ELK Stack
Centralize, search, and visualize logs with Elasticsearch, Logstash, and Kibana.
Theory
The ELK Stack centralizes logs so you can search across all your systems in one place. Its components:
- Elasticsearch — a distributed search/analytics engine that stores and indexes logs
- Logstash — ingests, parses, and transforms logs (often replaced by lightweight Beats/Fluent Bit shippers)
- Kibana — the UI to search, filter, and visualize
The flow: shippers collect logs → parse into structured fields → index in
Elasticsearch → explore in Kibana. Structured (JSON) logs make fields searchable
(e.g. status:500 AND service:api), which is the whole point of centralization.
```mermaid
graph LR
    APP["Apps (stdout)"] --> SHIP["Beats / Fluent Bit"]
    SHIP --> LS["Logstash (parse)"]
    LS --> ES["Elasticsearch (index)"]
    ES --> KB["Kibana (search/visualize)"]
```
Hands-On Exercise
- Name each ELK component and its responsibility.
- Explain why structured (JSON) logging matters for search.
- Write a Kibana-style query to find 500 errors for one service.
- What role do Beats/Fluent Bit play versus Logstash?
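A worked model of the flow described under Theory and of the query asked for in the exercise, added here as an example and not part of the original notes. It mimics the three stages in a few dozen lines: a Logstash-style parse stage (JSON lines pass straight through; one constructed plain-text line needs a grok-style regex before it has any fields at all), an index stage that builds a tiny inverted index keyed by field and value, and a minimal Kibana/KQL-style evaluator for `status:500 AND service:api`. The sample records, the field names (`ts`, `service`, `status`, `msg`) and the plain-text format are constructed assumptions, not a real Elastic schema or API.

```python
"""Added example (not from the page): a toy model of the ELK flow.

Constructed sample input: three records that are already structured JSON
(what a shipper such as Beats/Fluent Bit would forward) and one plain-text
line that is only searchable by field once a parser extracts those fields.
"""
import json
import re
from collections import defaultdict

# Constructed sample lines, as a shipper might deliver them to Logstash.
RAW_LINES = [
    '{"ts":"2024-05-01T10:00:00Z","service":"api","status":500,"msg":"upstream timeout"}',
    '{"ts":"2024-05-01T10:00:01Z","service":"web","status":500,"msg":"template error"}',
    '{"ts":"2024-05-01T10:00:02Z","service":"api","status":200,"msg":"ok"}',
    # Unstructured line: its fields exist only if a parser pulls them out.
    '2024-05-01T10:00:03Z api status=500 msg="db connection refused"',
]

# Grok-style pattern for the (constructed) plain-text format above.
UNSTRUCTURED = re.compile(
    r'^(?P<ts>\S+) (?P<service>\S+) status=(?P<status>\d+) msg="(?P<msg>[^"]*)"$'
)


def parse_line(line):
    """Parse stage: JSON passes through, plain text is matched against the regex.
    Returns None for lines matching neither format (the fragile, lossy case)."""
    line = line.strip()
    if line.startswith("{"):
        try:
            return json.loads(line)
        except json.JSONDecodeError:
            return None
    m = UNSTRUCTURED.match(line)
    if not m:
        return None
    doc = m.groupdict()
    doc["status"] = int(doc["status"])  # normalise the type so status:500 matches
    return doc


def build_index(lines):
    """Index stage: returns (docs, inverted), inverted[field][value] -> set of doc ids."""
    docs = []
    inverted = defaultdict(lambda: defaultdict(set))
    for line in lines:
        doc = parse_line(line)
        if doc is None:
            continue  # unparseable -> stored nowhere, not searchable by field
        doc_id = len(docs)
        docs.append(doc)
        for field, value in doc.items():
            inverted[field][str(value)].add(doc_id)
    return docs, inverted


def search(inverted, query):
    """Evaluate a minimal KQL-like query of field:value terms joined by AND / OR.
    AND binds tighter than OR, as in Kibana. Returns a sorted list of doc ids."""

    def term_ids(term):
        field, _, value = term.partition(":")
        return set(inverted.get(field, {}).get(value, set()))

    result = set()
    for disjunct in re.split(r"\s+OR\s+", query.strip()):
        ids = None
        for term in re.split(r"\s+AND\s+", disjunct):
            ids = term_ids(term) if ids is None else ids & term_ids(term)
        result |= ids or set()
    return sorted(result)


def find_500s(lines, service):
    """The exercise query: every 500 for one service, returned as matching docs."""
    docs, inverted = build_index(lines)
    return [docs[i] for i in search(inverted, f"status:500 AND service:{service}")]


if __name__ == "__main__":
    for hit in find_500s(RAW_LINES, "api"):
        print(hit["ts"], hit["service"], hit["status"], hit["msg"])
```

The point the Theory section makes shows up in `build_index`: a record that the parse stage cannot turn into fields never reaches the index, so it can never be found by `status:500`. JSON logs skip that failure mode entirely, while the plain-text line depends on a regex that breaks the moment the log format changes.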
Cheat Sheet
| Component | Role |
|---|---|
| Elasticsearch | Store + index logs |
| Logstash | Parse/transform logs |
| Kibana | Search + visualize |
| Beats / Fluent Bit | Lightweight shippers |
| Index | Searchable log store |
| Structured logs | JSON fields, queryable |
Common Interview Questions
What does each part of the ELK stack do?
Elasticsearch stores and indexes logs, Logstash (or Beats/Fluent Bit) ingests and parses them, and Kibana provides search and visualization over the indexed data.
Why are structured logs important for centralized logging?
JSON fields are indexed and directly queryable (e.g. status:500 AND service:api), enabling fast, precise search — unlike unstructured text that needs fragile parsing.