get-started-elastic-stack.html

<!DOCTYPE html>
<html lang="en-us">
  <head>
    
<meta charset="UTF-8">
<title>Getting started with the Elastic Stack | Getting Started [7.4] | Elastic</title>
<meta class="elastic" name="content" content="Getting started with the Elastic Stack | Getting Started [7.4]">

<link rel="home" href="index.html" title="Getting Started [7.4]"/>
<link rel="up" href="index.html" title="Getting Started [7.4]"/>
<link rel="prev" href="index.html" title="Getting Started [7.4]"/>
<link rel="next" href="get-started-docker.html" title="Running the Elastic Stack on Docker"/>
<meta class="elastic" name="product_version" content="7.4"/>
<meta class="elastic" name="product_name" content="Elastic Stack"/>
<meta class="elastic" name="website_area" content="documentation"/>
<meta name="DC.type" content="Learn/Docs/Elastic Stack/Getting started/7.4"/>
<meta name="DC.subject" content="Elastic Stack"/>
<meta name="DC.identifier" content="7.4"/>
<meta name="robots" content="noindex,nofollow"/>

    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <script src="https://cdn.optimizely.com/js/18132920325.js"></script>
    <link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
    <link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
    <link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
    <link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
    <link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
    <link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
    <link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
    <link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
    <link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
    <link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
    <link rel="manifest" href="/manifest.json">
    <meta name="apple-mobile-web-app-title" content="Elastic">
    <meta name="application-name" content="Elastic">
    <meta name="msapplication-TileColor" content="#ffffff">
    <meta name="msapplication-TileImage" content="/mstile-144x144.png">
    <meta name="theme-color" content="#ffffff">
    <meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd" />
    <meta name="yandex-verification" content="d8a47e95d0972434" />
    <meta name="localized" content="true" />
    <meta name="st:robots" content="follow,index" />
    <meta property="og:image" content="https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/blt280217a63b82a734/6202d3378b1f312528798412/elastic-logo.svg" />
    <meta property="og:image:width" content="500" />
    <meta property="og:image:height" content="172" />
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
    <link rel="icon" href="/favicon.ico" type="image/x-icon">
    <link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
    <link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
    <link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
    <link rel="stylesheet" type="text/css" href="/guide/static/styles-v1.css" />
  </head>

  <!--© 2015-2025 Elasticsearch B.V. -->
  <!-- All Elastic documentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. -->
  <!-- http://creativecommons.org/licenses/by-nc-nd/4.0/ -->

  <body>
    <!-- Google Tag Manager -->
    <script>dataLayer = [];</script><noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
    <!-- End Google Tag Manager -->

    <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      gtag('config', 'UA-12395217-16');
    </script>

    <!-- Google Tag Manager for GA4 -->
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-KNJMG2M');</script>
    <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KNJMG2M" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <!-- End Google Tag Manager for GA4-->

    <div id='elastic-nav' style="display:none;"></div>
    <script src='https://www.elastic.co/elastic-nav.js'></script>

    <div class="main-container">
      <section id="content" >
        <div class="content-wrapper">

          <section id="guide" lang="en">
            <div class="container-fluid">
              <div class="row pb-3">
                <div class="col-12 order-2 col-md-4 order-md-1 col-lg-3 h-almost-full-md sticky-top-md" id="left_col">
                  <!-- The TOC is appended here -->
                </div>

                <div class="col-12 order-1 col-md-8 order-md-2 col-lg-7 order-lg-2 guide-section" id="middle_col">
                  <!-- start body -->
                  
