A comprehensive learning resource for mastering Elasticsearch, Logstash, and Kibana (ELK Stack) with hands-on tutorials, configuration examples, and best practices for search, analytics, and observability implementations.
- About This Repository
- ELK Stack Components
- Getting Started
- Core Concepts
- Use Cases
- Installation & Setup
- Learning Paths
- Advanced Topics
- Course Recommendations
- Contributing
This repository serves as a complete learning hub for the Elastic Stack (ELK), covering:
β
Elasticsearch fundamentals - Indexing, querying, and optimization
β
Search & Analytics - Building search relevance and behavioral analytics
β
Observability - Monitoring logs, metrics, traces, and infrastructure
β
Production deployments - Architecture, scaling, and high availability
β
Real-world examples - Configuration files, integration guides, and use cases
Whether you're a newcomer to log management or preparing for Elastic certification exams, this resource provides structured learning with practical, executable examples.
The powerful search and analytics engine at the heart of the stack.
Key capabilities:
- Full-text search with relevance ranking
- Near real-time data indexing and retrieval
- Distributed architecture for horizontal scaling
- Advanced aggregations for analytics
- RESTful JSON API
- Built-in security (authentication, encryption, RBAC)
Use in this repo: Index management, query DSL examples, mapping strategies
The data processing and enrichment pipeline.
Key capabilities:
- Multi-source data collection (logs, metrics, events)
- Powerful filtering and transformation
- Output flexibility (Elasticsearch, databases, message queues)
- Over 200 built-in plugins
- Conditional processing logic
Use in this repo: Configuration examples for common log sources, filter patterns, parsing strategies
The visualization and exploration interface.
Key capabilities:
- Interactive dashboards and visualizations
- Discover UI for ad-hoc data exploration
- Advanced alerting and anomaly detection
- ES|QL query language for powerful searches
- Canvas for custom reporting
Use in this repo: Dashboard examples, visualization patterns, monitoring setup
Before diving into this learning resource, ensure you have:
- Linux/macOS/Windows with Docker or native Java 11+ installed
- Basic command-line proficiency
- Understanding of JSON format
- 2GB+ RAM for local development setup
# Clone this repository
git clone https://github.com/mirajgodha/elastic-stack.git
cd elastic-stack
# Deploy ELK Stack with Docker
docker-compose up -d
# Verify installation
curl http://localhost:9200
curl http://localhost:5601 # Kibana at http://localhost:5601For Ubuntu/Debian-based systems:
# Install Elasticsearch
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | \
sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update
sudo apt-get install elasticsearch kibana logstash
# Start services
sudo systemctl start elasticsearch
sudo systemctl start kibana
sudo systemctl start logstashVerification:
- Elasticsearch:
curl http://localhost:9200β Returns cluster info - Kibana: Visit
http://localhost:5601in your browser - Logstash: Check
/var/log/logstash/logstash-plain.log
Elasticsearch stores data as JSON documents organized in indices (analogous to database tables):
{
"user": "john_doe",
"timestamp": "2025-01-10T14:30:00Z",
"action": "login",
"ip_address": "192.168.1.1",
"response_time_ms": 145
}Key concepts:
- Index: Logical container for documents (e.g.,
logs-2025-01-10) - Document: Individual record with unique
_id - Shard: Physical partition of an index for scaling
- Replica: Copy of a shard for fault tolerance
- Mapping: Schema defining field types and analyzers
Elasticsearch uses a powerful, flexible query syntax:
{
"query": {
"bool": {
"must": [
{ "match": { "action": "login" } }
],
"filter": [
{ "range": { "timestamp": { "gte": "2025-01-01" } } },
{ "term": { "status": "success" } }
]
}
}
}Common query types:
match- Full-text search with scoringterm- Exact value matchingrange- Numeric or date range filteringbool- Combine multiple queries with AND/OR logicaggregation- Group and summarize data
Text fields go through analysis to break into searchable tokens:
Input: "The quick brown fox"
β (Tokenizer)
["The", "quick", "brown", "fox"]
β (Token filters)
["the", "quick", "brown", "fox"] # lowercased
Proper analyzer configuration improves search relevance.
