How to Perform ELK Server Backup, Restore, and Recovery (Elasticsearch 7.17.x)
Introduction
This guide explains how to restore an ELK (Elasticsearch, Logstash, Kibana) stack from backup in a clean, structured, and production-safe manner. It is written as a Disaster Recovery (DR) runbook for system administrators who operate ELK in production environments.
Prerequisites
- Ubuntu 20.04 / 22.04 server (recommended)
- Root or sudo access
- Internet access (for package installation)
- AWS S3 access (for backup restore)
- Same major ELK version (7.17.x)
Backup Scope
Included in Backup
1. Elasticsearch data (/var/lib/elasticsearch)
2. Elasticsearch configuration
3. Logstash pipelines & config
4. Kibana configuration
5. Nginx configuration
Not Included
1. Operating system
2. Installed system packages
3. Java runtime
4. System users and permissions
5. Kernel or OS-level tuning
Step 1:
Update the System and Install Java
Update system repositories:
$ apt update
Install Java (required for ELK tools):
$ apt install openjdk-11-jdk -y
$ java -version
Step 2:
Install Elasticsearch (Same Version)
Add Elastic repository:
$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg
$ echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
$ sudo apt update
$ apt install elasticsearch=7.17.0 -y
$ /usr/share/elasticsearch/bin/elasticsearch --version
Step 3:
Install Logstash
$ apt install logstash -y
$ /usr/share/logstash/bin/logstash --version
Step 4:
Install Kibana
$ apt install kibana -y
$ /usr/share/kibana/bin/kibana --version
Step 5:
Stop All Services Before Restore
$ systemctl stop elasticsearch
$ systemctl stop logstash
$ systemctl stop kibana
$ systemctl stop nginx
Step 6:
Restore Backup from S3
Install AWS CLI
$ apt install awscli -y
$ aws configure
Download Backup Files
$ mkdir -p /restore
$ aws s3 sync s3:///elk-backup/ /restore/
Step 7:
Restore Elasticsearch Data (Critical Step)
Backup Empty Directory (Safety)
$ mv /var/lib/elasticsearch /var/lib/elasticsearch.empty
Restore Data
Never start Elasticsearch before restoring data.
$ cp -a /restore/var/lib/elasticsearch /var/lib/
$ chown -R elasticsearch:elasticsearch /var/lib/elasticsearch
$ chmod -R 750 /var/lib/elasticsearch
Step 8:
Restore Configuration Files
$ cp -a /restore/etc/elasticsearch/* /etc/elasticsearch/
$ cp -a /restore/etc/logstash/* /etc/logstash/
$ cp -a /restore/etc/kibana/* /etc/kibana/
$ cp -a /restore/etc/nginx/* /etc/nginx/
Fix permissions:
$ chown -R elasticsearch:elasticsearch /etc/elasticsearch
$ chown -R logstash:logstash /etc/logstash
$ chown -R kibana:kibana /etc/kibana
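Before moving on to Step 9, it is worth checking three things the procedure relies on but never verifies: that the installed Elasticsearch, Logstash and Kibana packages share the same major.minor version (Step 2 pins Elasticsearch to 7.17.0 while Steps 3 and 4 install whatever 7.17.x the repository currently serves), that the synced backup actually contains the paths the cp -a commands expect, and that the restored data directory ended up owned by elasticsearch with no world-accessible entries. The script below is an added example, not part of the original guide; it assumes the S3 sync produced a tree under /restore that mirrors the host filesystem (/restore/etc/elasticsearch/elasticsearch.yml, /restore/var/lib/elasticsearch/nodes, and so on), and the self-check at the bottom runs against a small tree it constructs in a temporary directory rather than against the live host.

```shell
#!/bin/sh
# Pre-start checks for the restore procedure (added example, not the guide's own script).
# Assumption: /restore mirrors the host layout, as the cp -a commands in Steps 7 and 8 imply.

# major.minor of a version string: 7.17.0 -> 7.17
minor_of() { printf '%s\n' "$1" | cut -d. -f1,2; }

# True when two non-empty version strings share major.minor (7.17.0 and 7.17.9 do; 7.16.3 does not).
same_minor() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$(minor_of "$1")" = "$(minor_of "$2")" ]
}

# Paths (relative to the restore root) that Steps 7 and 8 copy; assumed layout, adjust to your backup.
REQUIRED_PATHS="var/lib/elasticsearch/nodes etc/elasticsearch/elasticsearch.yml etc/logstash/logstash.yml etc/kibana/kibana.yml etc/nginx/nginx.conf"

# Report every expected path that is missing; succeed only when none is.
check_restore_tree() {
  root=$1; missing=0
  for p in $REQUIRED_PATHS; do
    if [ ! -e "$root/$p" ]; then
      echo "missing: $root/$p" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Succeed when every entry under dir is owned by user and nothing is readable, writable or
# executable by 'other' (the state chown -R / chmod -R 750 in Step 7 is meant to produce).
data_dir_locked_down() {
  dir=$1; user=$2
  id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
  bad=$(find "$dir" \( ! -user "$user" -o -perm /007 \) -print | head -n 1)
  [ -z "$bad" ] || { echo "bad owner or mode: $bad" >&2; return 1; }
}

# Constructed sample restore tree used by the self-check below (not real backup data).
build_sample_restore_tree() {
  root=$1
  mkdir -p "$root/var/lib/elasticsearch/nodes/0" "$root/etc/elasticsearch" \
           "$root/etc/logstash" "$root/etc/kibana" "$root/etc/nginx"
  : > "$root/var/lib/elasticsearch/nodes/0/node.lock"
  echo "cluster.name: restored" > "$root/etc/elasticsearch/elasticsearch.yml"
  : > "$root/etc/logstash/logstash.yml"
  : > "$root/etc/kibana/kibana.yml"
  : > "$root/etc/nginx/nginx.conf"
  chmod -R 750 "$root/var/lib/elasticsearch"
}

# Checks against the real host; call this after Step 8 on the server (not run by the self-check).
preflight_live() {
  es=$(dpkg-query -W -f='${Version}' elasticsearch 2>/dev/null)
  kb=$(dpkg-query -W -f='${Version}' kibana 2>/dev/null)
  ls=$(dpkg-query -W -f='${Version}' logstash 2>/dev/null)
  if ! same_minor "$es" "$kb" || ! same_minor "$es" "$ls"; then
    echo "version mismatch: elasticsearch=$es kibana=$kb logstash=$ls" >&2
    return 1
  fi
  check_restore_tree /restore || return 1
  data_dir_locked_down /var/lib/elasticsearch elasticsearch
}

# Self-check on the constructed tree (uses the current user in place of 'elasticsearch').
tmp=$(mktemp -d)
build_sample_restore_tree "$tmp"
check_restore_tree "$tmp" && echo "restore tree: ok"
data_dir_locked_down "$tmp/var/lib/elasticsearch" "$(id -un)" && echo "data dir owner/mode: ok"
same_minor 7.17.0 7.17.9 && echo "7.17.0 vs 7.17.9: same minor"
same_minor 7.17.0 7.16.3 || echo "7.17.0 vs 7.16.3: mismatch (expected)"
rm -rf "$tmp"
```

On the server, run `preflight_live` after Step 8 and only proceed to Step 9 when it exits 0; a version mismatch is cheaper to fix before Elasticsearch has touched the restored data directory than after.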
Step 9:
Start Elasticsearch
$ systemctl start elasticsearch
$ journalctl -u elasticsearch -f
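Watching the journal tells you the process came up, not that the restored indices are actually usable. The added example below (not part of the original guide) polls the cluster health API and decides when it is safe to continue to Step 10. It assumes Elasticsearch listens on the default http://localhost:9200 with no authentication configured, as the guide's own curl commands do. One caveat it encodes: on a single-node restore the cluster normally settles at "yellow" rather than "green", because every replica shard has no second node to live on; "yellow" is therefore accepted only when the node count is 1, while "red" (unassigned primaries, i.e. missing data) always fails. The SAMPLE_HEALTH document is a constructed response in the shape of GET /_cluster/health, not output captured from a real cluster.

```shell
#!/bin/sh
# Post-start health gate for the restore (added example, not the guide's own script).
# Assumes Elasticsearch on http://localhost:9200 without authentication.

# Constructed sample of a GET /_cluster/health response from a single-node restore.
SAMPLE_HEALTH='{"cluster_name":"elasticsearch","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":12,"active_shards":12,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":12,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"active_shards_percent_as_number":50.0}'

# Extract one scalar field from a flat JSON object; enough for _cluster/health, not a general parser.
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# green: all shards assigned. yellow: primaries assigned, replicas not; acceptable only on one node.
# red (or anything unexpected): primaries missing, the restore is not usable.
restore_health_ok() {
  status=$(json_field "$1" status)
  nodes=$(json_field "$1" number_of_nodes)
  case $status in
    green)  return 0 ;;
    yellow) [ "${nodes:-0}" -eq 1 ] ;;
    *)      return 1 ;;
  esac
}

# Poll the live cluster for up to 60 seconds (12 x 5 s); run this on the server, not in the self-check.
wait_for_restore() {
  i=0
  while [ "$i" -lt 12 ]; do
    body=$(curl -s http://localhost:9200/_cluster/health) && restore_health_ok "$body" && return 0
    i=$((i + 1)); sleep 5
  done
  echo "cluster did not reach a usable state: $body" >&2
  return 1
}

# Self-check against the constructed sample.
echo "status=$(json_field "$SAMPLE_HEALTH" status) nodes=$(json_field "$SAMPLE_HEALTH" number_of_nodes) unassigned=$(json_field "$SAMPLE_HEALTH" unassigned_shards)"
restore_health_ok "$SAMPLE_HEALTH" && echo "single-node yellow: acceptable"
restore_health_ok '{"status":"red","number_of_nodes":1}' || echo "red: rejected (expected)"
```

Call `wait_for_restore` after `systemctl start elasticsearch` and start Kibana only when it returns 0; if it reports "red", stop and compare the restored /var/lib/elasticsearch against the backup before going further, since a red status means primary shards are missing rather than merely unreplicated.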
Step 10:
Start Kibana
$ systemctl restart kibana
$ journalctl -u kibana -f
Verify:
$ ss -lntp | grep 5601
$ curl http://localhost:5601
Step 11:
Start Remaining Services
$ systemctl start logstash
$ systemctl start nginx
$ systemctl status logstash kibana nginx
Step 12:
Verify Kibana UI
http://111.123.123.11:5601