<div class="page_header">
<p>
  <strong>IMPORTANT</strong>: Version 7.4 of the Elastic Stack has passed its 
  <a href="https://www.elastic.co/support/eol">maintenance date</a>. 
</p>  
<p>
  This documentation is no longer being updated. 
  For the latest information, see the 
  <a href="../current/index.html">current release documentation</a>. 
</p>
</div>
<div class="navheader">
<span class="prev">
</span>
<span class="next">
<a href="get-started-docker.html">Running the Elastic Stack on Docker »</a>
</span>
</div>
<div class="book" lang="en">
<div class="titlepage">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="/guide/">Elastic Docs</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="index.html">Getting Started [7.4]</a></span>
</div>
<div>
<div><h1 class="title"><a id="id-1"></a>Getting started with the Elastic Stack</h1><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
</div>
<!--EXTRA-->
</div>
<div id="content">
<div id="url-to-v3" class="version-warning">
    <strong>IMPORTANT</strong>: This documentation is no longer updated. Refer to <a href="https://www.elastic.co/support/eol">Elastic's version policy</a> and the <a href="https://www.elastic.co/docs">latest documentation</a>.
</div>
<div class="chapter">
<div class="titlepage"><div><div>
<div class="position-relative"><h2 class="title"><a id="get-started-elastic-stack"></a>Getting started with the Elastic Stack</h2><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
</div></div></div>
<p>Looking for an Elastic Stack ("ELK") guide that shows how to set up the Elastic Stack and
get up and running quickly? You&#8217;re on the right place! First you install the
core products:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<a class="xref" href="get-started-elastic-stack.html#install-elasticsearch" title="Install Elasticsearch">Elasticsearch</a>
</li>
<li class="listitem">
<a class="xref" href="get-started-elastic-stack.html#install-kibana" title="Install Kibana">Kibana</a>
</li>
<li class="listitem">
<a class="xref" href="get-started-elastic-stack.html#install-beats" title="Install Beats">Beats</a>
</li>
<li class="listitem">
<a class="xref" href="get-started-elastic-stack.html#install-logstash" title="Install Logstash (optional)">Logstash (optional)</a>
</li>
</ul>
</div>
<p>Then you learn how to implement a system monitoring solution that uses
Metricbeat to collect server metrics and ship the data to Elasticsearch, where you can
search and visualize the data by using Kibana. After you get the basic setup
working, you add Logstash for additional parsing.</p>
<p>To get started, you can install the Elastic Stack on a single VM or even on your
laptop.</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<p>Implementing security is a critical step in setting up the Elastic Stack.
To get up and running quickly with a sample installation, you skip those steps
right now. Before sending sensitive data across the network, make sure you
<a href="/guide/en/elasticsearch/reference/7.4/elasticsearch-security.html" class="ulink" target="_top">secure the Elastic Stack</a> and enable
<a href="/guide/en/elasticsearch/reference/7.4/encrypting-communications.html" class="ulink" target="_top">encrypted communications</a>.</p>
</div>
</div>
<div class="position-relative"><h3><a id="install-prereqs"></a>Before you begin</h3><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
See the <a href="/support/matrix" class="ulink" target="_top">Elastic Support
Matrix</a> for information about supported operating systems and product
compatibility.
</li>
<li class="listitem">
Verify that your system meets the
<a href="/support/matrix#matrix_jvm" class="ulink" target="_top">minimum JVM requirements</a> for
Logstash and Elasticsearch.
</li>
</ul>
</div>
<div class="position-relative"><h3><a id="install-elasticsearch"></a>Install Elasticsearch</h3><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p><a href="/products/elasticsearch" class="ulink" target="_top">Elasticsearch</a> is a real-time,
distributed storage, search, and analytics engine. It can be used for many
purposes, but one context where it excels is indexing streams of semi-structured
data, such as logs or decoded network packets.</p>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>You can run Elasticsearch on your own hardware, or use our
<a href="/cloud/elasticsearch-service" class="ulink" target="_top">hosted Elasticsearch Service</a>
on Elastic Cloud. The Elasticsearch Service is available on both AWS and GCP.
<a href="https://cloud.elastic.co/registration?page=docs&amp;placement=docs-body" class="ulink" target="_top">Try out the
Elasticsearch Service for free</a>.</p>
</div>
</div>
<p>To download and install Elasticsearch, open a terminal window and use the commands that
work with your system (<a class="xref" href="get-started-elastic-stack.html#deb">deb</a> for Debian/Ubuntu, <a class="xref" href="get-started-elastic-stack.html#rpm">rpm</a> for
Redhat/Centos/Fedora, <a class="xref" href="get-started-elastic-stack.html#mac">mac</a> or <a class="xref" href="get-started-elastic-stack.html#brew">brew</a> for OS X, <a class="xref" href="get-started-elastic-stack.html#linux">linux</a>
for Linux, and <a class="xref" href="get-started-elastic-stack.html#win">win</a> for Windows):</p>
