Install ELK Stack - Introduction
Welcome to this guide, where we demonstrate how to deploy the ELK stack on Rocky Linux 8. ELK is an acronym for three open source projects that together form a complete log collection, search and visualization stack.
The stack comprises the following components:
- Elasticsearch - The search and analytics engine that stores, indexes and queries the logs.
- Logstash - The pipeline that receives, parses and transforms logs so that they can be indexed by Elasticsearch.
- Kibana - The web interface that serves as the front-end of the entire stack. It provides dashboards where you can visualize the data indexed by Elasticsearch.
We also have Beats, lightweight shippers that send different kinds of logs and metrics to Elasticsearch, either directly or through Logstash. Some of them are:
- Filebeat
- Metricbeat
- Winlogbeat
Lab Environment and Pre-requisites
This guide discusses how to set up an ELK stack on Rocky Linux 8. Below are the minimum requirements that must be in place before you can set up your stack.
- Rocky Linux 8 instance
- OpenJDK
- 2 CPU cores
- 4 GB RAM
- root user level access
Step-1: Install Elasticsearch
Follow the steps below to install ELK on Rocky Linux 8.
Install OpenJDK
Install Java Development Kit on Rocky Linux 8.
sudo dnf -y install java-openjdk-devel java-openjdk
Install Elasticsearch 7.x
To install Elasticsearch, we need to configure the repository on Rocky Linux 8. Run the command below to achieve that:
cat <<EOF | sudo tee /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
Import the GPG key for Elasticsearch
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Update system cache:
sudo dnf clean all
sudo dnf makecache
Then install Elasticsearch 7.x on Rocky Linux 8:
[vic@rocky ~]$ sudo dnf -y install elasticsearch
Verify the installed version of Elasticsearch:
[vic@rocky ~]$ sudo rpm -qi elasticsearch
Sample Output:
Configure Elasticsearch
Set a descriptive cluster name for Elasticsearch. Uncomment the network.host option and set it to the IP address of your Elasticsearch host only if you are building a multi-node cluster or other hosts need to reach the node; otherwise leave it commented so that the node stays bound to localhost, which is the default.
$ sudo vim /etc/elasticsearch/elasticsearch.yml
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: my-elk-cluster
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 172.29.10.15
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
Start and enable the Elasticsearch service through systemd:
sudo systemctl enable --now elasticsearch.service
Verify that the service has started successfully:
[vic@rocky ~]$ systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-09-09 21:38:27 EAT; 7s ago
     Docs: https://www.elastic.co
 Main PID: 52063 (java)
    Tasks: 66 (limit: 6001)
   Memory: 642.5M
   CGroup: /system.slice/elasticsearch.service
           ├─52063 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encodi>
           └─52228 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Sep 09 21:37:59 rocky systemd[1]: Starting Elasticsearch...
Sep 09 21:38:27 rocky systemd[1]: Started Elasticsearch.
Confirm that the service is up and reachable through cURL.
[vic@rocky ~]$ curl http://127.0.0.1:9200
Sample Output:
You can also send an explicit HTTP GET request, which should return the same node name, cluster name and version information:
[vic@rocky ~]$ curl -X GET "localhost:9200"
Sample Output:
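The two cURL calls above only show that the node answers. As an added example (not part of the original guide), the script below turns that check into something a practitioner can rely on: it parses the root endpoint and /_cluster/health, compares the reported cluster name and major version with what the guide configured, and treats a red cluster as a failure. The two JSON bodies are constructed to match the shape of a 7.x node; the URL is the guide's 127.0.0.1:9200.

```python
"""Readiness check for the Elasticsearch node installed above.
Added example, not from the guide; sample responses are constructed."""
import json
import urllib.request

ES_URL = "http://127.0.0.1:9200"   # same host/port as the guide's curl check

# Constructed sample of what `curl http://127.0.0.1:9200` returns on 7.x
SAMPLE_ROOT = json.dumps({
    "name": "rocky",
    "cluster_name": "my-elk-cluster",
    "version": {"number": "7.14.1", "build_flavor": "default"},
    "tagline": "You Know, for Search",
})

# Constructed sample of GET /_cluster/health for a single-node cluster
SAMPLE_HEALTH = json.dumps({
    "cluster_name": "my-elk-cluster",
    "status": "green",
    "number_of_nodes": 1,
    "unassigned_shards": 0,
})


def parse_root_info(body):
    """Return the fields worth checking from the root endpoint: node name,
    cluster name and version string.  Raises ValueError on a non-ES reply."""
    data = json.loads(body)
    if "cluster_name" not in data or "version" not in data:
        raise ValueError("response is not from an Elasticsearch root endpoint")
    return {
        "node": data.get("name"),
        "cluster": data["cluster_name"],
        "version": data["version"]["number"],
    }


def check_cluster(root_body, health_body,
                  expected_cluster="my-elk-cluster", expected_major=7):
    """Compare what the node reports against what the guide configured.
    Returns a list of readable problems; an empty list means all checks passed."""
    problems = []
    info = parse_root_info(root_body)
    if info["cluster"] != expected_cluster:
        problems.append(f"cluster.name is {info['cluster']!r}, expected {expected_cluster!r}")
    major = int(info["version"].split(".")[0])
    if major != expected_major:
        problems.append(f"Elasticsearch major version {major}, expected {expected_major}")
    health = json.loads(health_body)
    # 'red' means at least one primary shard is unassigned; 'yellow' is normal
    # on a single node because replica shards have nowhere to go.
    if health.get("status") not in ("green", "yellow"):
        problems.append(f"cluster health is {health.get('status')!r}")
    return problems


def fetch(path):
    """GET a path from the local node (needs the service running; not used by the tests)."""
    with urllib.request.urlopen(ES_URL + path, timeout=5) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    issues = check_cluster(fetch("/"), fetch("/_cluster/health"))
    print("OK" if not issues else "\n".join(issues))
```

Run it on the host after the service is up; a non-empty list of problems is the signal to stop and fix Elasticsearch before installing Logstash on top of it.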
Step-2: Install and Configure Logstash
The next step in installing the ELK stack is to install Logstash on Rocky Linux 8. Logstash is published in the same Elastic repository we configured above, so there is no need to add another repo; we can install it directly with the YUM/DNF package manager.
[vic@rocky ~]$ sudo dnf install logstash -y
After a successful installation, edit the Logstash pipeline configuration to define the input and output sections shown below. The output points Logstash at the Elasticsearch instance running on the same host on port 9200; Logstash can also run on a separate server from Elasticsearch, in which case replace localhost with that host's address.
$ sudo vi /etc/logstash/conf.d/logstash.conf
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
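The index setting in that output section is a Logstash sprintf pattern: the %{[@metadata][beat]} and %{[@metadata][version]} references are filled from metadata every Beat attaches to its events, and %{+YYYY.MM.dd} is the event timestamp formatted in UTC, which is what produces one index per Beat per day. The following added example (not part of the guide or of Logstash) renders that pattern for a constructed Filebeat event and validates the result against Elasticsearch's index-name rules, including the case where a field is missing and the unexpanded reference would otherwise end up as the index name.

```python
"""Render and validate the index name produced by the guide's Logstash
output.  Added example; the event and pattern handling are constructed here
and cover only the sprintf features the guide's pattern uses."""
import re
from datetime import datetime, timezone

# Constructed Filebeat event: Beats put their name and version under @metadata,
# which Logstash keeps out of the stored document but can use in the output.
SAMPLE_EVENT = {
    "@timestamp": datetime(2021, 9, 9, 19, 44, 19, tzinfo=timezone.utc),
    "message": "Sep  9 22:44:19 rocky sshd[1234]: Accepted publickey for vic",
    "@metadata": {"beat": "filebeat", "version": "7.14.1"},
}

INDEX_PATTERN = "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"

# Joda-style tokens used in Logstash date references -> strftime equivalents
# (subset sufficient for the usual daily/monthly/hourly index patterns).
_DATE_TOKENS = [("YYYY", "%Y"), ("MM", "%m"), ("dd", "%d"), ("HH", "%H")]

_FIELD_REF = re.compile(r"%\{\[([^}]+)\]\}")    # %{[a][b]}
_DATE_REF = re.compile(r"%\{\+([^}]+)\}")       # %{+YYYY.MM.dd}


def _lookup(event, path):
    """Resolve a nested field reference such as [@metadata][beat]."""
    value = event
    for key in path.split("]["):
        if not isinstance(value, dict) or key not in value:
            return None
        value = value[key]
    return value


def render_index(pattern, event):
    """Expand field and date references the way the guide's output relies on.
    A missing field is left as the literal reference, mirroring Logstash,
    which is why validate_index_name() checks for that case."""
    def sub_field(m):
        v = _lookup(event, m.group(1))
        return m.group(0) if v is None else str(v)

    def sub_date(m):
        fmt = m.group(1)
        for joda, strf in _DATE_TOKENS:
            fmt = fmt.replace(joda, strf)
        # Logstash formats %{+...} in UTC from the event's @timestamp.
        return event["@timestamp"].astimezone(timezone.utc).strftime(fmt)

    return _DATE_REF.sub(sub_date, _FIELD_REF.sub(sub_field, pattern))


def validate_index_name(name):
    """Return the Elasticsearch index-name rules the name violates (empty = ok)."""
    problems = []
    if name != name.lower():
        problems.append("must be lowercase")
    if name.startswith(("-", "_", "+")):
        problems.append("must not start with -, _ or +")
    if name in (".", ".."):
        problems.append("must not be . or ..")
    if re.search(r'[\\/*?"<>| ,#:]', name):
        problems.append("contains a forbidden character")
    if len(name.encode()) > 255:
        problems.append("longer than 255 bytes")
    if "%{" in name:
        problems.append("contains an unexpanded field reference")
    return problems


if __name__ == "__main__":
    name = render_index(INDEX_PATTERN, SAMPLE_EVENT)
    print(name, validate_index_name(name) or "valid")
```

Because the day component comes from the event timestamp, not the wall clock on the Logstash host, late-arriving or replayed logs are written to the index for the day they were generated, which matters when you later apply retention policies per index.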
Start and enable the Logstash service:
sudo systemctl enable --now logstash
Check and verify the status of the Logstash service:
[vic@rocky ~]$ sudo systemctl status logstash
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-09-09 21:45:35 EAT; 22s ago
 Main PID: 52516 (java)
    Tasks: 14 (limit: 6001)
   Memory: 384.9M
   CGroup: /system.slice/logstash.service
           └─52516 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-8 >

Sep 09 21:45:35 rocky systemd[1]: Started logstash.
Sep 09 21:45:35 rocky logstash[52516]: Using bundled JDK: /usr/share/logstash/jdk
Sep 09 21:45:36 rocky logstash[52516]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Sep 09 21:45:47 rocky logstash[52516]: /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/bundler-1.17.3/lib/bundler/rubygems_integration.rb:200: warning: constant Gem::ConfigMap is deprecated
Step-3: Install and Configure Kibana
With the two projects above in place, the next step in installing the ELK stack is to set up the dashboard, Kibana.
$ sudo dnf -y install kibana
Configure the address Kibana binds to, either a specific IP or all interfaces. In this guide, I shall configure Kibana to listen on any IP (0.0.0.0). Note that Kibana 7.x performs no authentication until Elasticsearch security is enabled, so if you bind it to all interfaces, restrict who can reach port 5601 with the firewall or a reverse proxy.
$ sudo vim /etc/kibana/kibana.yml
server.host: "0.0.0.0"
# elasticsearch.url was renamed to elasticsearch.hosts in Kibana 7.0
elasticsearch.hosts: ["http://localhost:9200"]
Start and enable Kibana.
sudo systemctl enable --now kibana
Verify the service status:
[vic@rocky ~]$ systemctl status kibana
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-09-09 22:09:11 EAT; 1min 31s ago
     Docs: https://www.elastic.co
 Main PID: 52892 (node)
    Tasks: 18 (limit: 6001)
   Memory: 189.0M
   CGroup: /system.slice/kibana.service
           ├─52892 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pid.file=/run/kibana/kibana.pid
           └─52904 /usr/share/kibana/node/bin/node --preserve-symlinks-main --preserve-symlinks /usr/share/kibana/src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pid.file=/run/kibana/kibana.pid

Sep 09 22:09:11 rocky systemd[1]: Started Kibana.
Allow Kibana port through the firewall.
sudo firewall-cmd --permanent --add-port=5601/tcp
sudo firewall-cmd --reload
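At this point the stack is reachable but unprotected: Elasticsearch 7.x ships with xpack.security.enabled set to false, so a node bound to a LAN address answers any client on port 9200 without credentials, and a Kibana bound to 0.0.0.0 serves dashboards over plain HTTP. The script below is an added example (not from the guide or from Elastic) that audits the two files edited above for exactly these settings. The inline file contents are constructed to match the guide; audit_files() reads the real files from the paths the guide uses, and the key names checked are the standard 7.x ones.

```python
"""Defender's audit of elasticsearch.yml and kibana.yml as configured above.
Added example; inline file contents are constructed."""
import ipaddress
import re

# Constructed copies of the settings the guide puts into each file.
ELASTICSEARCH_YML = """\
cluster.name: my-elk-cluster
network.host: 172.29.10.15
#http.port: 9200
"""

KIBANA_YML = """\
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
"""

_SETTING = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")


def parse_flat_yaml(text):
    """Read the dotted `key: value` lines these files use; comments and blank
    lines are skipped and surrounding quotes dropped.  Deliberately not a full
    YAML parser: nested blocks and multi-line lists are ignored."""
    settings = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _SETTING.match(raw)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def _is_loopback(host):
    """True for the values that keep a daemon on the local machine only."""
    if host in ("localhost", "_local_"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames and values such as _site_ are not loopback


def _enabled(settings, key):
    return settings.get(key, "false").lower() == "true"


def audit_elasticsearch(settings):
    """Findings for elasticsearch.yml: a non-loopback bind without security."""
    findings = []
    host = settings.get("network.host", "localhost")  # 7.x default binds loopback only
    if _is_loopback(host):
        return findings
    if not _enabled(settings, "xpack.security.enabled"):
        findings.append(f"network.host={host} exposes port 9200 while "
                        "xpack.security.enabled is false (no authentication)")
    if not _enabled(settings, "xpack.security.http.ssl.enabled"):
        findings.append("HTTP API is served over plain HTTP; set xpack.security.http.ssl.enabled")
    return findings


def audit_kibana(settings):
    """Findings for kibana.yml: listening address, TLS and a removed 6.x key."""
    findings = []
    host = settings.get("server.host", "localhost")
    if not _is_loopback(host) and not _enabled(settings, "server.ssl.enabled"):
        findings.append(f"server.host={host} listens on the network without server.ssl.enabled")
    if "elasticsearch.url" in settings:
        findings.append("elasticsearch.url was renamed to elasticsearch.hosts in Kibana 7.0")
    return findings


def audit_files(es_path="/etc/elasticsearch/elasticsearch.yml",
                kibana_path="/etc/kibana/kibana.yml"):
    """Audit the real files on a host and return the combined findings."""
    with open(es_path) as es, open(kibana_path) as kb:
        return (audit_elasticsearch(parse_flat_yaml(es.read()))
                + audit_kibana(parse_flat_yaml(kb.read())))


if __name__ == "__main__":
    for finding in (audit_elasticsearch(parse_flat_yaml(ELASTICSEARCH_YML))
                    + audit_kibana(parse_flat_yaml(KIBANA_YML))):
        print("WARN:", finding)
```

On the guide's settings the script reports three findings, which is the expected state before the follow-up articles under "What's Next" enable TLS and security; once those are applied the same script should return an empty list.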
Step-4: Shipping Logs to ELK stack using Filebeat
Having installed the ELK stack, we shall now ship logs to it using Filebeat. To install Filebeat on Rocky Linux 8, run the command below:
sudo dnf install filebeat
Filebeat ships with modules that collect and parse specific types of logs on Linux systems. You can list the available modules and enable the ones you need.
sudo filebeat modules list
To enable a module, run the command below specifying the module you wish to enable:
sudo filebeat modules enable <module>
Enable the system module and initialize Filebeat. The setup command loads the index template, ILM policy, Kibana dashboards and ingest pipelines, so Kibana must be running at this point:
[vic@rocky ~]$ sudo filebeat modules enable system
Enabled system
[root@rocky ~]# sudo filebeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite: true` for enabling.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Setting up ML using setup --machine-learning is going to be removed in 8.0.0. Please use the ML app instead.
See more: https://www.elastic.co/guide/en/machine-learning/current/index.html
Loaded machine learning job configurations
Loaded Ingest pipelines
Run Filebeat in the foreground with the -e flag (log to stderr) to confirm that it loads the module and connects to the Elasticsearch instance:
[vic@rocky ~]$ filebeat -e
2021-09-09T22:44:15.393+0300 INFO instance/beat.go:665 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2021-09-09T22:44:15.395+0300 INFO instance/beat.go:673 Beat ID: bfa28747-655b-4753-87d2-ef5adcb5d7ab
2021-09-09T22:44:15.402+0300 INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
....
2021-09-09T22:44:18.917+0300 INFO [esclientleg] eslegclient/connection.go:273 Attempting to connect to Elasticsearch version 7.14.1
2021-09-09T22:44:19.090+0300 INFO [esclientleg] eslegclient/connection.go:273 Attempting to connect to Elasticsearch version 7.14.1
2021-09-09T22:44:19.202+0300 INFO [index-management] idxmgmt/std.go:261 Auto ILM enable success.
2021-09-09T22:44:19.603+0300 INFO [index-management.ilm] ilm/std.go:160 ILM policy filebeat exists already.
2021-09-09T22:44:19.617+0300 INFO [index-management] idxmgmt/std.go:401 Set setup.template.name to '{filebeat-7.14.1 {now/d}-000001}' as ILM is enabled.
2021-09-09T22:44:19.703+0300 INFO template/load.go:111 Template "filebeat-7.14.1" already exists and will not be overwritten.
2021-09-09T22:44:19.703+0300 INFO [index-management] idxmgmt/std.go:297 Loaded index template.
2021-09-09T22:44:19.798+0300 INFO [index-management.ilm] ilm/std.go:121 Index Alias filebeat-7.14.1 exists already.
2021-09-09T22:44:19.811+0300 INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(elasticsearch(http://localhost:9200)) established
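The line to look for in that output is the one ending in "established", which confirms the publisher pipeline reached Elasticsearch. As an added example (not part of the guide or of Filebeat), the parser below reads lines in that format (timestamp, level, optional bracketed component, source file and line, message), counts them by level, and extracts the Elasticsearch version and output URL so that the check can be scripted rather than eyeballed. Both log samples are constructed in the same shape as the output above; the failure sample mirrors the message Filebeat prints when port 9200 refuses the connection.

```python
"""Parse `filebeat -e` output and confirm the output connection.
Added example; the sample log lines are constructed."""
import re
from collections import Counter

SAMPLE_LOG = """\
2021-09-09T22:44:15.393+0300 INFO instance/beat.go:665 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat]
2021-09-09T22:44:15.402+0300 INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
2021-09-09T22:44:18.917+0300 INFO [esclientleg] eslegclient/connection.go:273 Attempting to connect to Elasticsearch version 7.14.1
2021-09-09T22:44:19.811+0300 INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(elasticsearch(http://localhost:9200)) established
"""

# Constructed: what the same run looks like when Elasticsearch is down.
SAMPLE_LOG_FAILED = """\
2021-09-09T22:44:15.393+0300 INFO instance/beat.go:665 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat]
2021-09-09T22:44:20.001+0300 ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(http://localhost:9200)): Get "http://localhost:9200": dial tcp 127.0.0.1:9200: connect: connection refused
"""

_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?:\[(?P<component>[^\]]+)\]\s+)?"
    r"(?P<source>\S+:\d+)\s+(?P<msg>.*)$")
_OUTPUT = re.compile(r"Connection to backoff\(elasticsearch\((?P<url>[^)]+)\)\) established")
_VERSION = re.compile(r"connect to Elasticsearch version (?P<v>[\d.]+)")


def parse_beat_log(text):
    """Return one dict per recognised line; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Counts per log level plus the Elasticsearch version and output URL seen."""
    summary = {"levels": Counter(r["level"] for r in records),
               "es_url": None, "es_version": None}
    for r in records:
        m = _OUTPUT.search(r["msg"])
        if m:
            summary["es_url"] = m.group("url")
        m = _VERSION.search(r["msg"])
        if m:
            summary["es_version"] = m.group("v")
    return summary


def output_established(records):
    """True once the publisher pipeline reported an established connection."""
    return summarize(records)["es_url"] is not None


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, SAMPLE_LOG_FAILED):
        recs = parse_beat_log(sample)
        print(summarize(recs), "connected" if output_established(recs) else "NOT connected")
```

The same parser works on /var/log/filebeat/filebeat once the service runs under systemd, which is where you would look if events stop appearing in Kibana.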
Start Filebeat service:
sudo systemctl start filebeat
Step-5: Access ELK dashboard through Kibana
Access the ELK dashboard on your web browser at http://server-IP:5601
You can now visualize system logs for the modules you enabled using Filebeat from the dashboard.
What's Next
#1-ELK Stack: Configure elasticsearch cluster setup CentOS/RHEL 7/8
#2-ELK Stack: Enable https with ssl/tls & secure elasticsearch cluster
#3-ELK Stack: Configure kibana 7.x with SSL/TLS encryption
#4-ELK Stack: Configure metricbeat 7.x to monitor elasticsearch cluster
Conclusion
We have successfully set up and installed the ELK stack on Rocky Linux 8 for log monitoring. It can monitor many services as long as you use the right Beat; the available Beats include Filebeat, Metricbeat, Winlogbeat and others.