Installing Logstash on Ubuntu or Debian adds a flexible event-processing pipeline for parsing, enriching, and routing logs to destinations such as Elasticsearch, message queues, or flat files.
Logstash is distributed as a package from the official Elastic APT repository, installing a systemd service and the core runtime under /usr/share/logstash with configuration under /etc/logstash (including /etc/logstash/conf.d and /etc/logstash/pipelines.yml). A built-in monitoring API is exposed over HTTP on port 9600 for basic health and version checks.
A running Logstash service does not automatically ship data until at least one pipeline input/output is configured, so installation is typically followed by pipeline configuration and a service restart. Logstash runs on the JVM, so memory usage can be significant on smaller systems, and keeping the monitoring API bound to 127.0.0.1 avoids leaking host/version details beyond the local machine.
Steps to install Logstash on Ubuntu or Debian:
- Store the Elastic signing key in a dedicated APT keyring.
$ curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor --yes -o /usr/share/keyrings/elastic.gpg
Keyring-based signing avoids the deprecated apt-key workflow.
- Create the Elastic APT repository list file for the 8.x packages.
$ echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main
- Refresh APT package metadata.
$ sudo apt update
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
Hit:1 https://artifacts.elastic.co/packages/8.x/apt stable InRelease
Hit:2 http://ports.ubuntu.com/ubuntu-ports noble InRelease
Hit:3 http://ports.ubuntu.com/ubuntu-ports noble-updates InRelease
Hit:4 http://ports.ubuntu.com/ubuntu-ports noble-backports InRelease
Hit:5 http://ports.ubuntu.com/ubuntu-ports noble-security InRelease
Reading package lists...
Building dependency tree...
Reading state information...
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
- Install the Logstash package.
$ sudo apt install --assume-yes logstash
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
Reading package lists...
Building dependency tree...
Reading state information...
logstash is already the newest version (1:8.19.9-1).
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
- Enable the Logstash service to start automatically at boot.
$ sudo systemctl enable logstash
Created symlink /etc/systemd/system/multi-user.target.wants/logstash.service → /usr/lib/systemd/system/logstash.service.
- Start the Logstash service.
$ sudo systemctl start logstash
- Verify the service is running and not restarting.
$ sudo systemctl status logstash --no-pager
● logstash.service - logstash
     Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: enabled)
     Active: active (running) since Wed 2026-01-07 04:23:00 UTC; 24min ago
##### snipped #####
- Confirm the monitoring API is responding on 9600.
$ curl -s http://127.0.0.1:9600/?pretty
{
  "host" : "host",
  "version" : "8.19.9",
  "http_address" : "127.0.0.1:9600",
  "id" : "3723b694-8264-4225-a32b-a201e0fcb5dc",
  "name" : "0.0.0.0",
  "ephemeral_id" : "89fbf22c-3cce-44b0-a124-7c12c3089764",
  "snapshot" : false,
  "status" : "green",
  "pipeline" : {
    "workers" : 10,
    "batch_size" : 125,
    "batch_delay" : 50
  },
  "build_date" : "2025-12-10T14:02:50+00:00",
  "build_sha" : "19f7f492af390443f29a825dd737fc7599a9576f",
  "build_snapshot" : false
}
Exposing the monitoring API on a public interface can leak host and version details; keep it bound to 127.0.0.1 or restrict access with a firewall.
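To confirm at the socket level that the monitoring API stays on loopback, the listener table can be checked instead of trusting the API's own response. The script below is an added example, not part of the original guide: the function name check_api_binding and the sample lines are constructed for illustration, and it assumes input in the format printed by ss -H -ltn.

```shell
#!/bin/sh
# Added example: classify listeners on the Logstash monitoring API port.
# Input on stdin: lines as printed by `ss -H -ltn`
#   (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
# Exit status: 0 = loopback only, 1 = non-loopback listener, 2 = no listener.

API_PORT="${API_PORT:-9600}"   # port from this page; override if changed

check_api_binding() {   # hypothetical helper name
    awk -v port="$API_PORT" '
        $1 == "LISTEN" {
            local_addr = $4
            # Split at the last colon, since IPv6 addresses contain colons.
            pos = match(local_addr, /:[0-9]+$/)
            if (pos == 0) next
            addr = substr(local_addr, 1, pos - 1)
            if (substr(local_addr, pos + 1) != port) next
            found = 1
            gsub(/^\[|\]$/, "", addr)   # strip IPv6 brackets
            sub(/%.*$/, "", addr)       # strip interface scope such as %lo
            sub(/^::ffff:/, "", addr)   # JVM sockets often show IPv4-mapped form
            if (addr ~ /^127\./ || addr == "::1") next
            exposed = 1
            print "exposed: " local_addr
        }
        END { exit (exposed ? 1 : (found ? 0 : 2)) }
    '
}

# Constructed sample input, not captured from a real host.
SAMPLE_LOOPBACK='LISTEN 0 4096 [::ffff:127.0.0.1]:9600 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 4096 *:9600 *:*'

# Demo on the samples; on a live host run: ss -H -ltn | check_api_binding
for sample in "$SAMPLE_LOOPBACK" "$SAMPLE_EXPOSED"; do
    printf '%s\n' "$sample" | check_api_binding && echo "loopback only" || echo "status $?"
done
```

A status of 2 means nothing is listening on the port at all, which usually indicates the service has not finished starting or has failed.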
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
