Installing the ELK Stack on Windows


Windows? ELK? Well, while it would be safe to assume that most ELK Stack deployments are on Linux-based systems, there are certain use cases in which you would want to install the stack on a Windows machine.

If you’re looking to log Windows event logs, for example, and you do not want to ship the logs over the Web to an ELK server for security reasons, you’re going to want to deploy the stack locally.

This article will guide you through the necessary steps to install the ELK Stack’s components as Windows services. Note: This example uses Elasticsearch 2.3.5, Logstash 2.3.4, and Kibana 4.5.4.

The setup

I’ll be using a Windows 2012 R2 instance on Amazon Web Services. The operating system is just a basic Server 2012 R2 installation — but with updates and a disabled firewall. I’ve also installed an Apache server for the purpose of demonstrating how to ship logs into ELK.

Elasticsearch and Logstash require Java, so you will also need to download and install it — JDK and NOT JRE — and create a JAVA_HOME system variable as well.

Adding JAVA system variable

Installing Elasticsearch

Our first step is to install Elasticsearch — the heart of the stack, if you like, that is responsible for storing and indexing the log data.

You can download the latest version of Elasticsearch from Elastic’s Elasticsearch download page. Extract the downloaded package into a designated folder in your file system (e.g. c:\elk).

Next, open a PowerShell prompt and enter the following command (be sure to enter your installation path in the command):

$ Invoke-Expression -command "c:\elk\elasticsearch\bin\service install"

You should get an output that looks as follows:

Installing service      :  "elasticsearch-service-x64"
Using JAVA_HOME (64-bit):  "C:\Program Files\Java\jdk1.8.0_1
The service 'elasticsearch-service-x64' has been installed.

Next, we’re going to open the service manager for the Elasticsearch service:

$ Invoke-Expression -command "c:\elk\elasticsearch\bin\service manager"

Service manager for Elasticsearch

This is where you customize settings for Elasticsearch. Memory for JVM, for example, can be configured on the Java tab, which is important for when you start to ingest large quantities of data.

On the General tab, we’re going to select the “Automatic” startup type and hit the “Start” button to start Elasticsearch. To make sure that all is running as expected, enter the following URL into your browser:

http://localhost:9200

You should get the following output:

{
  "name" : "Andrew Chord",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "2.3.5",
    "build_hash" : "90f439ff60a3c0f497f91663701e64ccd01edbb4",
    "build_timestamp" : "2016-07-27T10:36:52Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}

Installing Logstash

Next up is Logstash. Now, there are a number of ways to install Logstash on Windows, but it cannot be installed as a service out-of-the-box. So, I’ll be using a service manager called Non-Sucking Service Manager (NSSM), which I have downloaded and extracted into the folder that contains all of our installed ELK packages.

Now, download and extract Logstash from the Logstash download page to the same folder.

Before installing Logstash with NSSM, create a Logstash configuration file called “config.json” and place it in the “bin” directory.

Next, enter the following command in PowerShell (be sure to update the paths invoked):

$ Invoke-Expression -command "c:\elk\nssm\win64\nssm install Logstash"

You should see the NSSM dialog:

NSSM service installer for Logstash

For the application path, browse to and select the Logstash .bat file. The “Startup” directory field below is completed automatically. In the “Arguments” field, enter:

-f c:\elk\logstash\bin\config.json

There are other options you can configure such as tying the service to Elasticsearch, but for the purpose of this guide, these settings will suffice.

Click the “Install Service” button and a success message will be displayed. In PowerShell, you will see the following message:

Service "Logstash" installed successfully!

Logstash service installed successfully message

Open Windows Task Manager and start the service from the “Services” tab.

Installing Kibana

As with Logstash, we will install Kibana as a Windows service using NSSM. Download and extract Kibana from the Kibana download page.

Use this command in PowerShell to create the service:

$ Invoke-Expression -command "c:\elk\nssm\win64\nssm install Kibana"

In the NSSM dialog, complete the relevant paths to the Kibana files (there is no need to pass any arguments for Kibana) and click “Install service”:

Service "Kibana" installed successfully!

As with Logstash, start the service from your Task Manager — you should now have all three services up and running!

Service manager - up and running!

To verify, open your browser at this address: http://127.0.0.1:5601.
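The Logstash and Kibana steps above, scripted with NSSM’s command line instead of its dialog and followed by a start-and-verify pass, as an added example that is not part of the original post. It goes a little beyond the text: it sets the Elasticsearch dependency the post mentions as an option, and it warns when either web port listens on anything other than loopback, since keeping the data local is the post’s reason for a Windows deployment. The c:\elk layout, the nssm.exe path under nssm\win64 and the service names are assumptions matching the folders used above.

```powershell
# Added example (not from the original post): the NSSM steps above run from the
# command line, plus a start/verify pass. The c:\elk paths are assumptions.
$ErrorActionPreference = 'Stop'
$elk  = 'C:\elk'
$nssm = Join-Path $elk 'nssm\win64\nssm.exe'
$esService = 'elasticsearch-service-x64'   # name printed by service.bat above

# Service name -> executable, arguments (may be empty) and startup directory
$services = @{
    'Logstash' = @{
        App  = Join-Path $elk 'logstash\bin\logstash.bat'
        Args = '-f ' + (Join-Path $elk 'logstash\bin\config.json')
        Dir  = Join-Path $elk 'logstash\bin'
    }
    'Kibana' = @{
        App  = Join-Path $elk 'kibana\bin\kibana.bat'
        Args = ''
        Dir  = Join-Path $elk 'kibana\bin'
    }
}

foreach ($name in $services.Keys) {
    $s = $services[$name]
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) { continue }  # already installed
    & $nssm install $name $s.App
    if ($s.Args) { & $nssm set $name AppParameters $s.Args }
    & $nssm set $name AppDirectory $s.Dir
    # Start automatically, but only after Elasticsearch (the "tying" option in the dialog)
    & $nssm set $name Start SERVICE_AUTO_START
    & $nssm set $name DependOnService $esService
}

# Elasticsearch already has its own service; make it automatic, then start everything
Set-Service -Name $esService -StartupType Automatic
foreach ($name in @($esService) + @($services.Keys)) { Start-Service -Name $name }

# Verify both web endpoints answer (9200 = Elasticsearch, 5601 = Kibana)
foreach ($url in 'http://localhost:9200', 'http://localhost:5601') {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 60
        Write-Host "$url -> HTTP $($r.StatusCode)"
    } catch {
        Write-Warning "$url did not answer: $($_.Exception.Message)"
    }
}

# The post keeps the stack local for security; warn if either port listens beyond loopback
Get-NetTCPConnection -State Listen -LocalPort 9200, 5601 -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object { Write-Warning "Port $($_.LocalPort) is listening on $($_.LocalAddress)" }
```

Kibana takes a while to come up, so a warning for port 5601 right after the start may just mean it is not listening yet; the loopback check is the one to act on.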

Kibana open in browser

Congrats! You’ve successfully installed the ELK Stack on your Windows server!

As you may notice — Kibana is notifying you that it could not fetch mapping. This is because you have not shipped any data yet. This is, of course, the next step. If you’re trying to set up a pipeline of Windows event logs into ELK, I described how to install and use Winlogbeat (a log shipper by Elastic for shipping event logs into ELK) in this additional guide to Windows event log analysis.


31 responses to “Installing the ELK Stack on Windows”

  1. Shankar Radhakrishnan says:

    @Daniel, Your blog post is timely. ELK on Windows is not as uncommon as it might seem. Teams and branch offices, even large organizations, use Windows as their primary OS and do not have Linux expertise. They deploy ELK on Windows. To help such users, we released Skedler on Windows to automate report generation for the ELK stack on Windows.

  2. Андрей Ковалёв says:

    …”Elasticsearch and Logstash require JavaScript, so you will also need to download and install it — JDK and NOT JRE — and create a JAVA_HOME system variable as well”…

    They require Java, not JavaScript. Please correct the error.

    • Daniel Berman says:

      Thanks Jan. Will check it out!

      • Jan Vandepitte says:

        # Scripts must be allowed to run at all; re-run in a fresh shell after changing the policy
        $Policy = "Unrestricted"
        If ((Get-ExecutionPolicy) -ne $Policy) {
            Write-Host "Script execution is disabled. Enabling it now"
            Set-ExecutionPolicy $Policy -Force
            Write-Host "Please re-run this script in a new PowerShell environment"
            Exit
        }
        # Install Chocolatey (its official installer script) if it is not present
        if (Get-Command "choco" -ErrorAction SilentlyContinue) {
            "choco exists"
        } else {
            iex ((New-Object Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
        }
        # JDK 8 is required; $env:JAVA_HOME is $null when the variable is not set, so the test is safe
        if ($env:JAVA_HOME -match 'Java\\jdk1\.8\.') {
            Write-Output "We have Java Development Kit 8 installed"
        } else {
            choco install jdk8 -y
            Write-Output "Java Development Kit 8 was installed, you need to set the JAVA_HOME variable"
        }

        choco install elasticsearch -y -Force
        choco install logstash -y -Force
        choco install kibana -y -Force

        # Register Elasticsearch as a service using the service.bat that sits next to elasticsearch.bat
        $installdirElastic = Get-Command elasticsearch | Select-Object -ExpandProperty Definition
        $serviceElastic = $installdirElastic -replace "elasticsearch.bat$", "service"
        Invoke-Expression -command "$serviceElastic install"

        # Pick the first Kibana / Elasticsearch service that is not running yet and start it
        $kibanaserviceToStart = Get-Service | Where-Object {$_.Name -match "kibana" -and $_.Status -ne "Running"} | Select-Object -First 1
        $elasticserviceToStart = Get-Service | Where-Object {$_.Name -match "elasticsearch" -and $_.Status -ne "Running"} | Select-Object -First 1

        if ($kibanaserviceToStart) {
            Start-Service $kibanaserviceToStart.Name
        }
        if ($elasticserviceToStart) {
            Start-Service $elasticserviceToStart.Name
        }

        explorer http://localhost:9200
        explorer http://localhost:5601

    • tmueller says:

      It's a shame Chocolatey only has version 2.x

  3. znatan says:

    service start fails…
    [2016-11-07 06:44:07] [error] [ 748] CreateJavaVM Failed
    [2016-11-07 06:44:07] [error] [ 748] The system could not find the environment option that was entered.
    [2016-11-07 06:44:07] [error] [ 3448] Failed to start Java
    [2016-11-07 06:44:07] [error] [ 3448] ServiceStart returned 4
    [2016-11-07 06:44:07] [info] [ 3236] Run service finished.
    [2016-11-07 06:44:07] [info] [ 3236] Commons Daemon procrun finished

    Also, the names of the files changed in the Elasticsearch 5.0.0 package.
    🙂 I forgot to mention of course that the Java JDK is installed and added as the variable … JAVA_HOME

  4. chrisjleu says:

    Seems to be bin\elasticsearch-service and not bin\service – at least with version 5.1.1 of Elasticsearch

  5. Mr Stoner says:

    Thank you !

  6. tmueller says:

    I am stuck trying to start the service after I install version 5.2.0

    Here is what I get after trying to start it.

    [2017-02-08 16:08:49] [info] [ 5060] Service 'elasticsearch-service-x64' installed
    [2017-02-08 16:08:49] [info] [ 5060] Commons Daemon procrun finished
    [2017-02-08 16:08:58] [info] [ 5984] Commons Daemon procrun (1.0.15.0 64-bit) started
    [2017-02-08 16:08:58] [info] [ 5984] Running 'elasticsearch-service-x64' Service...
    [2017-02-08 16:08:59] [info] [ 3732] Starting service...

    This is what I have for my JAVA_HOME

    C:\Program Files\Java\jdk1.8.0_121

    Ideas why I can’t start the service?

  7. ppnimkar says:

    Excellent post! Thanks a lot

  8. Keith Sanks says:

    Trying to install the service manager I get the following error: "The specified service does not exist as an installed service. Unable to open the service 'elastic-service-mgr'". Please help, not sure what I'm doing wrong

  9. Budi Bong says:

    Does anyone know if the Logstash config file can use Windows environment variables? Pls help, thank you

  10. Daniel Holliday says:

    The first powershell line was incorrect for me. Instead of using “service” it should be “elasticsearch-service”.

  11. Yaronn says:

    Hello, I tried to install Kibana and Logstash as services with NSSM as you said in this tutorial. When I try to start them I have the following error (for both of them, just replace Kibana by Logstash in the first line):

    "Windows could not start the Kibana service on Local Computer.
    The service did not return an error.
    This may be an internal Windows error or an internal service error.
    If the problem persists contact your system administrator."
    (It may be something really similar, the error message is in French so I had to translate it)

    I have the latest version for both applications: 5.4.1 for Logstash and 5.4 for Kibana

    This is what I found in the Event Viewer of Windows:

    "Launch successful C:\Solution\ElasticSearch\Apps\logstash\bin\logstash.bat -f C:\Solution\ElasticSearch\Apps\logstash\cmisOCR.conf for the Logstash service from the C:\Solution\ElasticSearch\Apps\logstash\bin directory."

    "The C:\Solution\ElasticSearch\Apps\logstash\bin\logstash.bat program for the Logstash service stopped with return code 3221225794."

    "Interrupt the 8016 process and its child processes for the Logstash service. Return Code = 3221225794"

    "Forced process termination with PID 8016 (child process of the process with PID 8016) result of stopping the Logstash service."

    "The scheduled action for the Logstash service for the return code 3221225794 is: Restart. Attempting to restart C:\Solution\ElasticSearch\Apps\logstash\bin\logstash.bat."

    • Olivier M. says:

      Same problem here :/

      • Yaronn says:

        I found a solution : https://msdn.microsoft.com/en-us/magazine/mt703436.aspx

        If you know a bit of PowerShell it will be done in 5 min, else it's not that hard to install, you just have to read the tutorial.

        Here is an example: just put this line in the main function where it is said to write your "service" (here for Filebeat): cmd.exe /c "path/to/filebeat/filebeat.bat -e -c ../../path/to/filebeat/filebeat.yml"

        I did this for Kibana, Logstash and Filebeat (because the install-Filebeat-service didn't work for me…), and it works really well!

  12. Tom Atwood says:

    Great article. Any thoughts to having an article of how to properly secure the ELK stack in Windows (i.e. setup for forced HTTPS, etc.)?

  13. Paul says:

    Hello,
    I already followed the procedure for the ELK installation but I am having the error below when running Elasticsearch, and the Elasticsearch, Logstash and Kibana services are not running even when I start them.

    PS C:\Users\Administrator> Invoke-Expression -command "C:\ELK-Stack\elasticsearch\bin\service install"
    Installing service : "elasticsearch-service-x64"
    Using JAVA_HOME (64-bit): "C:\Program Files\Java\jdk1.8.0_92"
    Failed installing 'elasticsearch-service-x64' service

    THANKS!
