How to install Logstash on Ubuntu or Debian

Installing Logstash on Ubuntu or Debian adds a service-managed event pipeline for collecting, transforming, and routing logs before they land in Elasticsearch, queues, or other downstream systems. Using the packaged install also keeps upgrades, restarts, and failure recovery aligned with the host's normal systemd workflow.

The current Elastic DEB package installs Logstash under /usr/share/logstash, keeps settings in /etc/logstash, stores pipeline definitions through /etc/logstash/conf.d and /etc/logstash/pipelines.yml, writes runtime data to /var/lib/logstash, writes service logs to /var/log/logstash, and includes a bundled JDK. The packaged service runs as logstash.service, and the local monitoring API normally answers on 127.0.0.1 within the default 9600-9700 range.

Elastic splits the APT repository by major version, so current package installs use the 9.x track and a dedicated keyring file such as /usr/share/keyrings/elastic-keyring.gpg. Package installation does not start Logstash automatically or create a working ingest pipeline, and Elastic's support matrix still matters for older distro releases, so unsupported Ubuntu or Debian versions may need an earlier stack line or a different install method. Initial checks are best kept on localhost so the monitoring API does not expose host or version details more broadly than necessary.

1. Import the Elastic signing key into a dedicated APT keyring.

   $ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg

   No command output usually means the keyring file was written successfully. Using a keyring file keeps the setup on the current supported path instead of the deprecated apt-key workflow.

2. Install apt-transport-https if the host still lacks HTTPS APT transport support.

   $ sudo apt-get install apt-transport-https
   Reading package lists... Done
   Building dependency tree... Done
   Reading state information... Done
   apt-transport-https is already the newest version.

   Current Ubuntu releases already include HTTPS APT transport support, so this step is most relevant on older or minimal Debian systems.

3. Save the official Elastic APT repository definition.

   $ echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/9.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-9.x.list
   deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/9.x/apt stable main

   Use a single deb entry written directly to the file. Elastic warns against add-apt-repository here because it also adds a deb-src line, but this repository does not publish source packages.

4. Refresh the local APT package index.

   $ sudo apt-get update
   Get:1 https://artifacts.elastic.co/packages/9.x/apt stable InRelease [3249 B]
   Get:2 https://artifacts.elastic.co/packages/9.x/apt stable/main amd64 Packages [152 kB]
   ##### snipped #####
   Reading package lists... Done

   The architecture label in the package list line reflects the local host, such as amd64 or arm64.

5. Confirm APT can see the current Logstash package before installing it.

   $ apt-cache policy logstash
   logstash:
     Installed: (none)
     Candidate: 1:9.3.2-1
     Version table:
        1:9.3.2-1 500
           500 https://artifacts.elastic.co/packages/9.x/apt stable/main amd64 Packages

   The exact candidate version changes as Elastic publishes new 9.x releases, but the repository path remains 9.x until the next major series.

6. Install the Logstash package.

   $ sudo apt-get install logstash
   ##### snipped #####
   Setting up logstash (1:9.3.2-1) ...

   The package creates /etc/logstash, /var/lib/logstash, /var/log/logstash, and the packaged systemd unit as part of the install.

7. Confirm the installed Logstash version.

   $ /usr/share/logstash/bin/logstash --version
   logstash 9.3.2

   The bundled JDK under /usr/share/logstash/jdk is part of the packaged install, so a separate Java package is not usually required.

8. Enable and start the Logstash service.

   $ sudo systemctl enable --now logstash.service
   Created symlink /etc/systemd/system/multi-user.target.wants/logstash.service -> /lib/systemd/system/logstash.service.

   Package installation does not start the service automatically.

   Related: How to manage the Logstash service with systemctl in Linux

9. Verify the service is running.

   $ sudo systemctl status logstash.service --no-pager --lines=0
   ● logstash.service - logstash
        Loaded: loaded (/lib/systemd/system/logstash.service; enabled; preset: enabled)
        Active: active (running) since Wed 2026-04-08 00:31:57 UTC; 8s ago
      Main PID: 22164 (java)
   ##### snipped #####

   

   Some merged-usr hosts show the packaged unit path as /usr/lib/systemd/system/logstash.service instead, but the service name remains logstash.service.

   Related: How to manage the Logstash service with systemctl in Linux

10. Confirm the monitoring API is responding.

    $ curl -s http://127.0.0.1:9600/?pretty
    {
      "host" : "logstash-01",
      "version" : "9.3.2",
      "http_address" : "127.0.0.1:9600",
      "status" : "green"
    }

    Current package installs bind the API to 127.0.0.1 by default, and api.http.port uses the 9600-9700 range if 9600 is already in use.

    Expose the monitoring API only behind a firewall or explicit reverse-proxy controls, because it reveals host and version details that are not needed on public interfaces.

    Related: How to configure Logstash pipelines