Install ELK stack on Rocky Linux 8 [Step-by-Step]


ELK Stack

Install ELK Stack - Introduction

Welcome to this guide where we shall demonstrate how to deploy ELK stack on Rocky Linux 8. ELK is an acronym for three open source projects that came together to build a full stack of the monitoring solution.

The project comprises of the following elements:

  1. Elasticsearch - This is an analytics engine that is used to analyze logs.
  2. Logstash - This is the tool used for processing of the logs and aligning them so that they can be indexed by Elasticsearch.
  3. Kibana - This is the web interface that functions as the front-end of the entire stack. You can gain access to dashboards where you can visualize metrics indexed by the Elasticsearch engine.

We also have Beats that are responsible for shipping different kinds of logs and metrics to the Elasticsearch engine. Some of them are:

  • Filebeat
  • Metricbeat
  • Winbeat

 

Lab Environment and Pre-requisites

This guide will discuss how to set up an ELK stack on Rocky Linux 8. Below are some of the minimal requirements that are needed before you can set up your stack.

  1. Rocky Linux 8 instance
  2. OpenJDK
  3. 2 CPU cores
  4. 4 GB RAM
  5. root user level access

 

Step-1: Install Elasticsearch

Follow the steps below to install ELK on Rocky Linux 8.

 

Install OpenJDK

Install Java Development Kit on Rocky Linux 8.

sudo dnf -y install java-openjdk-devel java-openjdk

 

Install Elasticsearch 7.x

To install Elasticsearch, we need to configure the repository on Rocky Linux 8. Run the command below to achieve that:

cat <<EOF | sudo tee /etc/dnf.repos.d/elasticsearch.repo
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/dnf
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Import the GPG key for Elasticsearch

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Update system cache:

sudo dnf clean all
sudo dnf makecache

Then install Elasticsearch 7.x on Rocky Linux 8:

[vic@rocky ~]$ sudo dnf -y install elasticsearch

Veriy the installed version of Elasticsearch:

[vic@rocky ~]$ sudo rpm -qi elasticsearch

Sample Output:
Install ELK stack on Rocky Linux 8 [Step-by-Step]

 

 

Configure Elasticsearch

Modify the cluster name for Elasticsearch. Also make sure you uncomment the network.host option and add the IP of your Elasticsearch host for port binding only if you are setting up a multi-node cluster.

$ sudo vim /etc/elasticsearch/elasticsearch.yml
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: my-elk-cluster
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 172.29.10.15
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
#http.port: 9200
#
# For more information, consult the network module documentation.

Start and enable Elasticsearch service through systemd

sudo systemctl enable --now elasticsearch.service 

Verify that the service has started successfully

[vic@rocky ~]$ systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-09-09 21:38:27 EAT; 7s ago
     Docs: https://www.elastic.co
 Main PID: 52063 (java)
    Tasks: 66 (limit: 6001)
   Memory: 642.5M
   CGroup: /system.slice/elasticsearch.service
           ├─52063 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encodi>
           └─52228 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Sep 09 21:37:59 rocky systemd[1]: Starting Elasticsearch...
Sep 09 21:38:27 rocky systemd[1]: Started Elasticsearch.
lines 1-13/13 (END)

Confirm that the service is up and reachable through cURL.

[vic@rocky ~]$ curl http://127.0.0.1:9200

Sample Output:

Install ELK stack on Rocky Linux 8 [Step-by-Step]

You can also check if indexing is working by running a HTTP GET command as shown below:

[vic@rocky ~]$ curl -X GET "localhost:9200"

Sample Output:

Install ELK stack on Rocky Linux 8 [Step-by-Step]

 

Step-2: Install and Configure Logstash

The next step to install ELK Stack is to install Logstash on Rocky Linux 8. Logstash project is available at the Elasticsearch repository. This means that we wont be required to configure the repo again. We shall just download and install directly using the YUM/DNF package managers.

[vic@rocky ~]$ sudo dnf install logstash -y

After a successful installation, we need to edit the configuration file for Logstash to add the Input and output variables as shown below. We will also be required to point the Logstash application to the Elasticsearch application that is running on the same host on port 9200. Note that you can also run Logstash on a different server from Elasticsearch's.

$ sudo vi /etc/logstash/conf.d/logstash.conf
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

Start and enable the Logstash service:

sudo systemctl enable --now logstash

Check and verify the status of the Logstash service:

[vic@rocky ~]$ sudo systemctl status  logstash
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-09-09 21:45:35 EAT; 22s ago
 Main PID: 52516 (java)
    Tasks: 14 (limit: 6001)
   Memory: 384.9M
   CGroup: /system.slice/logstash.service
           └─52516 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headless=true -Dfile.encoding=UTF-8 >

Sep 09 21:45:35 rocky systemd[1]: Started logstash.
Sep 09 21:45:35 rocky logstash[52516]: Using bundled JDK: /usr/share/logstash/jdk
Sep 09 21:45:36 rocky logstash[52516]: OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Sep 09 21:45:47 rocky logstash[52516]: /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/bundler-1.17.3/lib/bundler/rubygems_integration.rb:200: warning: constant Gem::ConfigMap is deprecated

 

Step-3: Install and Configure Kibana

After a successful setup of the two projects above, the next step to install ELK Stack is now to set up the dashboard, Kibana.

