Elastic Stack (ELK)
What is Elastic Stack (ELK)?
Elastic Stack (ELK): A log analytics platform from Elastic N.V. (originally open source, now source-available) combining Elasticsearch, Logstash, Kibana, and Beats for ingesting, indexing, searching, and visualizing security and operational logs at scale.
The Elastic Stack, historically called ELK, is a suite developed by Elastic N.V. centered on Elasticsearch (a distributed, Lucene-based search and analytics engine that stores JSON documents in indices and data streams), Logstash (a server-side ingestion pipeline that parses and enriches events before indexing), Kibana (visualization, dashboarding, and the Elastic Security UI), and Beats (lightweight shippers such as Filebeat, Winlogbeat, and Auditbeat). Shippers and Logstash normalize events to the Elastic Common Schema (ECS), so a failed SSH login and a failed Windows logon both arrive as event.category:authentication with event.outcome:failure and can be searched, correlated, and alerted on with one query. In January 2021 (version 7.11) Elastic moved the core from Apache 2.0 to a dual Elastic License 2.0 / SSPL model, and in 2024 added AGPLv3 as a further option; AWS forked the last Apache 2.0 release (7.10) as the OpenSearch project. Security teams use the stack as a SIEM through Elastic Security, which adds prebuilt detection rules (KQL and EQL query, threshold, indicator-match, and machine-learning rule types, with MITRE ATT&CK mappings), the Elastic Agent for collection, endpoint protection via Elastic Defend (from the 2019 Endgame acquisition), and case management and response orchestration via Elastic Cases and its third-party connectors. Wazuh, Security Onion, and many MDR providers are built on the Elastic or OpenSearch line.
● Examples
- 01
Shipping Windows event logs with Winlogbeat to Elasticsearch and triggering Elastic Security detection rules.
- 02
Using Kibana Lens to build a dashboard of failed SSH logins per country.
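Worked example added by the editor (not Elastic's own code) that ties the description above to both examples: it normalizes constructed sshd auth.log lines into ECS-shaped documents the way Filebeat's system module does, serializes them as the NDJSON body Elasticsearch's _bulk API expects, and then applies the logic of an Elastic Security threshold rule (failed authentications grouped by source.ip) offline, next to the equivalent aggregation query. The data stream name, the log year, and the threshold value are assumptions.

```python
"""Added example (not part of Elastic's code): sshd auth.log -> ECS documents ->
_bulk NDJSON -> threshold detection. Sample log lines are constructed."""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  4 10:15:03 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  4 10:15:04 bastion sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2
Mar  4 10:15:06 bastion sshd[2217]: Accepted publickey for alice from 198.51.100.20 port 40222 ssh2: ED25519 SHA256:abc
Mar  4 10:15:09 bastion sshd[2219]: Failed password for bob from 198.51.100.21 port 40300 ssh2
Mar  4 10:15:10 bastion CRON[2220]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches sshd login outcome lines; anything else (cron, sudo, ...) is skipped.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

# Assumed data stream name (Elastic Agent's system integration uses this pattern).
INDEX = "logs-system.auth-default"
# Syslog timestamps carry no year, so a shipper has to assume one; assumed here.
LOG_YEAR = 2024


def to_ecs(line: str, year: int = LOG_YEAR):
    """Normalise one sshd line into an ECS-style document, or None if it is not a login event."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    failed = m["outcome"] == "Failed"
    return {
        "@timestamp": ts.isoformat(),
        "event": {
            "kind": "event",
            "category": ["authentication"],
            "type": ["start"],
            "action": "ssh_login",
            "outcome": "failure" if failed else "success",
            "dataset": "system.auth",
        },
        "host": {"name": m["host"]},
        "process": {"name": "sshd", "pid": int(m["pid"])},
        "user": {"name": m["user"]},
        "source": {"ip": m["ip"], "port": int(m["port"])},
        "message": line,
    }


def parse_auth_log(text: str):
    """All login events in a block of auth.log text, in file order."""
    return [d for d in (to_ecs(ln) for ln in text.splitlines()) if d]


def bulk_body(docs, index: str = INDEX) -> str:
    """NDJSON body for POST /_bulk; data streams only accept the 'create' action."""
    out = []
    for d in docs:
        out.append(json.dumps({"create": {"_index": index}}))
        out.append(json.dumps(d))
    return "\n".join(out) + "\n"


# KQL a detection rule would use; because the fields are ECS, it also covers Windows 4625 events.
RULE_KQL = "event.category:authentication and event.outcome:failure"


def threshold_query(threshold: int, window: str = "now-5m"):
    """Equivalent Elasticsearch DSL: a terms aggregation on source.ip with min_doc_count."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event.category": "authentication"}},
            {"term": {"event.outcome": "failure"}},
            {"range": {"@timestamp": {"gte": window}}},
        ]}},
        "aggs": {"by_source": {"terms": {"field": "source.ip", "min_doc_count": threshold}}},
    }


def threshold_alerts(docs, threshold: int = 3):
    """Offline equivalent of a threshold rule: count failures per source.ip, alert at >= threshold."""
    counts = Counter(
        d["source"]["ip"] for d in docs
        if "authentication" in d["event"]["category"] and d["event"]["outcome"] == "failure"
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    print(bulk_body(events[:1]), end="")
    print(json.dumps(threshold_query(3)))
    print("alerts:", threshold_alerts(events))
```

On the constructed input, 203.0.113.7 trips the threshold with three failures while the single failure from 198.51.100.21 and the successful key login do not. The value of ECS is visible in RULE_KQL: the same rule fires on Winlogbeat's 4625 events once they carry the same event.category and event.outcome fields, which is why Elastic's prebuilt rules are written against ECS rather than against per-source field names.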
● Frequently asked questions
What is Elastic Stack (ELK)?
A log analytics platform from Elastic N.V. (originally open source, now source-available) combining Elasticsearch, Logstash, Kibana, and Beats for ingesting, indexing, searching, and visualizing security and operational logs at scale. It belongs to the Defense & Operations category of cybersecurity.
What does Elastic Stack (ELK) mean?
A log analytics platform from Elastic N.V. (originally open source, now source-available) combining Elasticsearch, Logstash, Kibana, and Beats for ingesting, indexing, searching, and visualizing security and operational logs at scale.
How does Elastic Stack (ELK) work?
The Elastic Stack, historically called ELK, is a suite developed by Elastic N.V. centered on Elasticsearch (a distributed, Lucene-based search and analytics engine that stores JSON documents in indices and data streams), Logstash (a server-side ingestion pipeline that parses and enriches events before indexing), Kibana (visualization, dashboarding, and the Elastic Security UI), and Beats (lightweight shippers such as Filebeat, Winlogbeat, and Auditbeat). Shippers and Logstash normalize events to the Elastic Common Schema (ECS), so a failed SSH login and a failed Windows logon both arrive as event.category:authentication with event.outcome:failure and can be searched, correlated, and alerted on with one query. In January 2021 (version 7.11) Elastic moved the core from Apache 2.0 to a dual Elastic License 2.0 / SSPL model, and in 2024 added AGPLv3 as a further option; AWS forked the last Apache 2.0 release (7.10) as the OpenSearch project. Security teams use the stack as a SIEM through Elastic Security, which adds prebuilt detection rules (KQL and EQL query, threshold, indicator-match, and machine-learning rule types, with MITRE ATT&CK mappings), the Elastic Agent for collection, endpoint protection via Elastic Defend (from the 2019 Endgame acquisition), and case management and response orchestration via Elastic Cases and its third-party connectors. Wazuh, Security Onion, and many MDR providers are built on the Elastic or OpenSearch line.
How do you secure an Elastic Stack deployment?
The stack is a defensive tool, but an unprotected cluster is itself a high-value target: before version 8.0 its security features were off by default, and Elasticsearch nodes reachable on TCP/9200 without authentication have been behind many large data leaks. Keep xpack.security.enabled set to true (the 8.x default), enable TLS on both the HTTP (9200) and transport (9300) layers, bind nodes to private interfaces and put Kibana behind SSO or an authenticating reverse proxy, use role-based access control and narrowly scoped API keys for shippers instead of the elastic superuser, turn on Elasticsearch audit logging where the license allows it, and keep Elasticsearch, Kibana, and Logstash patched. Treat the log store as sensitive data in its own right: it holds hostnames, usernames, occasionally credentials, and the detection rules an attacker would most like to read.
What are other names for Elastic Stack (ELK)?
Common alternative names include: ELK, ELK Stack, Elastic SIEM.
● Related terms
- defense-ops№ 1039
SIEM
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- defense-ops№ 1225
Wazuh
An open-source XDR and SIEM platform — a 2015 fork of OSSEC — that unifies endpoint, cloud, and container telemetry with built-in dashboards on the Wazuh Indexer and Dashboard.
- defense-ops№ 997
Security Onion
A free, open-source Linux distribution for threat hunting, network security monitoring, and log management, created by Doug Burks and maintained by Security Onion Solutions.
- forensics-ir№ 627
Log Analysis
The systematic review of system, application, and security logs to detect, investigate, and reconstruct security-relevant events.
- defense-ops№ 1080
Splunk Enterprise Security
A commercial SIEM solution from Splunk Inc. (acquired by Cisco in 2024) that ingests, indexes, and correlates machine data using the Splunk Processing Language (SPL) for security monitoring and investigation.
- defense-ops№ 1062
SOAR
A platform that automates and orchestrates SOC workflows by chaining detections, enrichments and response actions into playbooks executed across security tools.