How can I install ELK Stack on CentOS 7 / Fedora 36/35/34/33?. “ELK” is the acronym for Elasticsearch, Logstash, and Kibana. A short description of these tools is covered in the next block.
- Elasticsearch: This is an open source, distributed, RESTful, JSON-based search engine. It is scalable, easy to use, and flexible
- Logstash : This is a server‑side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a “stash” like Elasticsearch.
- Kibana lets users visualize data with charts and graphs in Elasticsearch.
For RHEL 8, refer to:
Please follow our steps below to install and configure ELK stack tools on CentOS 7 / Fedora 36/35/34/33 Linux.
Step 1: Install Java / OpenJDK
As Elasticsearch depends on Java, you need to install Java on your CentOS 7 / Fedora system.
sudo yum -y install java-openjdk-devel java-openjdkConfirm installation by checking the version:
$ java -version
openjdk version "1.8.0_332"
OpenJDK Runtime Environment (build 1.8.0_332-b09)
OpenJDK 64-Bit Server VM (build 25.332-b09, mixed mode)Step 2: Add ELK repository
Once you have Java installed, add ELK stack repository which provides ELK stack packages.
For Elasticsearch 8.x
cat <For Elasticsearch 7.x
cat <For Elasticsearch 6.x
cat <After adding the repo, import GPG key:
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearchClear and update your YUM package index.
sudo yum clean all
sudo yum makecacheStep 3: Install and Configure Elasticsearch
Elasticsearch repository is ready for use. You can install Elasticsearch using the command below:
sudo yum -y install vim elasticsearchConfirm package installation.
$ rpm -qi elasticsearch
Name : elasticsearch
Epoch : 0
Version : 8.2.0
Release : 1
Architecture: x86_64
Install Date: Thu May 19 20:56:11 2022
Group : Application/Internet
Size : 1115332284
License : Elastic License
Signature : RSA/SHA512, Wed Apr 20 12:55:44 2022, Key ID d27d666cd88e42b4
Source RPM : elasticsearch-8.2.0-1-src.rpm
Build Date : Wed Apr 20 10:42:41 2022
Build Host : packer-virtualbox-iso-1646848364
Relocations : /usr
Packager : Elasticsearch
Vendor : Elasticsearch
URL : https://www.elastic.co/
....Elasticsearch 8
Take note of the generated security information:
--------------------------- Security autoconfiguration information ------------------------------
Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.
The generated password for the elastic built-in superuser is : tzV1Ju5fqnEy3B5+zc5G
If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token '
after creating an enrollment token on your existing cluster.
You can complete the following actions at any time:
Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.
Generate an enrollment token for Kibana instances with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.
Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.
------------------------------------------------------------------------------------------------- To set your own password for elastic user, use the commands below:
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -iYou can set JVM options like memory limits by editing the file: /etc/elasticsearch/jvm.options
sudo vi /etc/elasticsearch/jvm.optionsExample below sets initial/maximum size of total heap space
-Xms1g
-Xmx1gIf your system has less memory, you can configure it to use small megabytes of ram.
-Xms256m
-Xmx512mStart and enable elasticsearch service on boot:
$ sudo systemctl enable --now elasticsearch.service
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.Test to verify that it is working:
Elasticsearch 8:
$ sudo curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200
Enter host password for user 'elastic':
"name" : "cent7.novalocal",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "5GFmuAkwQ4Sxrrrg4G-b6A",
"version" :
"number" : "8.2.0",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "b174af62e8dd9f4ac4d25875e9381ffe2b9282c5",
"build_date" : "2022-04-20T10:35:10.180408517Z",
"build_snapshot" : false,
"lucene_version" : "9.1.0",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
,
"tagline" : "You Know, for Search"
Elasticsearch 7 and below
$ curl http://127.0.0.1:9200
"name" : "bBzN5Kg",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "LKyqXXSvRvCpX9QAwKlP2Q",
"version" :
"number" : "6.5.4",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "d2ef93d",
"build_date" : "2018-12-17T21:17:40.758843Z",
"build_snapshot" : false,
"lucene_version" : "7.5.0",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
,
"tagline" : "You Know, for Search"
Create a test index:
$ curl -X PUT "http://127.0.0.1:9200/mytest_index"
"acknowledged":true,"shards_acknowledged":true,"index":"mytest_index"Step 4: Install and Configure Kibana
Download and install Kibana from the added Elasticsearch repository.
sudo yum -y install kibanaAfter a successful installation, configure Kibana:
$ sudo vim /etc/kibana/kibana.yml
server.host: "0.0.0.0"
server.name: "kibana.example.com"Also set elasticsearch host
elasticsearch.hosts: ["http://localhost:9200"]Change other settings as desired then start kibana service:
sudo systemctl enable --now kibanaAccess http://ip-address:5601 to open Kibana Dashboard:
If you have an active firewall service, allow TCP port 5601
sudo firewall-cmd --add-port=5601/tcp --permanent
sudo firewall-cmd --reloadKibana 8 configurations
First generate enrollment token
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibanaOpen Kibana web console on http://serverip:5601 and paste generated token, then hit “Configure Elastic”
A verification code is generated. Run the command below to retrieve the code.
sudo /usr/share/kibana/bin/kibana-verification-codeType the code from command output
Wait for configuration of Kibana to complete before using it.
Authenticate with elastic as username and password configured earlier.
Step 5: Install and Configure Logstash
The last installation is for Logstash. It will act as a centralized logs server for your client systems which runs an agent like filebeat.
sudo yum -y install logstashLogstash custom configurations can be placed under the /etc/logstash/conf.d/directory.
Check Logstash Configuration manual for more details.
Step 6: Install other ELK tools – Bonus
Other ELK tools that can be installed include:
- Filebeat: Lightweight Shipper for Logs. It helps you keep the simple things simple by offering a lightweight way to forward and centralize logs and files
- Metricbeat: Collect metrics from your systems and services. From CPU to memory, Redis to NGINX, and much more, Metricbeat is a lightweight way to send system and service statistics.
- Packetbeat: Lightweight Shipper for Network Data
- Heartbeat: Lightweight Shipper for Uptime Monitoring. It helps you monitor services for their availability with active probing
- Auditbeat: Lightweight shipper that helps you audit the activities of users and processes on your systems
These tools can be installed with yum package manager using their respective names. The example below will install all ELK addon tools.
sudo yum install filebeat auditbeat metricbeat packetbeat heartbeat-elasticRefer to official ELK stack documentation and Resources and Training for each tool configuration and further reading.