<p><a id="deb"></a><span class="strong strong"><strong>deb:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.2-amd64.deb
sudo dpkg -i elasticsearch-7.4.2-amd64.deb
sudo /etc/init.d/elasticsearch start</pre>
</div>
<p><a id="rpm"></a><span class="strong strong"><strong>rpm:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.2-x86_64.rpm
sudo rpm -i elasticsearch-7.4.2-x86_64.rpm
sudo service elasticsearch start</pre>
</div>
<p><a id="mac"></a><span class="strong strong"><strong>mac:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.2-darwin-x86_64.tar.gz
tar -xzvf elasticsearch-7.4.2-darwin-x86_64.tar.gz
cd elasticsearch-7.4.2
./bin/elasticsearch</pre>
</div>
<p><a id="brew"></a><span class="strong strong"><strong>brew:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">brew tap elastic/tap
brew install elastic/tap/elasticsearch-full
elasticsearch</pre>
</div>
<p><a id="linux"></a><span class="strong strong"><strong>linux:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.2-linux-x86_64.tar.gz
tar -xzvf elasticsearch-7.4.2-linux-x86_64.tar.gz
cd elasticsearch-7.4.2
./bin/elasticsearch</pre>
</div>
<p><a id="win"></a><span class="strong strong"><strong>win:</strong></span></p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Download the Elasticsearch 7.4.2 Windows zip file from the
<a href="/downloads/elasticsearch" class="ulink" target="_top">Elasticsearch download</a> page.
</li>
<li class="listitem">
Extract the contents of the zip file to a directory on your computer, for
example, <code class="literal">C:\Program Files</code>.
</li>
<li class="listitem">
<p>Open a command prompt as an Administrator and navigate to the directory that
contains the extracted files, for example:</p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">cd C:\Program Files\elasticsearch-7.4.2</pre>
</div>
</li>
<li class="listitem">
<p>Start Elasticsearch:</p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">bin\elasticsearch.bat</pre>
</div>
</li>
</ol>
</div>
<p>For other operating systems, go to the
<a href="/downloads/elasticsearch" class="ulink" target="_top">Elasticsearch download</a> page.</p>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>The default <a href="/guide/en/elasticsearch/reference/7.4/cluster.name.html" class="ulink" target="_top">cluster.name</a> and
<a href="/guide/en/elasticsearch/reference/7.4/node.name.html" class="ulink" target="_top">node.name</a> are <code class="literal">elasticsearch</code> and your hostname,
respectively. If you plan to keep using this cluster or add more nodes, it is a
good idea to change these default values to unique names. For details about
changing these and other settings in the <code class="literal">elasticsearch.yml</code> file, see
<a href="/guide/en/elasticsearch/reference/7.4/settings.html" class="ulink" target="_top">Configuring Elasticsearch</a>.</p>
</div>
</div>
<p>To learn more about installing, configuring, and running Elasticsearch, read the
<a href="/guide/en/elasticsearch/reference/current/index.html" class="ulink" target="_top">Elasticsearch Reference</a>.</p>
<div class="position-relative"><h4><a id="_make_sure_elasticsearch_is_up_and_running"></a>Make sure Elasticsearch is up and running</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p>To test that the Elasticsearch daemon is up and running, try sending an HTTP GET
request on port 9200.</p>
<div class="pre_wrapper lang-shell">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-shell">curl http://127.0.0.1:9200</pre>
</div>
<p>On Windows, if you don&#8217;t have cURL installed, point your browser to the URL.</p>
<p>You should see a response similar to this:</p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">{
  "name" : "QtI5dUu",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "DMXhqzzjTGqEtDlkaMOzlA",
  "version" : {
    "number" : "7.4.2",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "00d8bc1",
    "build_date" : "2018-06-06T16:48:02.249996Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}</pre>
</div>
<div class="position-relative"><h3><a id="install-kibana"></a>Install Kibana</h3><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p><a href="/products/kibana" class="ulink" target="_top">Kibana</a> is an open source analytics and
visualization platform designed to work with Elasticsearch. You use Kibana to search,
view, and interact with data stored in Elasticsearch indices. You can easily perform
advanced data analysis and visualize your data in a variety of charts, tables,
and maps.</p>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you are running our hosted Elasticsearch Service on <a href="/cloud" class="ulink" target="_top">Elastic Cloud</a>,
then <a href="/guide/en/cloud/current/ec-enable-kibana.html" class="ulink" target="_top">Kibana can be enabled</a> with the flick of a switch.</p>
</div>
</div>
<p>We recommend that you install Kibana on the same server as Elasticsearch,
but it is not required. If you install the products on different servers, you&#8217;ll
need to change the URL (IP:PORT) of the Elasticsearch server in the Kibana configuration
file, <code class="literal">kibana.yml</code>, before starting Kibana.</p>
<p>To download and install Kibana, open a terminal window and use the commands that
work with your system:</p>
<p><span class="strong strong"><strong>deb, rpm, or linux:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/kibana/kibana-7.4.2-linux-x86_64.tar.gz