Centralize logs from all applications and infrastructure for real-time visibility:
What you'll learn:
- Collecting logs via Filebeat/Logstash from servers
- Parsing structured and unstructured logs
- Creating observability dashboards
- Setting up alerts for critical errors
- Troubleshooting performance issues
Example workflow:
Nginx logs β Filebeat β Logstash (parse) β Elasticsearch β Kibana dashboard
Build powerful search engines with intelligent relevance and behavioral insights:
What you'll learn:
- Creating search indices with proper mappings
- Implementing full-text search with relevance tuning
- Building behavioral analytics dashboards
- Analyzing search query patterns
- Improving search results with synonyms and boosting
Example dashboard metrics:
- Query volume and trends
- Click-through rates (CTR)
- Top search queries
- Search abandonment rates
- Result relevance metrics
Monitor the health and performance of your entire stack:
What you'll learn:
- Collecting metrics from hosts, containers, and Kubernetes
- Application Performance Monitoring (APM)
- Distributed tracing with OpenTelemetry
- Infrastructure health dashboards
- Alerting on anomalies and performance degradation
Key metrics tracked:
- CPU, memory, disk utilization
- Network I/O and latency
- Application response times
- Error rates and exceptions
- Database query performance
Detect and respond to security threats with log analysis:
What you'll learn:
- Parsing security logs (firewall, IDS, authentication)
- Detecting suspicious patterns
- Building threat intelligence dashboards
- Creating security alerts
- Compliance reporting
For real-world deployments, consider this architecture:
βββββββββββββββββββββββββββββββββββββββββββββββββββ
β Data Sources β
β (Apps, Servers, Containers, APIs) β
ββββββββββββββββββββ¬βββββββββββββββββββββββββββββββ
β
ββββββββββββΌβββββββββββ
β Data Collection β
β (Filebeat/Metricbeatβ
β /Logstash) β
ββββββββββββ¬βββββββββββ
β
ββββββββββββββββΌβββββββββββββββ
β Elasticsearch Cluster β
β ββββββββββββββββββββββββββ β
β β Node 1 (Master+Data) β β
β β Node 2 (Master+Data) β β
β β Node 3 (Master+Data) β β
β ββββββββββββββββββββββββββ β
β (Sharding & Replication) β
ββββββββββββββββ¬βββββββββββββββ
β
ββββββββββββββββΌβββββββββββββββ
β Kibana (Visualization) β
β Alerting & Reporting β
βββββββββββββββββββββββββββββββ
# Cluster settings
cluster.name: production-cluster
cluster.initial_master_nodes:
- node-1
- node-2
- node-3
# Node settings
node.name: node-1
node.roles: [master, data, ingest]
# Memory allocation (JVM)
# Edit jvm.options: -Xms4g -Xmx4g (50% of total RAM, max 32GB)
# Network
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
# Index settings
index.number_of_shards: 5
index.number_of_replicas: 1
# Security (X-Pack)
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
# Performance
indices.memory.index_buffer_size: 40%
thread_pool.search.queue_size: 1000input {
beats {
port => 5000
codec => json
}
}
filter {
# Parse timestamps
date {
match => [ "timestamp", "ISO8601" ]
target => "@timestamp"
}
# Extract fields
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
# Filter out noise
if [status] =~ /^(200|304)$/ and [request_path] =~ /^\/(health|ping)$/ {
drop { }
}
# Add enrichment
geoip {
source => "client_ip"
}
# Mutate
mutate {
convert => { "response_time" => "integer" }
remove_field => [ "message" ]
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "logs-%{+YYYY.MM.dd}"
user => "logstash_user"
password => "${LOGSTASH_PASSWORD}"
}
}
Create index templates for automated index management:
{
"index_patterns": ["logs-*"],
"settings": {
"number_of_shards": 3,
"number_of_replicas": 1,
"index.lifecycle.name": "log-retention-policy"
},
"mappings": {
"properties": {
"@timestamp": { "type": "date" },
"level": { "type": "keyword" },
"message": { "type": "text" },
"service": { "type": "keyword" },
"duration_ms": { "type": "long" }
}
}
}Perfect for DevOps engineers, system administrators, and platform teams.
