Checking Elastic Stack health across ingestion, indexing, and visualization layers reveals broken log pipelines before dashboards, alerts, and incident timelines lose fidelity.
Filebeat harvests log files and publishes events to Logstash or directly to Elasticsearch, where shard allocation and cluster state determine whether indexing stays available. Kibana depends on Elasticsearch and exposes a status API that summarizes core and plugin readiness.
Each component provides lightweight HTTP endpoints suitable for quick checks and monitoring polls, but access frequently requires authentication and TLS (especially on Elasticsearch 8.x). The local monitoring endpoints for Filebeat and Logstash can leak operational details if exposed beyond localhost, so bind and firewall them as internal-only interfaces.
Steps to check Elastic Stack health across Filebeat, Logstash, Elasticsearch, and Kibana:
- Check Elasticsearch cluster health.
    $ curl --silent --show-error --max-time 10 --user elastic:password --cacert /etc/elasticsearch/certs/http_ca.crt 'https://localhost:9200/_cluster/health?pretty'
    {
      "cluster_name" : "elastic-cluster",
      "status" : "green",
      "timed_out" : false,
      "number_of_nodes" : 3,
      "number_of_data_nodes" : 3,
      "active_primary_shards" : 128,
      "active_shards" : 256,
      "relocating_shards" : 0,
      "initializing_shards" : 0,
      "unassigned_shards" : 0,
      "delayed_unassigned_shards" : 0,
      "number_of_pending_tasks" : 0,
      "number_of_in_flight_fetch" : 0,
      "task_max_waiting_in_queue_millis" : 0,
      "active_shards_percent_as_number" : 100.0
    }
Status values: green means all primary and replica shards are assigned, yellow means one or more replicas are unassigned, and red means one or more primary shards are unassigned.
- List unassigned shards to locate allocation failures.
    $ curl --silent --show-error --max-time 10 --user elastic:password --cacert /etc/elasticsearch/certs/http_ca.crt 'https://localhost:9200/_cat/shards?v=true&h=index,shard,prirep,state,unassigned.reason,node'
    index                             shard prirep state      unassigned.reason node
    filebeat-8.11.1-2026.01.02-000001 0     p      STARTED    -                 es-data-01
    filebeat-8.11.1-2026.01.02-000001 0     r      STARTED    -                 es-data-02
    filebeat-8.11.1-2026.01.02-000001 1     p      STARTED    -                 es-data-02
    filebeat-8.11.1-2026.01.02-000001 1     r      UNASSIGNED CLUSTER_RECOVERED -
Prioritize UNASSIGNED primary shards (prirep = p) because indexing and search fail for affected indices.
- Check Logstash pipeline metrics.
    $ curl --silent --show-error --max-time 10 'http://localhost:9600/_node/stats/pipelines?pretty'
    {
      "host" : "logstash-host",
      "version" : "8.11.1",
      "http_address" : "127.0.0.1:9600",
      "id" : "b5f3e7e9-9c21-4a18-a35f-7a4c5d2a4a0b",
      "pipelines" : {
        "main" : {
          "events" : {
            "in" : 245102,
            "filtered" : 245102,
            "out" : 245102,
            "duration_in_millis" : 1287345,
            "queue_push_duration_in_millis" : 48210
          },
          "reloads" : {
            "successes" : 3,
            "failures" : 0
          },
          "queue" : {
            "type" : "memory",
            "events_count" : 0
          }
        }
      }
    }
events.in and events.out increasing together indicates steady throughput; a growing queue.events_count or stalled events.out indicates backpressure toward outputs such as Elasticsearch.
Exposing the Logstash monitoring API beyond localhost reveals pipeline metadata and event rates; restrict bind address and firewall access.
- Check Filebeat runtime stats from the HTTP endpoint.
    $ curl --silent --show-error --max-time 10 http://localhost:5066/stats
    {
      "beat": {
        "info": {
          "name": "filebeat-host",
          "version": "8.11.1",
          "uptime": { "ms": 913245 }
        },
        "runtime": { "goroutines": 52 }
      },
      "libbeat": {
        "pipeline": {
          "events": {
            "published": 18492,
            "filtered": 18492,
            "dropped": 0,
            "retry": 0,
            "total": 18492
          }
        },
        "output": {
          "type": "elasticsearch",
          "events": {
            "acked": 18492,
            "active": 0,
            "batches": 92,
            "total": 18492
          }
        }
      },
      "filebeat": {
        "events": { "added": 18492, "done": 18492 },
        "harvester": { "running": 4, "open_files": 4 }
      }
    }
A rising libbeat.output.events.acked with libbeat.pipeline.events.dropped near 0 indicates successful publishing to the configured output.
Exposing the Filebeat HTTP endpoint beyond localhost leaks internal metrics and can aid attackers; restrict bind address and firewall access.
- Check Kibana status API.
    $ curl --silent --show-error --max-time 10 --user elastic:password http://localhost:5601/api/status
    {
      "overall" : {
        "level" : "available",
        "summary" : "All services are available",
        "since" : "2026-01-02T09:35:12.123Z"
      }
    }
overall.level typically reports available, degraded, or unavailable to reflect overall Kibana readiness.
- Confirm end-to-end ingestion by querying the newest event in an expected index pattern.
    $ curl --silent --show-error --max-time 10 --user elastic:password --cacert /etc/elasticsearch/certs/http_ca.crt \
        --request POST 'https://localhost:9200/filebeat-*/_search?pretty' \
        --header 'Content-Type: application/json' \
        --data '{"size":1,"sort":[{"@timestamp":"desc"}]}'
    {
      "hits" : {
        "total" : {
          "value" : 152398,
          "relation" : "eq"
        },
        "hits" : [
          {
            "_index" : "filebeat-8.11.1-2026.01.02-000001",
            "_source" : {
              "@timestamp" : "2026-01-02T09:41:17.392Z"
    ##### snipped #####
            }
          }
        ]
      }
    }
Replace filebeat-* with the index pattern used by the pipeline output, such as logs-* or a custom index name.
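The interpretation rules from the steps above can be applied automatically to two consecutive polls of each endpoint. The following is an added example, not part of the original guide; the function names (evaluate, ls, fb, demo), the 300-second lag threshold, and the sample values are assumptions constructed from the response shapes shown on this page.

```python
from datetime import datetime, timezone

def evaluate(cluster, cat_text, ls_prev, ls_now, fb_prev, fb_now, kibana, newest, now, max_lag=300):
    """Compare two polls of each endpoint; return (severity, message) findings."""
    out = []
    sev = {"green": None, "yellow": "warning", "red": "critical"}[cluster["status"]]
    if sev:
        out.append((sev, f"cluster status {cluster['status']}"))
    for row in (line.split() for line in cat_text.strip().splitlines()[1:]):
        if len(row) >= 5 and row[3] == "UNASSIGNED":  # index shard prirep state reason [node]
            out.append(("critical" if row[2] == "p" else "warning",
                        f"{row[0]}[{row[1]}] {row[2]} unassigned ({row[4]})"))
    for name, cur in ls_now["pipelines"].items():
        old = ls_prev["pipelines"].get(name, cur)
        stalled = (cur["events"]["in"] > old["events"]["in"]
                   and cur["events"]["out"] <= old["events"]["out"])
        if stalled or cur["queue"]["events_count"] > old["queue"]["events_count"]:
            out.append(("warning", f"logstash pipeline {name}: backpressure"))
    old, cur = fb_prev["libbeat"], fb_now["libbeat"]
    if cur["pipeline"]["events"]["dropped"] > old["pipeline"]["events"]["dropped"]:
        out.append(("warning", "filebeat is dropping events"))
    if (cur["pipeline"]["events"]["total"] > old["pipeline"]["events"]["total"]
            and cur["output"]["events"]["acked"] <= old["output"]["events"]["acked"]):
        out.append(("warning", "filebeat output is not acknowledging events"))
    if kibana["overall"]["level"] != "available":
        out.append(("warning", f"kibana is {kibana['overall']['level']}"))
    lag = (now - datetime.fromisoformat(newest.replace("Z", "+00:00"))).total_seconds()
    if lag > max_lag:  # newest indexed event is older than the assumed threshold
        out.append(("critical", f"newest event is {int(lag)}s old"))
    return out

# Constructed sample data, shaped like the responses shown on this page.
CAT = """index shard prirep state unassigned.reason node
filebeat-8.11.1-2026.01.02-000001 0 p STARTED - es-data-01
filebeat-8.11.1-2026.01.02-000001 1 r UNASSIGNED CLUSTER_RECOVERED -
"""
def ls(i, o, q):
    return {"pipelines": {"main": {"events": {"in": i, "out": o}, "queue": {"events_count": q}}}}
def fb(total, acked, dropped):
    return {"libbeat": {"pipeline": {"events": {"total": total, "dropped": dropped}},
                        "output": {"events": {"acked": acked}}}}
def demo():
    return evaluate({"status": "yellow"}, CAT, ls(245102, 245102, 0), ls(246000, 245102, 40),
                    fb(18492, 18492, 0), fb(18600, 18600, 0), {"overall": {"level": "available"}},
                    "2026-01-02T09:41:17.392Z", datetime(2026, 1, 2, 9, 42, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Counters such as events.out and acked only mean something as a difference between two polls, which is why each Logstash and Filebeat check takes a previous and a current sample.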
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