tar xzvf kibana-7.4.2-linux-x86_64.tar.gz
cd kibana-7.4.2-linux-x86_64/
./bin/kibana</pre>
</div>
<p><span class="strong strong"><strong>mac:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/kibana/kibana-7.4.2-darwin-x86_64.tar.gz
tar xzvf kibana-7.4.2-darwin-x86_64.tar.gz
cd kibana-7.4.2-darwin-x86_64/
./bin/kibana</pre>
</div>
<p><span class="strong strong"><strong>brew:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">brew tap elastic/tap
brew install elastic/tap/kibana-full
kibana</pre>
</div>
<p><span class="strong strong"><strong>win:</strong></span></p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Download the Kibana 7.4.2 Windows zip file from the
<a href="/downloads/kibana" class="ulink" target="_top">Kibana download</a> page.
</li>
<li class="listitem">
Extract the contents of the zip file to a directory on your computer, for
example, <code class="literal">C:\Program Files</code>.
</li>
<li class="listitem">
<p>Open a command prompt as an Administrator and navigate to the directory that
contains the extracted files, for example:</p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">cd C:\Program Files\kibana-7.4.2-windows</pre>
</div>
</li>
<li class="listitem">
<p>Start Kibana:</p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">bin\kibana.bat</pre>
</div>
</li>
</ol>
</div>
<p>For other operating systems, go to the
<a href="/downloads/kibana" class="ulink" target="_top">Kibana download</a> page.</p>
<p>To learn more about installing, configuring, and running Kibana, read the
<a href="/guide/en/kibana/current/index.html" class="ulink" target="_top">Kibana Reference</a>.</p>
<div class="position-relative"><h4><a id="_launch_the_kibana_web_interface"></a>Launch the Kibana web interface</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p>To launch the Kibana web interface, point your browser to port 5601. For example,
<a href="http://127.0.0.1:5601" class="ulink" target="_top">http://127.0.0.1:5601</a>.</p>
<div class="position-relative"><h3><a id="install-beats"></a>Install Beats</h3><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p>The Beats are open source data shippers that you install as agents on your
servers to send operational data to Elasticsearch. Beats can send data directly to Elasticsearch
or via Logstash, where you can further process and enhance the data.</p>
<p>Each Beat is a separately installable product. In this guide, you learn how
to install and run Metricbeat with the <code class="literal">system</code> module enabled to collect system
metrics.</p>
<p>To learn more about installing and configuring other Beats, see the Getting
Started documentation:</p>
<div class="informaltable">
<table border="1" cellpadding="4px">
<colgroup>
<col class="col_1"/>
<col class="col_2"/>
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Elastic Beats</th>
<th align="left" valign="top">To capture</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p><a href="/guide/en/beats/auditbeat/7.4/auditbeat-getting-started.html" class="ulink" target="_top">Auditbeat</a></p></td>
<td align="left" valign="top"><p>Audit data</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><a href="/guide/en/beats/filebeat/7.4/filebeat-getting-started.html" class="ulink" target="_top">Filebeat</a></p></td>
<td align="left" valign="top"><p>Log files</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><a href="/guide/en/beats/functionbeat/7.4/functionbeat-getting-started.html" class="ulink" target="_top">Functionbeat</a></p></td>
<td align="left" valign="top"><p>Cloud data</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><a href="/guide/en/beats/heartbeat/7.4/heartbeat-getting-started.html" class="ulink" target="_top">Heartbeat</a></p></td>
<td align="left" valign="top"><p>Availability monitoring</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><a href="/guide/en/beats/journalbeat/7.4/journalbeat-getting-started.html" class="ulink" target="_top">Journalbeat</a></p></td>
<td align="left" valign="top"><p>Systemd journals</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><a href="/guide/en/beats/metricbeat/7.4/metricbeat-getting-started.html" class="ulink" target="_top">Metricbeat</a></p></td>
<td align="left" valign="top"><p>Metrics</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><a href="/guide/en/beats/packetbeat/7.4/packetbeat-getting-started.html" class="ulink" target="_top">Packetbeat</a></p></td>
<td align="left" valign="top"><p>Network traffic</p></td>
</tr>
<tr>
<td align="left" valign="top"><p><a href="/guide/en/beats/winlogbeat/7.4/winlogbeat-getting-started.html" class="ulink" target="_top">Winlogbeat</a></p></td>
<td align="left" valign="top"><p>Windows event logs</p></td>
</tr>
</tbody>
</table>
</div>
<div class="position-relative"><h4><a id="install-metricbeat"></a>Install Metricbeat</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p>To download and install Metricbeat, open a terminal window and use the commands
that work with your system:</p>
<p><span class="strong strong"><strong>deb:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.4.2-amd64.deb
sudo dpkg -i metricbeat-7.4.2-amd64.deb</pre>
</div>
<p><span class="strong strong"><strong>rpm:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.4.2-x86_64.rpm
sudo rpm -vi metricbeat-7.4.2-x86_64.rpm</pre>