Week 1-2: Fundamentals
- ELK Stack architecture and components
- Elasticsearch basics (indexing, querying, mapping)
- Installing and configuring Elasticsearch locally
Week 3-4: Data Collection
- Filebeat for log shipping
- Logstash pipeline creation and filters
- Parsing common log formats (JSON, syslog, Apache)
Week 5-6: Observability
- Creating operational dashboards in Kibana
- Setting up alerts for critical metrics
- Using ES|QL for advanced searching
- Monitoring log sources and pipelines
Week 7-8: Advanced Operations
- Cluster management and scaling
- Index lifecycle management (ILM)
- Performance tuning and optimization
- Backup and recovery strategies
Week 9-12: Production Deployment
- Security hardening and authentication
- High-availability architecture
- Disaster recovery planning
- Real-world case studies and troubleshooting
Capstone Project: Deploy a fully monitored multi-tier application stack
Ideal for search engineers, data engineers, and product teams.
Week 1-3: Elasticsearch Fundamentals
- Advanced query DSL
- Relevance tuning and scoring
- Custom analyzers and tokenization
- Aggregations and metrics
Week 4-5: Search Application Development
- Building search indices
- Implementing autocomplete and suggestions
- Typo tolerance and fuzzy matching
- Search result ranking and personalization
Week 6-7: Analytics & Insights
- Behavioral analytics implementation
- Query and click-through analytics
- Building custom dashboards
- A/B testing search changes
Week 8-10: Performance Optimization
- Query optimization techniques
- Index optimization strategies
- Caching and performance tuning
- Capacity planning and scaling
Week 11-14: Advanced Features
- Machine learning for anomaly detection
- Semantic search with vector embeddings
- Search quality metrics and monitoring
- Production search systems architecture
Capstone Project: Build a search application with analytics and relevance optimization
Designed for SREs, infrastructure engineers, and operations teams.
Week 1-2: Observability Foundations
- Three pillars of observability (logs, metrics, traces)
- OpenTelemetry integration
- Telemetry collection strategies
Week 3-5: Metrics & Infrastructure Monitoring
- Metricbeat for infrastructure metrics
- Prometheus to Elasticsearch integration
- Host and container monitoring
- Resource utilization dashboards
Week 6-8: Logs & Event Data
- Advanced log parsing and enrichment
- Structured logging best practices
- Anomaly detection with Elastic ML
- Root cause analysis workflows
Week 9-11: Distributed Tracing & APM
- Application Performance Monitoring setup
- OpenTelemetry instrumentation
- Trace sampling strategies
- Service dependency mapping
Week 12-16: Incident Response & SLOs
- Alert design and tuning
- Runbook integration
- Service Level Objectives (SLOs)
- On-call automation and escalation
- Post-incident analysis
Capstone Project: Design a complete observability platform for microservices
Problem: Slow queries impacting dashboard performance
Solutions in this repo:
- Query profiling techniques
- Index design for query performance
- Filter cache optimization
- Query DSL best practices
- Pagination strategies
# Profile a query
curl -X GET "localhost:9200/logs-*/_search?pretty" \
-H 'Content-Type: application/json' \
-d '{
"profile": true,
"query": { "match": { "message": "error" } }
}'Automate index rollover, optimization, and deletion:
{
"policy": "log-retention",
"phases": {
"hot": {
"min_age": "0d",
"actions": {
"rollover": { "max_primary_shard_size": "50GB" }
}
},
"warm": {
"min_age": "7d",
"actions": {
"set_priority": { "priority": 50 }
}
},
"cold": {
"min_age": "30d",
"actions": {
"searchable_snapshot": {}
}
},
"delete": {
"min_age": "90d",
"actions": {
"delete": {}
}
}
}
}Key metrics to track:
- Cluster health status (green/yellow/red)
- Unassigned shards
- Active shards per node
- JVM heap usage
- Indexing rate and latency
- Query latency percentiles
# Monitor cluster health
curl -X GET "localhost:9200/_cluster/health?pretty"
