Elastic Stack (ELK): 30-Minute Tutorial

ELK in 30 minutes: enough to start indexing; not yet enough for production retention strategy.

Step 1: Run ES + Kibana

docker compose up with the official Elastic compose file.

Wait 60s; Kibana on 5601.

Step 2: Ship logs

• Install Filebeat; configure to read /var/log/syslog.
• Start Filebeat; ES receives entries.

Step 3: Index template

Kibana → Stack Management → Index Templates.

Define mappings for your log fields; ES applies on indexing.

Step 4: Search

Kibana → Discover → search by field, by free text.

Visualize: bar chart of error count over time.

Antipatterns

• No index lifecycle policy. Disk fills; ES dies.
• Default replicas=1 with 1 node. No HA.
• Free-text search instead of structured. Slow at scale.

What to do this week

Three moves. (1) Run the tutorial end-to-end on your own laptop / sandbox. (2) Apply the pattern to one production workload. (3) Document the variations you needed; share with the team.