</div>
<p><span class="strong strong"><strong>mac:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.4.2-darwin-x86_64.tar.gz
tar xzvf metricbeat-7.4.2-darwin-x86_64.tar.gz</pre>
</div>
<p><span class="strong strong"><strong>brew:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">brew tap elastic/tap
brew install elastic/tap/metricbeat-full</pre>
</div>
<p><span class="strong strong"><strong>linux:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.4.2-linux-x86_64.tar.gz
tar xzvf metricbeat-7.4.2-linux-x86_64.tar.gz</pre>
</div>
<p><span class="strong strong"><strong>win:</strong></span></p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Download the Metricbeat Windows zip file from the
<a href="/downloads/beats/metricbeat" class="ulink" target="_top">Metricbeat download</a> page.
</li>
<li class="listitem">
Extract the contents of the zip file into <code class="literal">C:\Program Files</code>.
</li>
<li class="listitem">
Rename the <code class="literal">metricbeat-7.4.2-windows</code> directory to <code class="literal">Metricbeat</code>.
</li>
<li class="listitem">
Open a PowerShell prompt as an Administrator (right-click the PowerShell icon
and select <span class="strong strong"><strong>Run As Administrator</strong></span>).
</li>
<li class="listitem">
<p>From the PowerShell prompt, run the following commands to install Metricbeat
as a Windows service:</p>
<div class="pre_wrapper lang-shell">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-shell">PS &gt; cd 'C:\Program Files\Metricbeat'
PS C:\Program Files\Metricbeat&gt; .\install-service-metricbeat.ps1</pre>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>If script execution is disabled on your system, set the execution policy
for the current session to allow the script to run. For example: <code class="literal">PowerShell.exe
-ExecutionPolicy UnRestricted -File .\install-service-metricbeat.ps1</code>.</p>
</div>
</div>
</li>
</ol>
</div>
<p>For other operating systems, go to the
<a href="/downloads/beats" class="ulink" target="_top">Beats download</a> page.</p>
<div class="position-relative"><h4><a id="ship-system-logs"></a>Ship system metrics to Elasticsearch</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p>Metricbeat provides pre-built modules that you can use to rapidly implement
and deploy a system monitoring solution, complete with sample dashboards and
data visualizations, in about 5 minutes.</p>
<p>In this section, you learn how to run the <code class="literal">system</code> module to collect metrics
from the operating system and services running on your server. The system module
collects system-level metrics, such as CPU usage, memory, file system, disk IO,
and network IO statistics, as well as top-like statistics for every process
running on your system.</p>
<p><span class="strong strong"><strong>Before you begin</strong></span>: Verify that Elasticsearch and Kibana are running and that Elasticsearch is
ready to receive data from Metricbeat.</p>
<p>To set up the <code class="literal">system</code> module and start collecting system metrics:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>From the Metricbeat install directory, enable the <code class="literal">system</code> module:</p>
<p><span class="strong strong"><strong>deb and rpm:</strong></span></p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">sudo metricbeat modules enable system</pre>
</div>
<p><span class="strong strong"><strong>mac and linux:</strong></span></p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">./metricbeat modules enable system</pre>
</div>
<p><span class="strong strong"><strong>brew:</strong></span></p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">metricbeat modules enable system</pre>
</div>
<p><span class="strong strong"><strong>win:</strong></span></p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">PS C:\Program Files\Metricbeat&gt; .\metricbeat.exe modules enable system</pre>
</div>
</li>
<li class="listitem">
<p>Set up the initial environment:</p>
<p><span class="strong strong"><strong>deb and rpm:</strong></span></p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">sudo metricbeat setup -e</pre>
</div>
<p><span class="strong strong"><strong>mac and linux:</strong></span></p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">./metricbeat setup -e</pre>
</div>
<p><span class="strong strong"><strong>brew:</strong></span></p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">metricbeat setup -e</pre>
</div>
<p><span class="strong strong"><strong>win:</strong></span></p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">PS C:\Program Files\Metricbeat&gt; metricbeat.exe setup -e</pre>
</div>
<p>The <code class="literal">setup</code> command loads the Kibana dashboards. If the dashboards are already
set up, omit this command. The <code class="literal">-e</code> flag is optional and sends output to
standard error instead of syslog.</p>
</li>
<li class="listitem">
<p><a id="gs-start-metricbeat"></a>Start Metricbeat:</p>
<p><span class="strong strong"><strong>deb and rpm:</strong></span></p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">sudo service metricbeat start</pre>
</div>
<p><span class="strong strong"><strong>mac and linux:</strong></span></p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">./metricbeat -e</pre>
</div>