# Get detailed stats
curl -X GET "localhost:9200/_nodes/stats?pretty"Components:
- Role-based access control (RBAC)
- User authentication
- Index-level security
- Field-level security
- Audit logging
# Create a read-only user for monitoring
POST /_security/user/monitoring_user
{
"password": "secure_password",
"roles": ["monitoring_user"],
"full_name": "Monitoring User"
}Use Elasticsearch ML for:
- Anomaly detection in metrics
- Forecasting future trends
- Unusual event detection
- Categorization of log messages
- Job scheduling and automation
To accelerate your mastery of the Elastic Stack and prepare for certification, we recommend the following courses from QuantumRoot:
Course URL: https://quantumroot.in/courses/elasticsearch-search-analytics
Perfect for: Search engineers, product teams, data engineers wanting to build intelligent search systems
What you'll master:
- β Advanced Elasticsearch query optimization
- β Building search relevance from scratch
- β Implementing behavioral analytics dashboards
- β Search quality metrics and monitoring
- β A/B testing and continuous improvement
- β Semantic search with vector embeddings
- β Production search architecture patterns
- β Real-world search system case studies
Certification: Prepare for Elastic Certified Analyst exam
Duration: 12-16 weeks (flexible, self-paced)
Key Benefits:
- Hands-on labs with real datasets
- Industry-standard best practices
- Access to instructors for guidance
- Certificate of completion recognized in the industry
Course URL: https://quantumroot.in/courses/elastic-elk-observability-engineer-certification-course
Perfect for: DevOps engineers, SREs, platform engineers, system administrators
What you'll master:
- β Complete Elastic Stack architecture and deployment
- β Infrastructure monitoring with Metricbeat
- β Application Performance Monitoring (APM)
- β OpenTelemetry integration and instrumentation
- β Distributed tracing and root cause analysis
- β Advanced alerting and anomaly detection
- β Service Level Objectives (SLOs) and reliability
- β Kubernetes and container monitoring
- β Incident response automation
- β Production deployment strategies
Certification: Elastic Certified Observability Engineer - Industry-recognized credential
Duration: 14-18 weeks (flexible, self-paced)
Key Benefits:
- Complete observability platform design
- Real-world incident scenarios
- Multi-cluster management
- Advanced troubleshooting techniques
- Exam practice tests included
- Career advancement with official certification
| Aspect | Benefit |
|---|---|
| Expert Instruction | Learn from certified Elastic professionals with years of production experience |
| Hands-On Labs | 50+ practical labs with real datasets and production scenarios |
| Certification Prep | Directly aligned with official Elastic certification exams |
| Industry Recognition | Credentials valued by top tech companies globally |
| Career Growth | Certified professionals earn 20-30% higher salaries on average |
| Lifetime Access | Course materials, updates, and community support forever |
| Job Placement | Access to QuantumRoot's network of hiring partners |
For Search & Analytics Focus:
- Start with this repository's search optimization section
- Enroll in the Search & Analytics course
- Build a search project using real e-commerce or content data
- Pass the Elastic Certified Analyst exam
For Observability & Operations Focus:
- Begin with this repository's log management and monitoring sections
- Enroll in the Observability Engineer course
- Deploy a production observability stack
- Earn the Elastic Certified Observability Engineer credential
For Full Mastery (Recommended):
- Complete both courses sequentially
- Gain expertise across all ELK Stack components
- Become a versatile Elastic engineer
- Unlock advanced career opportunities
elastic-stack/
βββ README.md # This file
βββ docker-compose.yml # Quick local setup
βββ elasticsearch/
β βββ config/
β β βββ elasticsearch.yml # Configuration reference
β βββ mappings/
