Here’s the guide to deploy Elastic Stack on Ubuntu VPS, with secure access, HTTPS proxying, and service optimization.

Table of Contents

What is Elastic Stack?

Also known as ELK Stack, the Elastic Stack is a collection of tools for securely taking data from any source and format to search, analyze, and visualize it. The core components are Elasticsearch (a search and analytics engine), Kibana (for visualization), Beats (data shippers), and Logstash (a data ingestion pipeline). It is widely used for use cases like log management, security, observability, and business analytics.

🧭 Full Guide: Deploy Elastic Stack on Ubuntu VPS

✅ Works on Ubuntu 22.04 LTS or later

The Elastic Stack (formerly ELK Stack) consists of:

Elasticsearch – data storage and search engine
Logstash – data ingestion and processing pipeline
Kibana – web-based data visualization and management UI

⚙️ Prerequisites

Ubuntu VPS (with fresh install of 22.04+)
At least 4 GB RAM, 2 vCPUs minimum
Root or sudo access
Open ports (see: How to Open Ports on Linux Server)
- 9200 (Elasticsearch)
- 9300 (Elasticsearch transport)
- 5601 (Kibana)
- 5044 (Logstash input)
Optional: domain name for HTTPS proxying (e.g., search.example.com)

How to Deploy Elastic Stack on Ubuntu VPS

To deploy Elastic Stack on Ubuntu VPS, follow the steps outlined below:

🧩 System Update

sudo apt update && sudo apt upgrade -y sudo apt install apt-transport-https wget curl gnupg ufw -y

🔑 Add Elastic APT Repository

Import the GPG key and repository:

curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/elastic-archive-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list sudo apt update

🧱 Install Elasticsearch

sudo apt install elasticsearch -y

Configure Elasticsearch

Edit /etc/elasticsearch/elasticsearch.yml:

cluster.name: elastic-stack node.name: node-1 network.host: 0.0.0.0 http.port: 9200 discovery.type: single-node

Enable and start the service:

sudo systemctl enable elasticsearch sudo systemctl start elasticsearch sudo systemctl status elasticsearch

Test Elasticsearch

curl -k https://localhost:9200 -u elastic

⚡ Install Logstash

Logstash processes logs and sends them to Elasticsearch.

sudo apt install logstash -y

Configure Logstash Pipeline

Create a configuration file:

sudo nano /etc/logstash/conf.d/01-logstash-input.conf

Example configuration:

input { beats { port => 5044 } } filter { grok { match => { "message" => "%{COMMONAPACHELOG}" } } } output { elasticsearch { hosts => ["https://localhost:9200"] index => "logs-%{+YYYY.MM.dd}" user => "elastic" password => "your_elastic_password" ssl => true cacert => "/etc/elasticsearch/certs/http_ca.crt" } }

💡 You can use the generated CA certificate from /etc/elasticsearch/certs/ (Elasticsearch 8.x automatically generates one).

Enable and start Logstash:

sudo systemctl enable logstash sudo systemctl start logstash sudo systemctl status logstash

🖥 Install Kibana

sudo apt install kibana -y

Configure Kibana

Edit /etc/kibana/kibana.yml:

server.port: 5601 server.host: "0.0.0.0" elasticsearch.hosts: ["https://localhost:9200"] elasticsearch.username: "kibana_system" elasticsearch.password: "your_kibana_password" server.publicBaseUrl: "https://your-domain.com"

Enable and start Kibana:

sudo systemctl enable kibana sudo systemctl start kibana

Access it via:

http://your-server-ip:5601

🌐 Secure with Nginx Reverse Proxy + HTTPS (Certbot)

Install Nginx and Certbot:

sudo apt install nginx certbot python3-certbot-nginx -y

Create proxy configuration:

sudo nano /etc/nginx/sites-available/kibana.conf

Add:

server { listen 80; server_name your-domain.com; location / { proxy_pass http://localhost:5601; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; } }

Enable and secure:

sudo ln -s /etc/nginx/sites-available/kibana.conf /etc/nginx/sites-enabled/ sudo nginx -t && sudo systemctl reload nginx sudo certbot --nginx -d your-domain.com

Now, Kibana will be accessible securely via:

https://your-domain.com

📊 Connect Beats (Optional)

To ship logs from other systems, install Filebeat:
```
sudo apt install filebeat -y
```
Configure /etc/filebeat/filebeat.yml:
```
output.logstash: hosts: ["your-vps-ip:5044"]
```
Then enable and start:
```
sudo systemctl enable filebeat sudo systemctl start filebeat
```
🧠 Verify Stack Connectivity

Check that all services are communicating:
```
sudo systemctl status elasticsearch
sudo systemctl status logstash
sudo systemctl status kibana
```
Then in Kibana:
- Visit Stack Management → Index Patterns
- Confirm indices like logs-* are appearing.
⚙️ Optional JVM Optimization

Edit heap size settings for performance:
```
sudo nano /etc/elasticsearch/jvm.options.d/custom.options
```
Add (50% of available RAM recommended):
```
-Xms2g -Xmx2g
```
Restart services:
```
sudo systemctl restart elasticsearch logstash kibana
```

🛡 Secure and Maintain

Use ufw to limit access to ports:

  sudo ufw allow 5601,9200,5044/tcp
sudo ufw enable

Regularly update:

  sudo apt update && sudo apt upgrade -y

Monitor logs:

  sudo journalctl -u elasticsearch -f
sudo journalctl -u logstash -f
sudo journalctl -u kibana -f

✅ Final Verification

Open:

https://your-domain.com

Elasticsearch cluster health = green
Logstash pipelines visible
Indices showing in Kibana → Discover

🎯 Summary

Component	Port	Function	Service
Elasticsearch	9200	Core search & data engine	`elasticsearch`
Logstash	5044	Data ingestion pipeline	`logstash`
Kibana	5601	Visualization UI	`kibana`

You now have a fully functional Elastic Stack running securely on your Ubuntu VPS — ideal for central log management, data analytics, and real-time search.