<p><span class="strong strong"><strong>brew:</strong></span></p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">metricbeat -e</pre>
</div>
<p><span class="strong strong"><strong>win:</strong></span></p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">PS C:\Program Files\Metricbeat&gt; Start-Service metricbeat</pre>
</div>
</li>
</ol>
</div>
<p>Metricbeat runs and starts sending system metrics to Elasticsearch.</p>
<div class="position-relative"><h4><a id="visualize-system-metrics"></a>Visualize system metrics in Kibana</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p>To visualize system metrics, open your browser and navigate to the Metricbeat
system overview dashboard: <a href="http://localhost:5601/app/kibana#/dashboard/Metricbeat-system-overview-ecs" class="ulink" target="_top">http://localhost:5601/app/kibana#/dashboard/Metricbeat-system-overview-ecs</a></p>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you don’t see data in Kibana, try changing the date range to a larger
range. By default, Kibana shows the last 15 minutes. If you see errors, make
sure Metricbeat is running, then refresh the page.</p>
</div>
</div>
<div class="imageblock screenshot">
<div class="content">
<img src="images/metricbeat-system-overview.png" alt="Metricbeat system overview">
</div>
</div>
<p>Click <span class="strong strong"><strong>Host Overview</strong></span> to see detailed metrics about the selected host.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/metricbeat-system-host-details.png" alt="Metricbeat host overview">
</div>
</div>
<p>Now that you know how to set up the simplest architecture for the Elastic Stack&#8212;&#8203;one
or more Beats sending event data directly to an Elasticsearch instance running on the
same server&#8212;&#8203;let&#8217;s add Logstash.</p>
<div class="position-relative"><h3><a id="install-logstash"></a>Install Logstash (optional)</h3><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p><a href="/products/logstash" class="ulink" target="_top">Logstash</a> is a powerful tool that
integrates with a wide variety of deployments. It offers a large selection of
plugins to help you parse, enrich, transform, and buffer data from a variety of
sources. If your data requires additional processing that is not available in
Beats, then you need to add Logstash to your deployment.</p>
<p>To download and install Logstash, open a terminal window and use the commands that
work with your system:</p>
<p><span class="strong strong"><strong>deb:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/logstash/logstash-7.4.2.deb
sudo dpkg -i logstash-7.4.2.deb</pre>
</div>
<p><span class="strong strong"><strong>rpm:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/logstash/logstash-7.4.2.rpm
sudo rpm -i logstash-7.4.2.rpm</pre>
</div>
<p><span class="strong strong"><strong>mac and linux:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">curl -L -O https://artifacts.elastic.co/downloads/logstash/logstash-7.4.2.tar.gz
tar -xzvf logstash-7.4.2.tar.gz</pre>
</div>
<p><span class="strong strong"><strong>brew:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">brew tap elastic/tap
brew install elastic/tap/logstash-full</pre>
</div>
<p><span class="strong strong"><strong>win:</strong></span></p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Download the Logstash 7.4.2 Windows zip file from the
<a href="/downloads/logstash" class="ulink" target="_top">Logstash download</a> page.
</li>
<li class="listitem">
Extract the contents of the zip file to a directory on your computer, for
example, <code class="literal">C:\Program Files</code>. Use a short path (fewer than 30 characters) to
avoid running into file path length limitations on Windows.
</li>
</ol>
</div>
<p>For other operating systems, go to the
<a href="/downloads/logstash" class="ulink" target="_top">Logstash download</a> page.</p>
<p>To learn more about installing, configuring, and running Logstash, read the
<a href="/guide/en/logstash/7.4/index.html" class="ulink" target="_top">Logstash Reference</a>.</p>
<div class="position-relative"><h4><a id="logstash-setup"></a>Configure Logstash to listen for Beats input</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p>Logstash provides <a href="/guide/en/logstash/7.4/input-plugins.html" class="ulink" target="_top">input plugins</a> for reading from
a variety of inputs. In this guide, you create a Logstash pipeline configuration
that listens for Beats input and sends the received events to the Elasticsearch output.</p>
<p>To configure Logstash:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Create a new Logstash pipeline configuration file called <code class="literal">demo-metrics-pipeline.conf</code>.
If you installed Logstash as a deb or rpm package, create the file in the Logstash
<code class="literal">config</code> directory. The file must contain:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
An input stage that configures Logstash to listen on port 5044 for incoming Beats
connections.
</li>
<li class="listitem">
An output stage that indexes events into Elasticsearch. The output stage also
configures Logstash to write to the Metricbeat index.
</li>
</ul>
</div>
<p>For example:</p>
<div class="pre_wrapper lang-ruby">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-ruby">input {
  beats {
    port =&gt; 5044
  }
}