β β βββ logs-mapping.json # Log index mapping
β β βββ metrics-mapping.json # Metrics mapping
β β βββ search-mapping.json # Search index mapping
β βββ index-templates/
β β βββ logs-template.json # Auto-create log indices
β β βββ metrics-template.json # Auto-create metric indices
β βββ queries/
β βββ basic-queries.md # Query DSL examples
β βββ aggregations.md # Analytics aggregations
β βββ optimization.md # Performance tips
βββ logstash/
β βββ pipelines/
β β βββ apache-logs.conf # Apache/Nginx parsing
β β βββ json-logs.conf # JSON log processing
β β βββ syslog.conf # System log parsing
β β βββ multi-line.conf # Complex log handling
β βββ filters/
β β βββ grok-patterns.md # Custom patterns
β β βββ enrich-examples.md # Data enrichment
β βββ logstash.yml # Configuration reference
βββ kibana/
β βββ dashboards/
β β βββ observability.json # Ops monitoring dashboard
β β βββ search-analytics.json # Search metrics
β β βββ security.json # Security events
β βββ visualizations/
β β βββ charts-examples.md # Visualization types
β β βββ canvas-examples.md # Canvas tutorials
β βββ saved-searches/
β βββ log-analysis.json # Common search patterns
β βββ troubleshooting.json # Debugging queries
βββ filebeat/
β βββ filebeat.yml # Configuration
β βββ modules/
β βββ nginx-config.yml # Nginx log collection
β βββ system-config.yml # System metrics
β βββ docker-config.yml # Container logs
βββ metricbeat/
β βββ metricbeat.yml # Configuration
β βββ modules/
β βββ system.yml # Host metrics
β βββ docker.yml # Container metrics
β βββ elasticsearch.yml # Cluster monitoring
βββ examples/
β βββ log-aggregation/ # Centralized logging setup
β βββ search-engine/ # Search implementation
β βββ apm-setup/ # Application monitoring
β βββ alerting/ # Alert configuration
βββ scripts/
β βββ setup.sh # Automated installation
β βββ backup.sh # Snapshot automation
β βββ test-queries.sh # Query testing
βββ docs/
βββ architecture.md # System design
βββ troubleshooting.md # Common issues
βββ performance-tuning.md # Optimization guide
βββ security.md # Security hardening
βββ elk-certification-guide.md # Exam preparation
Scenario: Monitor logs from 50+ microservices in Kubernetes
Architecture:
Kubernetes Pods
β
Filebeat (DaemonSet)
β
Logstash (Stateless)
β
Elasticsearch (Cluster)
β
Kibana (Discovery & Alerting)
See examples in: examples/log-aggregation/
Scenario: E-commerce search with relevance ranking and autocomplete
Key features:
- Fuzzy matching for typo tolerance
- Custom scoring based on popularity
- Real-time suggestions
- Search analytics tracking
See examples in: examples/search-engine/
Scenario: Monitor microservices performance, latency, and errors
Metrics tracked:
- Request latency (p50, p95, p99)
- Error rates by service
- Database query performance
- External API response times
See examples in: examples/apm-setup/
Scenario: Detect anomalies and notify teams automatically
Alert types:
- Threshold-based (e.g., error rate > 5%)
- Anomaly detection (unusual patterns)
- Composite alerts (multiple conditions)
- ML-powered predictions
See examples in: examples/alerting/
Problem: Elasticsearch crashes immediately after startup
Solutions:
- Check JVM memory:
elasticsearch.ymlshould have-Xmsand-Xmxset to β€50% of available RAM - Verify disk space: Need at least 1GB free (preferably 10GB+)
- Check network binding: Ensure ports 9200 and 9300 are available
- Review logs:
journalctl -u elasticsearch -for logs in/var/log/elasticsearch/
Problem: Dashboards taking >5 seconds to load
Solutions:
- Profile the query: Use
_profileendpoint - Add filters to reduce data scanned
- Increase shard count for parallelization
- Use aggregations instead of all raw data
- Consider index optimization or sampling
Problem: Events not appearing in Elasticsearch
Solutions:
- Verify Logstash pipeline:
bin/logstash -f pipeline.conf --config.test_and_exit - Check logs: Monitor Logstash log output
- Verify Elasticsearch connectivity: Ensure
elasticsearchhost and credentials are correct - Test input source: Send test data manually
