ELK stack cheatsheet
Services and ports
| Check | Description |
|---|---|
| `systemctl status elasticsearch logstash filebeat` | All three services |
| `ss -tlnp \| grep -E '9200\|5044'` | ES HTTP (9200), Logstash Beats (5044); `-p` only shows process names as root |
| `curl -s localhost:9200` | ES cluster info JSON |
| `curl -s "localhost:9200/_cluster/health?pretty"` | green / yellow / red |

Elasticsearch 8.x ships with security enabled: 9200 serves HTTPS and rejects unauthenticated requests, so on such a node the `curl` calls on this page need `https://`, `-u user:password` and `--cacert /etc/elasticsearch/certs/http_ca.crt` (or `-k` on a throwaway test box).
Elasticsearch API
```sh
curl -s "localhost:9200/_cat/indices?v"                      # list indices
curl -s "localhost:9200/_cat/shards?v"                       # shard allocation
curl -s "localhost:9200/_cat/nodes?v"                        # cluster nodes
curl -s "localhost:9200/logs-*/_search?size=5&pretty"        # search recent logs (quote the URL: an unquoted & backgrounds the command and * is a shell glob)
curl -s "localhost:9200/_cluster/allocation/explain?pretty"  # why a shard is unassigned
```
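As an added example (not from the page or from Elastic), a POSIX sh check that reads the `_cluster/health` JSON and maps it to a monitoring-style exit status. The JSON below is constructed; `es_get` (not called here, it needs a live cluster) shows how the same call looks against an 8.x node with security enabled. `ES_URL`, `ES_NETRC` and `ES_CACERT` are this example's own variable names.

```sh
#!/bin/sh
# Added example, not from the page: turn _cluster/health JSON into a check
# with an exit status, and show a secured-cluster curl wrapper.

ES_URL="${ES_URL:-https://localhost:9200}"
ES_NETRC="${ES_NETRC:-$HOME/.netrc}"    # "machine localhost login elastic password ..." keeps creds off the ps listing
ES_CACERT="${ES_CACERT:-/etc/elasticsearch/certs/http_ca.crt}"   # CA written by the 8.x package install

# Not called in this example (needs a live cluster): es_get _cluster/health
es_get() {
  curl -sS -f --netrc-file "$ES_NETRC" --cacert "$ES_CACERT" "$ES_URL/$1"
}

# Constructed sample: what a single-node cluster with replicas configured returns
SAMPLE_HEALTH='{"cluster_name":"elk","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":5,"active_shards":5,"unassigned_shards":5,"active_shards_percent_as_number":50.0}'

# Extract the scalar value of key $2 from the flat JSON in $1 (enough for _cluster/health; use jq when installed)
json_field() {
  printf '%s\n' "$1" | sed -En 's/.*"'"$2"'":"?([^",}]*)"?.*/\1/p'
}

# Exit status for a monitoring check: 0 ok, 1 warning, 2 critical
es_health_rc() {
  status=$(json_field "$1" status)
  nodes=$(json_field "$1" number_of_nodes)
  unassigned=$(json_field "$1" unassigned_shards)
  case "$status" in
    green) echo "OK: green"; return 0 ;;
    yellow)
      # Replicas cannot be placed on the only node: expected, not data loss
      if [ "$nodes" = 1 ]; then
        echo "OK: yellow on a single-node cluster ($unassigned unassigned replica shards)"; return 0
      fi
      echo "WARNING: yellow, $unassigned unassigned shards across $nodes nodes (see _cluster/allocation/explain)"; return 1 ;;
    red) echo "CRITICAL: red, at least one primary shard is unassigned and its data is unavailable"; return 2 ;;
    *) echo "UNKNOWN: no status in response (authentication failure or wrong URL?)"; return 2 ;;
  esac
}

es_health_rc "$SAMPLE_HEALTH"
```

The `*` branch matters on 8.x: an unauthenticated request returns an error document instead of a health document, and a check that only greps for `green` would silently pass nothing.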
Filebeat config snippet
```yaml
filebeat.inputs:
  - type: log          # deprecated since Filebeat 7.16; new setups should use type: filestream
    enabled: true
    paths:
      - /var/log/nginx/access.log
      - /var/log/nginx/error.log

output.logstash:
  hosts: ["logstash-host:5044"]

# Direct to ES (no Logstash). Overriding index also requires setup.template.name
# and setup.template.pattern; against ES 8.x add https, username/password (or
# api_key) and ssl.certificate_authorities.
# output.elasticsearch:
#   hosts: ["localhost:9200"]
#   index: "nginx-%{+yyyy.MM.dd}"
```
Logstash pipeline snippet
```conf
input {
  beats {
    port => 5044
  }
}

filter {
  # error.log lines never match COMBINEDAPACHELOG; guard this grok with a
  # conditional on the source file, or give error.log its own input and tag
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  # Parse the request timestamp into @timestamp so events are indexed by event time, not ingest time
  date {
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "nginx-access-%{+YYYY.MM.dd}"
    # ES 8.x: also set user/password (or api_key) and the CA certificate for TLS
  }
  # stdout { codec => rubydebug }   # debug only: dumps every full event to Logstash's stdout/journal
}
```
Filebeat commands
| Command | Description |
|---|---|
| `filebeat test config` | Validate filebeat.yml |
| `filebeat test output` | Test Logstash/ES connectivity (DNS, firewall, TLS handshake) |
| `filebeat modules list` | Available modules |
| `filebeat modules enable nginx` | Enable nginx module |
| `filebeat setup` | Load index templates, ILM policy and dashboards; needs a direct ES connection, so with a Logstash output run it once with `-E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'` |
Logstash commands
| Command | Description |
|---|---|
| `/usr/share/logstash/bin/logstash -t` | Test config syntax; add `--path.settings /etc/logstash` so it reads pipelines.yml, or `-f /etc/logstash/conf.d/` for the pipeline files directly |
| `/usr/share/logstash/bin/logstash -e 'input { stdin {} } output { stdout {} }'` | Quick stdin test |
| `journalctl -u logstash -f` | Pipeline errors live |
Useful Query DSL
# POST localhost:9200/logs-*/_search (send the body with `Content-Type: application/json`; ES rejects other content types)

```json
{
  "query": {
    "bool": {
      "must": [
        { "match": { "message": "error" } },
        { "range": { "@timestamp": { "gte": "now-1h" } } }
      ]
    }
  },
  "size": 20,
  "sort": [{ "@timestamp": "desc" }]
}
```
Index maintenance
```sh
# Delete indices older than 30 days (example: verify the names first with _cat/indices/logs-2024.05.*)
# Wildcard deletes are refused unless action.destructive_requires_name is false
# (it defaults to true since ES 8.0); prefer an ILM delete phase over hand-run DELETEs.
curl -X DELETE "localhost:9200/logs-2024.05.*"
# Force merge (off-peak only, and only on indices that no longer receive writes: it is I/O heavy and not reversible)
curl -X POST "localhost:9200/logs-2024.06.24/_forcemerge?max_num_segments=1"
```
Pro tips
- Yellow on a single-node cluster is normal: unassigned replicas, not data loss (set `number_of_replicas: 0` in the index template if you want green)
- Test Logstash with `stdout { codec => rubydebug }` before wiring the Elasticsearch output
- `filebeat test output` catches firewall/DNS/TLS issues faster than reading logs
- Use daily indices + ILM instead of one giant index
- Grok failures add the `_grokparsefailure` tag: search for it (`tags:_grokparsefailure`) when fields are missing
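The pipeline's grok and date filters, as an added example in POSIX sh (not Logstash code and not from the page): it applies an ERE equivalent of `%{COMBINEDAPACHELOG}` to constructed nginx lines, converts the timestamp the way the `date` filter does, and tags whatever does not match with `_grokparsefailure`, which is the tag the pro tip above tells you to search for. It uses the legacy field names (`clientip`, `verb`, `request`, ...); Logstash 8 with `ecs_compatibility` enabled emits ECS names such as `[http][request][method]` instead. The third sample line is an nginx error.log entry: shipping error.log through the access-log pattern, as the Filebeat snippet above does, is a common source of these failures.

```sh
#!/bin/sh
# Added example, not from the page or from Logstash: emulate the grok
# (%{COMBINEDAPACHELOG}) and date filters with sed -E, so parse failures and
# the _grokparsefailure tag can be seen without a running Logstash.

SEP=$(printf '\037')   # unit separator: a field delimiter that never appears in a log line

# ERE equivalent of COMBINEDAPACHELOG. sed allows only \1..\9, so ident and auth
# are matched but not captured. Groups: 1 clientip 2 timestamp 3 verb 4 request
# 5 httpversion 6 response 7 bytes 8 referrer 9 agent
COMBINED='^([^ ]+) [^ ]+ [^ ]+ \[([^]]+)\] "([A-Z]+) ([^ "]+) HTTP/([0-9.]+)" ([0-9]{3}) ([0-9]+|-) "([^"]*)" "([^"]*)"$'

# What the date filter does: "24/Jun/2024:10:15:32 +0000" -> "2024-06-24T10:15:32+0000"
httpdate_to_iso() {
  case "$(printf '%s\n' "$1" | cut -d/ -f2)" in
    Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
    Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) return 1;;
  esac
  printf '%s\n' "$1" | sed -E 's#^([0-9]{2})/[A-Za-z]{3}/([0-9]{4}):([0-9:]{8}) ([+-][0-9]{4})$#\2-'"$m"'-\1T\3\4#'
}

# Parse one access-log line. Prints key=value fields and returns 0 on a match;
# otherwise prints the event with tags=_grokparsefailure, as Logstash would, and returns 1.
grok_line() {
  fields=$(printf '%s\n' "$1" |
    sed -En "s#$COMBINED#\\1$SEP\\2$SEP\\3$SEP\\4$SEP\\5$SEP\\6$SEP\\7$SEP\\8$SEP\\9#p")
  if [ -z "$fields" ]; then
    printf 'tags=_grokparsefailure message="%s"\n' "$1"
    return 1
  fi
  # Split on SEP only (IFS is scoped to this read), so empty referrer/agent fields stay in place
  IFS=$SEP read -r clientip ts verb request httpversion response bytes referrer agent <<EOF
$fields
EOF
  printf 'clientip=%s @timestamp=%s verb=%s request=%s response=%s bytes=%s agent="%s"\n' \
    "$clientip" "$(httpdate_to_iso "$ts")" "$verb" "$request" "$response" "$bytes" "$agent"
}

# Count the events in a newline-separated batch that would carry _grokparsefailure
grok_failures() {
  printf '%s\n' "$1" | while IFS= read -r line; do grok_line "$line" || true; done | grep -c _grokparsefailure
}

# Constructed sample: two access.log lines and one error.log line that the access-log pattern cannot parse
SAMPLE_LOG='203.0.113.7 - - [24/Jun/2024:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jun/2024:10:16:01 +0000] "POST /wp-login.php HTTP/1.1" 403 153 "http://example.test/" "curl/8.0"
2024/06/24 10:16:05 [error] 1234#1234: *7 open() failed (2: No such file or directory)'

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do grok_line "$line" || true; done
echo "grok failures: $(grok_failures "$SAMPLE_LOG")"
```

Run it and the error.log line comes out as `tags=_grokparsefailure message="..."` while the two access lines are split into fields; that is exactly what a `tags:_grokparsefailure` search in the index would surface, and the fix is in the pipeline (a conditional or a separate input), not in the pattern.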
Practice scenarios
Hands-on ELK Stack scenarios on live Linux VMs: elk