# The filter part of this file is commented out to indicate that it
# is optional.
# filter {
#
# }

output {
  elasticsearch {
    hosts =&gt; "localhost:9200"
    manage_template =&gt; false
    index =&gt; "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}</pre>
</div>
<p>When you start Logstash with this pipeline configuration, Beats events are routed
through Logstash, where you have full access to Logstash capabilities for collecting,
enriching, and transforming data.</p>
</li>
</ol>
</div>
<div class="position-relative"><h4><a id="gs-start-logstash"></a>Start Logstash</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p>Use the command that works with your system. If you installed Logstash as a deb or
rpm package, make sure the config file is in the <code class="literal">config</code> directory.
For other platforms, a <code class="literal">config</code> directory isn&#8217;t required, but it&#8217;s a best
practice to be consistent.</p>
<p><span class="strong strong"><strong>deb:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">sudo /etc/init.d/logstash start</pre>
</div>
<p><span class="strong strong"><strong>rpm:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">sudo service logstash start</pre>
</div>
<p><span class="strong strong"><strong>mac and linux:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">cd logstash-7.4.2
./bin/logstash -f path/to/config/demo-metrics-pipeline.conf</pre>
</div>
<p><span class="strong strong"><strong>brew:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">logstash -f path/to/config/demo-metrics-pipeline.conf</pre>
</div>
<p><span class="strong strong"><strong>win:</strong></span></p>
<div class="pre_wrapper lang-sh">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-sh">bin\logstash.bat -f path\to\config\demo-metrics-pipeline.conf</pre>
</div>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you receive JVM error messages, check your Java version as shown in
<a href="/guide/en/logstash/7.4/installing-logstash.html" class="ulink" target="_top">Installing Logstash</a>.</p>
</div>
</div>
<p>Logstash starts listening for events from the Beats input. Next you need to
configure Metricbeat to send events to Logstash.</p>
<div class="position-relative"><h4><a id="_configure_metricbeat_to_send_events_to_logstash"></a>Configure Metricbeat to send events to Logstash</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p>Metricbeat sends events to Elasticsearch by default. To send events to Logstash, modify the
Metricbeat configuration file, <code class="literal">metricbeat.yml</code>. You&#8217;ll find this file under
the Metricbeat install directory, <code class="literal">/etc/metricbeat</code> for rpm and deb, or
<code class="literal">/usr/local/etc/metricbeat</code> for brew.</p>
<p>Disable the <code class="literal">output.elasticsearch</code> section by commenting it out, then enable
the <code class="literal">output.logstash</code> section by uncommenting it:</p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
.
.
.
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]</pre>
</div>
<p>Save the file, then restart Metricbeat to apply the configuration changes.</p>
<p>Logstash reads from the Beats input and indexes events into Elasticsearch. You haven&#8217;t
defined a filter section yet, so Logstash simply forwards events to Elasticsearch without
additional processing. Next, you learn how to define the filter stage.</p>
<div class="position-relative"><h4><a id="logstash-filter"></a>Define a filter to extract data from a field</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p>The system metrics collected by Metricbeat include a field called <code class="literal">cmdline</code>
that contains the full command-line arguments used to start system processes.
For example:</p>
<div class="pre_wrapper lang-json">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-json">"cmdline": "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container -childID 3
-isForBrowser -boolPrefs 36:1|299:0| -stringPrefs 285:38;{b77ae304-9f53-a248-8bd4-a243dbf2cab1}| -schedulerPrefs
0001,2 -greomni /Applications/Firefox.app/Contents/Resources/omni.ja -appomni
/Applications/Firefox.app/Contents/Resources/browser/omni.ja -appdir
/Applications/Firefox.app/Contents/Resources/browser -profile
/Users/dedemorton/Library/Application Support/Firefox/Profiles/mftvzeod.default-1468353066634
99468 gecko-crash-server-pipe.99468 org.mozilla.machname.1911848630 tab"</pre>
</div>
<p>Rather than sending the whole command-line argument to Elasticsearch, you might want to
send just the command&#8217;s path. One way to do that is by using a Grok filter.
Learning Grok is beyond the scope of this getting started guide, but if you want
to learn more, see the
<a href="/guide/en/logstash/7.4/plugins-filters-grok.html" class="ulink" target="_top">Grok filter plugin</a> documentation.</p>
<p>To extract the path, add the following Grok filter between the input and output
sections in the Logstash config file that you created earlier:</p>
<div class="pre_wrapper lang-ruby">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-ruby">filter {
  if [system][process] {
    if [system][process][cmdline] {
      grok {
        match =&gt; { <a id="CO1-1"></a><i class="conum" data-value="1"></i>
          "[system][process][cmdline]" =&gt; "^%{PATH:[system][process][cmdline_path]}"
        }
        remove_field =&gt; "[system][process][cmdline]" <a id="CO1-2"></a><i class="conum" data-value="2"></i>
      }
    }
  }
}</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO1-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>Uses a pattern to match the path, then stores the path in a field called
<code class="literal">cmdline_path</code>.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO1-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>Removes the original field, <code class="literal">cmdline</code>, so it&#8217;s not indexed in Elasticsearch.</p>
</td>
</tr>
</table>
</div>
<p>When you&#8217;re done, the full configuration file should look like this:</p>
<div class="pre_wrapper lang-ruby">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-ruby">input {
  beats {
    port =&gt; 5044
  }
}