$ sudo dnf -y install kibana

Configure Port binding of Kibana to use any IP or a specific IP. In this guide, I shall configure Kibana to liesten to any IP.

$ sudo vim /etc/kibana/kibana.yml
server.host: "0.0.0.0"
elasticsearch.url: "http://localhost:9200"

Start and enable Kibana.

sudo systemctl enable --now kibana

Verify the service status:

[vic@rocky ~]$ systemctl status kibana
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2021-09-09 22:09:11 EAT; 1min 31s ago
     Docs: https://www.elastic.co
 Main PID: 52892 (node)
    Tasks: 18 (limit: 6001)
   Memory: 189.0M
   CGroup: /system.slice/kibana.service
           ├─52892 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pid.file=/run/kibana/kibana.pid
           └─52904 /usr/share/kibana/node/bin/node --preserve-symlinks-main --preserve-symlinks /usr/share/kibana/src/cli/dist --logging.dest=/var/log/kibana/kibana.log --pid.file=/run/kibana/kibana.pid

Sep 09 22:09:11 rocky systemd[1]: Started Kibana.

Allow Kibana port through the firewall.

sudo firewall-cmd --permanent --add-port=5601/tcp
sudo firewall-cmd --reload

 

Step-4: Shipping Logs to ELK stack using Filebeat

In this guide after we install ELK Stack, we shall discuss how to ship logs to ELK stack using Filebeat. To install Filebeat on Rocky Linux 8, run the command below:

sudo dnf install filebeat

Filebeat comprises of modules that are used to ship different types of logs on Linux systems. You can list the available modules and enable them according to what you wish to enable.

sudo filebeat modules list

To enable a module, run the command below specifying the module you wish to enable:

sudo filebeat modules enable <module>

Initialize filebeat with the command below:

[vic@rocky ~]$ sudo filebeat modules enable system
Enabled system

[root@rocky ~]# sudo filebeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite: true` for enabling.

Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Setting up ML using setup --machine-learning is going to be removed in 8.0.0. Please use the ML app instead.
See more: https://www.elastic.co/guide/en/machine-learning/current/index.html
Loaded machine learning job configurations
Loaded Ingest pipelines

Run the command below to load the filebeat module and connect to the ELK instance:

[vic@rocky ~]$ filebeat -e
2021-09-09T22:44:15.393+0300	INFO	instance/beat.go:665	Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2021-09-09T22:44:15.395+0300	INFO	instance/beat.go:673	Beat ID: bfa28747-655b-4753-87d2-ef5adcb5d7ab
2021-09-09T22:44:15.402+0300	INFO	[seccomp]	seccomp/seccomp.go:124	Syscall filter successfully installed
....
2021-09-09T22:44:18.917+0300	INFO	[esclientleg]	eslegclient/connection.go:273	Attempting to connect to Elasticsearch version 7.14.1
2021-09-09T22:44:19.090+0300	INFO	[esclientleg]	eslegclient/connection.go:273	Attempting to connect to Elasticsearch version 7.14.1
2021-09-09T22:44:19.202+0300	INFO	[index-management]	idxmgmt/std.go:261	Auto ILM enable success.
2021-09-09T22:44:19.603+0300	INFO	[index-management.ilm]	ilm/std.go:160	ILM policy filebeat exists already.
2021-09-09T22:44:19.617+0300	INFO	[index-management]	idxmgmt/std.go:401	Set setup.template.name to '{filebeat-7.14.1 {now/d}-000001}' as ILM is enabled.
2021-09-09T22:44:19.703+0300	INFO	template/load.go:111	Template "filebeat-7.14.1" already exists and will not be overwritten.
2021-09-09T22:44:19.703+0300	INFO	[index-management]	idxmgmt/std.go:297	Loaded index template.
2021-09-09T22:44:19.798+0300	INFO	[index-management.ilm]	ilm/std.go:121	Index Alias filebeat-7.14.1 exists already.
2021-09-09T22:44:19.811+0300	INFO	[publisher_pipeline_output]	pipeline/output.go:151	Connection to backoff(elasticsearch(http://localhost:9200)) established

Start Filebeat service:

sudo systemctl start filebeat

 

Step-5: Access ELK dashboard through Kibana

Access the ELK dashboard on your web browser at http://server-IP:5601

Step by Step install ELk Stack on Rocky Linux 8

 

You can now visualize system logs for the modules you enabled using Filebeat from the dashboard.

Step by Step install ELk Stack on Rocky Linux 8

 

What's Next

#1-ELK Stack: Configure elasticsearch cluster setup CentOS/RHEL 7/8
#2-ELK Stack: Enable https with ssl/tls & secure elasticsearch cluster
#3-ELK Stack: Configure kibana 7.x with SSL/TLS encryption
#4-ELK Stack: Configure metricbeat 7.x to monitor elasticsearch cluster

 

Conclusion

We have successfully set up and install ELK stack on Rocky Linux 8 for monitoring. This tool can be used to monitor many services as long as you use the right beat. The available beats include filebeat, metricbeat, winbeat, etc.

 

Deepak Prasad

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment