeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start exploring your logs from your app and services running in Kubernetes.

Didn't work for you?

Filebeat module assumes default log locations, unmodified file formats, and supported versions of the products generating the logs. See the documentation for supported versions and configuration options.
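
The env block in the Kubernetes steps above puts the Elasticsearch password in the manifest as a literal (changeme). As an added example, not part of the original page or of Elastic's manifest, the same two variables can be read from a Kubernetes Secret instead; the Secret name filebeat-es-credentials is an assumption chosen for illustration.

```yaml
# Before (as shown on this page): the password is a literal in the manifest,
# so anyone who can read the manifest or the pod spec can read the password.
#
# env:
#   - name: ELASTICSEARCH_USERNAME
#     value: elastic
#   - name: ELASTICSEARCH_PASSWORD
#     value: changeme

# After, part 1: keep the credentials in a Secret.
# "filebeat-es-credentials" is a hypothetical name. Create the Secret in the
# same namespace as the Filebeat pods, and keep this file out of version control.
apiVersion: v1
kind: Secret
metadata:
  name: filebeat-es-credentials
type: Opaque
stringData:
  username: elastic
  password: "<es_pw>"   # placeholder from this page, not a real value
---
# After, part 2: fragment of the Filebeat container spec in
# filebeat-kubernetes.yml (a fragment, not a complete object).
# The variable names stay the same, so the rest of the manifest is unchanged.
env:
  - name: ELASTICSEARCH_USERNAME
    valueFrom:
      secretKeyRef:
        name: filebeat-es-credentials
        key: username
  - name: ELASTICSEARCH_PASSWORD
    valueFrom:
      secretKeyRef:
        name: filebeat-es-credentials
        key: password
```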

Download Elasticsearch MSI installer, Kibana.zip file, and Winlogbeat .zip file.

Run through the Elasticsearch MSI installer (leave X-Pack checked)

In Elasticsearch install directory:

Note the password for elastic user as <es_pw>

Note the password for kibana user as <kibana_pw>

Extract the contents of Kibana zip file, and in that directory:

Modify kibana.yml to set credentials for Elasticsearch

elasticsearch.username: "kibana"
elasticsearch.password: "<kibana_pw>"
			
Extract the contents of Winlogbeat zip file, and in that directory:

Modify winlogbeat.yml to set credentials for Elasticsearch output

output.elasticsearch:
  username: "elastic"
  password: "<es_pw>"
			
Open browser @
http://localhost:5601 (login: elastic/<es_pw>)
Open dashboard:
"Winlogbeat Dashboard"
What just happened?

Winlogbeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start exploring Windows event log information.

Didn't work for you?

Winlogbeat module assumes default settings for Windows event logging. See the documentation for supported versions and configuration options.

In Elasticsearch install directory:
Once Elasticsearch starts, in Elasticsearch install directory (separate window):

Note the password for elastic user as <es_pw>

Note the password for kibana user as <kibana_pw>

In Kibana install directory:

Modify config/kibana.yml to set credentials for Elasticsearch

elasticsearch.username: "kibana"
elasticsearch.password: "<kibana_pw>"
			
In Filebeat install directory:

Modify filebeat.yml to set credentials for Elasticsearch output

output.elasticsearch:
  username: "elastic"
  password: "<es_pw>"
			
Open browser @
http://<kibana_url>:5601 (login: elastic/<es_pw>)
Go to Discover to search your app logs
What just happened?

Filebeat created an index pattern in Kibana with defined fields for logs residing in the default path directory (/var/log). You can change the path in the filebeat.yml config file. You can now look at logs in one central place in Kibana.

Didn’t work for you?

See documentation for how to configure Filebeat to look at other files and directories.

  • Register, if you do not already have an account
  • Log into the Elastic Cloud console
To create a cluster, in Elastic Cloud console:
  • Select Create Cluster, leave size slider at 4 GB RAM, and click Create
  • Note the Cloud ID as <cloud.id>
  • Note the cluster Password as <password>
  • In Overview >> Endpoints section note Kibana URL as <kibana_url>
  • Wait until cluster plan completes

Download and unpack Filebeat

In Filebeat install directory:

Modify filebeat.yml to set credentials for Elasticsearch output

output.elasticsearch:
  username: "elastic"
  password: "<password>"
				

Open browser @
http://<kibana_url>:5601 (login: elastic/<password>)
Open dashboard:
"[Filebeat System] Syslog dashboard"
What just happened?

Filebeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start viewing audit event types, accounts, and commands.

Didn't work for you?

Filebeat module assumes default log locations, unmodified file formats, and supported versions of the products generating the logs. See the documentation for more details.

  • Register, if you do not already have an account
  • Log into the Elastic Cloud console
To create a cluster, in Elastic Cloud console:
  • Select Create Cluster, leave size slider at 4 GB RAM, and click Create
  • Note the Cloud ID as <cloud.id>
  • Note the cluster Password as <password>
  • In Overview >> Endpoints section note Kibana URL as <kibana_url>
  • Wait until cluster plan completes

Download and unpack Filebeat

In Filebeat install directory:

Modify filebeat.yml to set credentials for Elasticsearch output

output.elasticsearch:
  username: "elastic"
  password: "<password>"
			
Open browser @
http://<kibana_url>:5601 (login: elastic/<password>)
Open dashboard:
"[Filebeat Apache2] Access and error logs"
What just happened?

Filebeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start exploring common URLs, response codes, and user agent stats.

Didn't work for you?

Filebeat module assumes default log locations, unmodified file formats, and supported versions of the products generating the logs. See the documentation for more details.

  • Register, if you do not already have an account
  • Log into the Elastic Cloud console
To create a cluster, in Elastic Cloud console:
  • Select Create Cluster, leave size slider at 4 GB RAM, and click Create
  • Note the Cloud ID as <cloud.id>
  • Note the cluster Password as <password>
  • In Overview >> Endpoints section note Kibana URL as <kibana_url>
  • Wait until cluster plan completes

Download and unpack Filebeat

In Filebeat install directory:

Modify filebeat.yml to set credentials for Elasticsearch output

output.elasticsearch:
  username: "elastic"
  password: "<password>"
				
Open browser @
http://<kibana_url>:5601 (login: elastic/<password>)
Open dashboard:
"[Filebeat MySQL] Overview"
What just happened?

Filebeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start exploring database queries, error messages, and events over time.

Didn't work for you?

Filebeat module assumes default log locations, unmodified file formats, and supported versions of the products generating the logs. See the documentation for supported versions and configuration options.

  • Register, if you do not already have an account
  • Log into the Elastic Cloud console
To create a cluster, in Elastic Cloud console:
  • Select Create Cluster, leave size slider at 4 GB RAM, and click Create
  • Note the Cloud ID as <cloud.id>
  • Note the cluster Password as <password>
  • In Overview >> Endpoints section note Kibana URL as <kibana_url>
  • Wait until cluster plan completes

Download and unpack Filebeat

In Filebeat install directory:

Modify filebeat.yml to send logs enhanced with Docker metadata to Elastic

filebeat.prospectors:
  - type: log
    paths:
      - '/var/lib/docker/containers/*/*.log'
    json.message_key: log
    json.keys_under_root: true
    processors:
      - add_docker_metadata: ~
output.elasticsearch:
  hosts: ["<elasticsearch_url>:9200"]
  username: "elastic"
  password: "<password>"
				
Open browser @
http://<kibana_url>:5601 (login: elastic/<password>)
Go to Discover to search logs for your application or service running in Docker
What just happened?

Filebeat created an index pattern in Kibana with defined fields for logs residing in the default directory where Docker puts logs from your applications (/var/lib/docker/containers/*/*.log), and enhanced them with Docker container metadata. You can now look at logs from Docker in one central place in Kibana.

Didn't work for you?

Filebeat Docker metadata processor can be tuned further for your use case. See the documentation for more information.

  • Register, if you do not already have an account
  • Log into the Elastic Cloud console
To create a cluster, in Elastic Cloud console:
  • Select Create Cluster, leave size slider at 4 GB RAM, and click Create
  • Note the Cloud ID as <cloud.id>
  • Note the cluster Password as <password>
  • In Overview >> Endpoints section note Kibana URL as <kibana_url>
  • Wait until cluster plan completes

Download and unpack Filebeat

In Filebeat install directory:

Modify filebeat.yml to set credentials for Elasticsearch output

output.elasticsearch:
  username: "elastic"
  password: "<password>"
				

From your machine or wherever you run kubectl:

env:
  - name: ELASTICSEARCH_USERNAME
    value: elastic
  - name: ELASTICSEARCH_PASSWORD
    value: changeme
				
Open browser @
http://<kibana_url>:5601 (login: elastic/<password>)
Go to Discover to search your logs
What just happened?

Filebeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start exploring your logs from your app and services running in Kubernetes.

Didn't work for you?

Filebeat module assumes default log locations, unmodified file formats, and supported versions of the products generating the logs. See the documentation for more details.

  • Register, if you do not already have an account
  • Log into the Elastic Cloud console
To create a cluster, in Elastic Cloud console:
  • Select Create Cluster, leave size slider at 4 GB RAM, and click Create
  • Note the Cloud ID as <cloud.id>
  • Note the cluster Password as <password>
  • In Overview >> Endpoints section note Kibana URL as <kibana_url>
  • Wait until cluster plan completes

Download Winlogbeat .zip file.

Extract the contents of Winlogbeat zip file, and in that directory:

Modify winlogbeat.yml to set credentials for Elasticsearch output

output.elasticsearch:
  username: "elastic"
  password: "<password>"
				
Open browser @
http://<kibana_url>:5601 (login: elastic/<password>)
Open dashboard:
"Winlogbeat Dashboard"
What just happened?

Winlogbeat created an index pattern in Kibana with defined fields, searches, visualizations, and dashboards. In a matter of minutes you can start exploring Windows event log information.

Didn't work for you?

Winlogbeat module assumes default settings for Windows event logging. See the documentation for supported versions and configuration options.

  • Register, if you do not already have an account
  • Log into the Elastic Cloud console
To create a cluster, in Elastic Cloud console:
  • Select Create Cluster, leave size slider at 4 GB RAM, and click Create
  • Note the Cloud ID as <cloud.id>
  • Note the cluster Password as <password>
  • In Overview >> Endpoints section note Kibana URL as <kibana_url>
  • Wait until cluster plan completes

Download and unpack Filebeat

In Filebeat install directory:

Modify filebeat.yml to set credentials for Elasticsearch output

output.elasticsearch:
  username: "elastic"
  password: "<password>"
				
Open browser @
http://<kibana_url>:5601 (login: elastic/<password>)
Go to Discover to search your app logs
What just happened?
Filebeat created an index pattern in Kibana with defined fields for logs residing in the default path directory (/var/log). You can change the path in the filebeat.yml config file. You can now look at logs in one central place in Kibana.
Didn't work for you?

See documentation for how to configure Filebeat to look at other files and directories.

Add Machine Learning to Automate Anomaly Detection

You shouldn't have to attend to every log message or transaction — just the ones that are important or noteworthy.

Elastic's machine learning features extend the Elastic Stack to automatically model the behavior of your Elasticsearch data and alert you on issues in real time.

Don't Just Take Our Word for It

At telecommunications giant Sprint, sysadmins used to comb through logs, run shell scripts, and grep for what they knew. Now, they use Elastic to quickly troubleshoot performance issues, improve customer satisfaction, simplify B2B relationships, and streamline retail systems.

They're not the only ones managing security events with Elastic. Explore more customer examples.

There's Life Beyond Logs

Have metrics? Proxy or firewall logs? Documents with tons of text? Centralize it all into the Elastic Stack to enrich your analyses, lower operational costs, and simplify your architecture.

Metrics

Do the numbers: CPU, memory, and more.


Site Search

Easily create a great search experience for your site.


Security Analytics

Interactive investigation at speed and scale.


APM

Get insight into your application performance.


App Search

Search across documents, geo data, and more.
