Quick start: Get logs and metrics into the Elastic Stackedit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

This guide describes how to use the ingest management capabilities in the Elastic Stack to:

  • Collect logs and metrics from systems and services across your organization
  • Send the data to the Elastic Stack
  • Explore and visualize the data in real-time

For feedback and questions, please contact us in the discuss forum.

Prerequisitesedit

Before you begin, please read Limitations of this release.

You need Elasticsearch for storing and searching your data, and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud (recommended), or self-manage the Elastic Stack on your own hardware.

Here’s what you need for each deployment type:

Step 1: Add integrationsedit

Ingest Manager provides integrations that bundle various assets needed to ingest and visualize data.

In this guide, we assume that you have nginx running on some of your infrastructure, and want to collect logs and metrics from it. To do so:

  1. Log in to Kibana and go to Management > Ingest Manager.

    Ingest Manager in Kibana
  2. In Ingest Manager, click the Integrations tab and use the search bar to find the Nginx integration.

    Ingest Manager showing Nginx integration
  3. Click the Nginx integration to see more details about it, and then click Add Nginx.

    Ingest Manager showing Nginx integration overview
  4. On the Add Nginx integration page, click the default agent configuration to select it, then scroll down to inspect or change the default settings.
  5. If your logs are not in the default location, click the down arrow next to enabled streams and change the Paths field.
  6. When you’re done, click Save integration.

    Ingest Manager Add data source screen
  7. To verify that the integration is installed, click the Integrations tab and then click Installed Integrations.

    The Nginx integration has been installed and should show up in this list. Note that the System and Elastic Endpoint Security integrations are installed by default.

    Ingest Manager showing installed integrations
  8. Select the Configurations tab, and in the list of agent configurations, click Default config.

    The newly added Nginx integration should appear under Integrations. Note that the system-1 integration has been created by default.

    Ingest Manager showing default agent configuration with nginx-1 datasource

Step 3: Install and run Elastic Agentedit

Elastic Agent is a single, unified agent that you can deploy to hosts or containers to collect data and send it to the Elastic Stack. Behind the scenes, Elastic Agent runs the Beats shippers or Elastic Endpoint required for your configuration.

To download and install Elastic Agent, use the commands that work with your system:

curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-7.9.2-amd64.deb
sudo dpkg -i elastic-agent-7.9.2-amd64.deb

See the download page for other installation options.

After the download is complete, decide which mode you want to run in: Fleet or standalone. What’s the difference?

  • With Fleet mode, you use Ingest Manager in Kibana to define and manage Elastic Agent configurations from a central location.
  • With standalone mode, you configure Elastic Agent manually on the system where the agent is installed.

Fleet modeedit

To use Fleet to configure Elastic Agent:

  1. In Ingest Manager, click Settings and change the defaults, if necessary. For self-managed installations, set the URLs for Elasticsearch and Kibana, including the http ports, then save your changes.

    Ingest Manager settings
  2. Enable Fleet. Click the Fleet tab and click Create user and enable Fleet.

    Ingest Manager showing prompt to enable Fleet
  3. On the Fleet tab, click Add agent and complete the steps under Enroll with Fleet. Skip the first step because you downloaded Elastic Agent earlier.
  4. Select an agent configuration (or accept the default).
  5. Copy the command for enrolling the agent.

    The copied command contains your Kibana URL and an enrollment key that was generated by Ingest Manager.

    Ingest Manager showing agent enrollment dialog
  6. In the directory where Elastic Agent is installed, run the command you copied. Note that this command will overwrite the elastic-agent.yml file in that directory.

    We recommend that you run this command as the root user because some integrations require root privileges to collect sensitive data.

    elastic-agent enroll KIBANA_URL ENROLLMENT_KEY

    Where KIBANA_URL is the Kibana URL where Fleet is running, and ENROLLMENT_KEY is the enrollment token acquired from Fleet.

  7. Run Elastic Agent:

    The DEB package includes a service unit for Linux systems with systemd. On these systems, you can manage Elastic Agent by using the usual systemd commands:

    systemctl enable elastic-agent
    systemctl start elastic-agent

    Otherwise, use:

    sudo service elastic-agent start

    Elastic Agent will restart automatically if the system is rebooted.

  8. In Ingest Manager, click Continue to go to the Fleet tab, where you should see the newly enrolled agent.

    Ingest Manager showing enrolled agents

If you run into problems, see Troubleshoot common problems.

To unenroll an agent, see Unenroll Elastic Agent.

Standalone mode (manual configuration)edit

To configure Elastic Agent manually:

  1. On the Fleet tab, click Add agent and complete the steps under Standalone mode. Skip the first step because you downloaded Elastic Agent earlier.
  2. Select an agent configuration (or accept the default).
  3. Copy the content of the agent configuration and put it into a file named elastic-agent.yml on the system where Elastic Agent is installed.

    Ingest Manager showing default agent configuration in YAML format

    The configuration file generated by Ingest Manager already contains the correct Elasticsearch address and port for your setup. If you run everything locally, the address is 127.0.0.1:9200. If you use our hosted Elasticsearch Service on Elastic Cloud, the address corresponds to the Elasticsearch endpoint URL that is listed under Endpoints as described in Work with Elasticsearch.

  4. Change the Elasticsearch username and password in the outputs section of the configuration file:

    [...]
    outputs:
      default:
        type: elasticsearch
        hosts:
          - 'HOST:PORT'
        username: ES_USERNAME
        password: ES_PASSWORD
    datasources:
    [...]
  5. Run Elastic Agent:

    The DEB package includes a service unit for Linux systems with systemd. On these systems, you can manage Elastic Agent by using the usual systemd commands:

    systemctl enable elastic-agent
    systemctl start elastic-agent

    Otherwise, use:

    sudo service elastic-agent start

    Elastic Agent will restart automatically if the system is rebooted.

Step 4: View your dataedit

In Ingest Manager, click the Datasets tab to inspect the data that is sent by Elastic Agent. From the Actions column, you can navigate to the dashboards corresponding to the data type that is sent.

Ingest Manager showing data streams list

What’s next?edit

Now that you have your logs streaming into Elasticsearch, learn how to unify your logs, metrics, uptime, and application performance data by using Elastic Observability.