Problem: JVM heap continuously growing or OOM errors
Solutions:
- Reduce
indices.memory.index_buffer_sizein Elasticsearch - Lower
bulk_sizein Logstash - Implement aggressive index lifecycle management
- Scale horizontally with more nodes
- Monitor with
_nodes/statsendpoint
Problem: Replicas not being assigned
Solutions:
- Check available nodes: Unbalanced clusters may prevent replica placement
- Verify shard allocation:
_cluster/allocation/explain - Increase node count if necessary
- Review
index.number_of_replicassetting
- JVM heap set to 4-16GB (not more than 32GB)
- Heap to non-heap ratio properly balanced
- GC logging enabled for monitoring
- Swap disabled to prevent GC pauses
- Number of shards optimized (3-5 per 2GB heap)
- Proper mapping with correct field types
- Index statistics updated regularly
- Hot-warm-cold architecture implemented for time-series data
-
batch.sizeconfigured (50-100 typical) -
pipeline.workersmatches CPU count - Grok patterns optimized for your data
- Unnecessary filters removed
- Bulk API enabled for Elasticsearch output
- Dead letter queue configured
- Monitoring enabled with metrics
- Index pattern configured efficiently
- Saved searches cached
- Dashboard queries optimized
- Visualization sampling used for large datasets
- Canvas reports use timeseries data
- Browser caching enabled
-
Enable X-Pack Security
xpack.security.enabled: true xpack.security.transport.ssl.enabled: true xpack.security.http.ssl.enabled: true
-
Configure TLS/SSL
- Generate certificates using
elasticsearch-certutil - Configure for transport and HTTP layers
- Verify certificate validity
- Generate certificates using
-
Create Users and Roles
# Create a user curl -X POST "localhost:9200/_security/user/app_user?pretty" \ -H 'Content-Type: application/json' \ -d '{ "password": "l=Zs{3Edta9ZjISb", "roles": ["app_role"], "full_name": "Application User" }'
-
Implement Network Security
- Firewall rules to restrict access
- Private network for cluster communication
- VPN or bastion hosts for remote access
-
Enable Audit Logging
xpack.security.audit.enabled: true xpack.security.audit.logfile.events.include: - access_denied - access_granted - connection_granted
We welcome contributions! Areas we need help with:
- Additional Logstash pipeline configurations
- Dashboard examples for different use cases
- Performance tuning documentation
- Multi-language client examples
- Container orchestration guides
- Troubleshooting scenarios and solutions
- Certification exam preparation materials
To contribute:
- Fork the repository
- Create a feature branch
- Add your examples/documentation
- Submit a pull request with clear descriptions
This repository complements official Elastic certification exams:
- Search and query optimization
- Relevance tuning
- Analytics implementation
- Practical lab environment
- Infrastructure monitoring
- Log aggregation and analysis
- Application performance monitoring
- Production deployment and management
Recommended Path:
- Study this repository's examples
- Enroll in corresponding QuantumRoot courses
- Complete all hands-on labs and projects
- Take practice exams
- Schedule official certification exam
This learning repository is provided under the MIT License.
For questions about:
- This repository: Open an issue on GitHub
- Course enrollment: Visit QuantumRoot
- Certification exam prep: Contact Elastic directly
- Technical issues: Check troubleshooting guide or community forums
- β Star this repository to stay updated
- π Watch for new examples and documentation
- π§ Subscribe for release notifications
- π¬ Participate in discussions and issues
Last Updated: January 2025
Maintainer: Miraj Godha
Elastic Stack Version: 8.0+
This repository is built on:
- Official Elastic documentation and best practices
- Community examples and patterns
- Real-world production experiences
- Feedback from Elastic engineers and community members
Thank you for using this learning resource. Happy learning and building with the Elastic Stack! π