Install ELK Stack on CentOS 7 / Fedora 36/35/34/33

Posted on 29 views

How can I install ELK Stack on CentOS 7 / Fedora 36/35/34/33?. “ELK” is the acronym for Elasticsearch, Logstash, and Kibana. A short description of these tools is covered in the next block.

  • Elasticsearch: This is an open source, distributed, RESTful, JSON-based search engine. It is scalable, easy to use, and flexible
  • Logstash : This is a server‑side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a “stash” like Elasticsearch.
  • Kibana lets users visualize data with charts and graphs in Elasticsearch.

For RHEL 8, refer to:

Please follow our steps below to install and configure ELK stack tools on CentOS 7 / Fedora 36/35/34/33 Linux.

Step 1: Install Java / OpenJDK

As Elasticsearch depends on Java, you need to install Java on your CentOS 7 / Fedora system.

sudo yum -y install java-openjdk-devel java-openjdk

Confirm installation by checking the version:

$ java -version
openjdk version "1.8.0_332"
OpenJDK Runtime Environment (build 1.8.0_332-b09)
OpenJDK 64-Bit Server VM (build 25.332-b09, mixed mode)

Step 2: Add ELK repository

Once you have Java installed, add ELK stack repository which provides ELK stack packages.

For Elasticsearch 8.x

cat <

For Elasticsearch 7.x

cat <

For Elasticsearch 6.x

cat <

After adding the repo, import GPG key:

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Clear and update your YUM package index.

sudo yum clean all
sudo yum makecache

Step 3: Install and Configure Elasticsearch

Elasticsearch repository is ready for use. You can install Elasticsearch using the command below:

sudo yum -y install vim elasticsearch

Confirm package installation.

$ rpm -qi elasticsearch
Name        : elasticsearch
Epoch       : 0
Version     : 8.2.0
Release     : 1
Architecture: x86_64
Install Date: Thu May 19 20:56:11 2022
Group       : Application/Internet
Size        : 1115332284
License     : Elastic License
Signature   : RSA/SHA512, Wed Apr 20 12:55:44 2022, Key ID d27d666cd88e42b4
Source RPM  : elasticsearch-8.2.0-1-src.rpm
Build Date  : Wed Apr 20 10:42:41 2022
Build Host  : packer-virtualbox-iso-1646848364
Relocations : /usr
Packager    : Elasticsearch
Vendor      : Elasticsearch
URL         : https://www.elastic.co/
....

Elasticsearch 8

Take note of the generated security information:

--------------------------- Security autoconfiguration information ------------------------------

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : tzV1Ju5fqnEy3B5+zc5G

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token '
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with
 '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.

-------------------------------------------------------------------------------------------------

To set your own password for elastic user, use the commands below:

sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i

You can set JVM options like memory limits by editing the file: /etc/elasticsearch/jvm.options

sudo vi /etc/elasticsearch/jvm.options

Example below sets initial/maximum size of total heap space

-Xms1g
-Xmx1g

If your system has less memory, you can configure it to use small megabytes of ram.

-Xms256m
-Xmx512m

Start and enable elasticsearch service on boot:

$ sudo systemctl enable --now elasticsearch.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.

Test to verify that it is working:

Elasticsearch 8:

$ sudo curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200
Enter host password for user 'elastic':

  "name" : "cent7.novalocal",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "5GFmuAkwQ4Sxrrrg4G-b6A",
  "version" : 
    "number" : "8.2.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "b174af62e8dd9f4ac4d25875e9381ffe2b9282c5",
    "build_date" : "2022-04-20T10:35:10.180408517Z",
    "build_snapshot" : false,
    "lucene_version" : "9.1.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  ,
  "tagline" : "You Know, for Search"

Elasticsearch 7 and below

$ curl http://127.0.0.1:9200 
 
   "name" : "bBzN5Kg",
   "cluster_name" : "elasticsearch",
   "cluster_uuid" : "LKyqXXSvRvCpX9QAwKlP2Q",
   "version" : 
     "number" : "6.5.4",
     "build_flavor" : "default",
     "build_type" : "rpm",
     "build_hash" : "d2ef93d",
     "build_date" : "2018-12-17T21:17:40.758843Z",
     "build_snapshot" : false,
     "lucene_version" : "7.5.0",
     "minimum_wire_compatibility_version" : "5.6.0",
     "minimum_index_compatibility_version" : "5.0.0"
   ,
   "tagline" : "You Know, for Search"
 

Create a test index:

$ curl -X PUT "http://127.0.0.1:9200/mytest_index"
"acknowledged":true,"shards_acknowledged":true,"index":"mytest_index"

Step 4: Install and Configure Kibana

Download and install Kibana from the added Elasticsearch repository.

sudo yum -y install kibana

After a successful installation, configure Kibana:

$ sudo vim /etc/kibana/kibana.yml
server.host: "0.0.0.0"
server.name: "kibana.example.com"

Also set elasticsearch host

elasticsearch.hosts: ["http://localhost:9200"]

Change other settings as desired then start kibana service:

sudo systemctl enable --now kibana

Access http://ip-address:5601 to open Kibana Dashboard:

elasticsearch-kibana-centos7-min-1024x372

If you have an active firewall service, allow TCP port 5601

sudo firewall-cmd --add-port=5601/tcp --permanent
sudo firewall-cmd --reload

Kibana 8 configurations

First generate enrollment token

sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

Open Kibana web console on http://serverip:5601 and paste generated token, then hit “Configure Elastic”

elasticsearch-kibana-01-1024x788

A verification code is generated. Run the command below to retrieve the code.

sudo /usr/share/kibana/bin/kibana-verification-code

Type the code from command output

elasticsearch-kibana-02-1024x613

Wait for configuration of Kibana to complete before using it.

elasticsearch-kibana-03-1024x664

Authenticate with elastic as username and password configured earlier.

elasticsearch-kibana-03-1024x664

Step 5: Install and Configure Logstash

The last installation is for Logstash. It will act as a centralized logs server for your client systems which runs an agent like filebeat.

sudo yum -y install logstash

Logstash custom configurations can be placed under the /etc/logstash/conf.d/directory.

Check Logstash Configuration manual for more details.

Step 6: Install other ELK tools – Bonus

Other ELK tools that can be installed include:

  • Filebeat: Lightweight Shipper for Logs. It helps you keep the simple things simple by offering a lightweight way to forward and centralize logs and files
  • Metricbeat: Collect metrics from your systems and services. From CPU to memory, Redis to NGINX, and much more, Metricbeat is a lightweight way to send system and service statistics.
  • Packetbeat: Lightweight Shipper for Network Data
  • Heartbeat: Lightweight Shipper for Uptime Monitoring. It helps you monitor services for their availability with active probing
  • Auditbeat: Lightweight shipper that helps you audit the activities of users and processes on your systems

These tools can be installed with yum package manager using their respective names. The example below will install all ELK addon tools.

sudo yum install filebeat auditbeat metricbeat packetbeat heartbeat-elastic

Refer to official ELK stack documentation and Resources and Training for each tool configuration and further reading.

coffee

Gravatar Image
A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.