filter {
  if [system][process] {
    if [system][process][cmdline] {
      grok {
        match =&gt; {
          "[system][process][cmdline]" =&gt; "^%{PATH:[system][process][cmdline_path]}"
        }
        remove_field =&gt; "[system][process][cmdline]"
      }
    }
  }
}

output {
  elasticsearch {
    hosts =&gt; "localhost:9200"
    manage_template =&gt; false
    index =&gt; "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}</pre>
</div>
<p>Restart Logstash to pick up the changes. The event now includes a field called
<code class="literal">cmdline_path</code> that contains the command path:</p>
<div class="pre_wrapper lang-ruby">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-ruby">"cmdline_path": "/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container"</pre>
</div>
<div class="position-relative"><h4><a id="whats_next"></a>What&#8217;s next?</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/stack-docs/edit/7.4/docs/en/getting-started/get-started-stack.asciidoc">edit</a></div>
<p>Congratulations! You&#8217;ve successfully set up the Elastic Stack. You learned how to
stream system metrics to Elasticsearch and visualize the data in Kibana. You also learned
how to use Logstash to filter events collected by Metricbeat.</p>
<p>Next, you&#8217;ll want to set up the Elastic Stack security features and activate your
trial license so you can unlock the full capabilities of the Elastic Stack. To learn
how, read:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<a href="/guide/en/elasticsearch/reference/7.4/elasticsearch-security.html" class="ulink" target="_top">Securing the Elastic Stack</a>
</li>
<li class="listitem">
<a href="/guide/en/elastic-stack-overview/7.4/license-management.html" class="ulink" target="_top">License Management</a>
</li>
</ul>
</div>
<p>Want to get up and running quickly with infrastructure metrics monitoring and
centralized log analytics? Try out the
<a href="/guide/en/infrastructure/guide/7.4/infrastructure-ui-overview.html" class="ulink" target="_top">Infrastructure</a> and
<a href="/guide/en/infrastructure/guide/7.4/logs-ui-overview.html" class="ulink" target="_top">Logs</a> UIs
in Kibana. For setup details, see the <a href="/guide/en/infrastructure/guide/7.4/index.html" class="ulink" target="_top">Infrastructure
Monitoring Guide</a>.</p>
<p>Later, when you&#8217;re ready to set up a production environment, also see the
<a href="/guide/en/elastic-stack/7.4/installing-elastic-stack.html" class="ulink" target="_top">Elastic Stack Installation and Upgrade
Guide</a>.</p>
</div>
</div>
</div><div class="navfooter">
<span class="prev">
</span>
<span class="next">
<a href="get-started-docker.html">Running the Elastic Stack on Docker »</a>
</span>
</div>

                  <!-- end body -->
                </div>

                <div class="col-12 order-3 col-lg-2 order-lg-3 h-almost-full-lg sticky-top-lg" id="right_col">
                  <div id="sticky_content">
                    <!-- The OTP is appended here -->
                    <div class="row">
                      <div class="col-0 col-md-4 col-lg-0" id="bottom_left_col"></div>
                      <div class="col-12 col-md-8 col-lg-12">
                        <div id="rtpcontainer">
                          <div class="mktg-promo" id="most-popular">
                            <p class="aside-heading">Most Popular</p>
                            <div class="pb-2">
                              <p class="media-type">Video</p>
                              <a href="https://www.elastic.co/webinars/getting-started-elasticsearch?page=docs&placement=top-video">
                                <p class="mb-0">Get Started with Elasticsearch</p>
                              </a>
                            </div>
                            <div class="pb-2">
                              <p class="media-type">Video</p>
                              <a href="https://www.elastic.co/webinars/getting-started-kibana?page=docs&placement=top-video">
                                <p class="mb-0">Intro to Kibana</p>
                              </a>
                            </div>
                            <div class="pb-2">
                              <p class="media-type">Video</p>
                              <a href="https://www.elastic.co/webinars/introduction-elk-stack?page=docs&placement=top-video">
                                <p class="mb-0">ELK for Logs & Metrics</p>
                              </a>
                            </div>
                          </div>
                        </div>

                        <!-- Feedback widget -->
                        <div id="feedbackWidgetContainer"></div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </section>

        </div>


        <div id='elastic-footer'></div>
        <script src='https://www.elastic.co/elastic-footer.js'></script>
        <!-- Footer Section end-->

      </section>
    </div>

    <!-- Feedback modal -->
    <div id="feedbackModalContainer"></div>

    <script src="/guide/static/jquery.js"></script>
    <script type="text/javascript" src="/guide/static/docs-v1.js"></script>
    <script type="text/javascript">
  window.initial_state = {}</script>
  </body>
</html>