Elasticsearch, Logstash and Kibana, formerly known together as the ELK Stack, are now called the Elastic Stack. Here is how to install the Elastic Stack on Ubuntu 16.04 and CentOS 7 on a single cloud server instance for server log analysis and light big-data processing. In this tutorial we show how to install the three components on Ubuntu 16.04 and CentOS 7, how to configure them, and how to visualize syslog data in Kibana. The same server runs Nginx as a reverse proxy in front of Kibana.
Why Install Elastic Stack Instead of Apache Hadoop or Spark With Elasticsearch?
Previously we discussed how to install Apache Hadoop, how to install Apache Spark and how to install fluentd on a single cloud server instance. This guide installs the Elastic Stack without Apache Hadoop, because not all users are used to handling real Big Data software. In a separate guide we will show how to integrate Elasticsearch with Apache Hadoop. Such setups and examples are practical uses of these software collections.
We are showing how to install the Elastic Stack on Ubuntu and CentOS in this simple way so that users of any level can install it and use it for basic log analysis without going into the fuss of Big Data software.
---
Why Install Elastic Stack on Ubuntu 16.04, CentOS 7 Single Cloud Server?
You can install the Elastic Stack on the same dedicated server where your web or database software is running. But a cloud server can be cheap: a VPSDime 6GB OpenVZ instance costs only $7/month, and such resources are great for small to medium business owners and webmasters. Elasticsearch crashes on OpenVZ instances are not uncommon; keeping the load average low is a workaround that makes it work. We are installing on a single cloud server instance for cost saving and for isolation: the log server then has its own attack surface, separate from the production web and database servers. We suggest a server with 4GB of RAM for running the Elastic Stack. A 1GB RAM instance can run it after a fashion, and a 1GB RAM VMware cloud server from Aruba Cloud costs just 1 Euro per month.
The individual components do the following :
- Logstash collects and enriches log data and sends it to Elasticsearch.
- Elasticsearch stores the incoming logs from Logstash and provides the ability to search them in real time.
- Kibana provides the visualization of the logs. There are alternatives, but Kibana is the commonly used one.
- Beats (Filebeat) or fluentd, installed on each client, send the logs to Logstash.
- Nginx works as the web server and reverse proxy in front of Kibana. It is also where the login is enforced, since neither Kibana nor Elasticsearch has authentication of its own in this setup.
Steps to Install Elastic Stack on Ubuntu 16.04, CentOS 7 Single Cloud Server
Step 1 : SELinux and Install Nginx
On CentOS 7 the tutorial first disables SELinux, since otherwise Nginx would need the httpd_can_network_connect boolean to proxy to Kibana and the Elastic services would need matching file contexts. Ubuntu 16.04 does not ship SELinux (it uses AppArmor), so skip this on Ubuntu. Keep in mind that disabling SELinux removes a protection layer from an Internet-facing server; if you prefer to keep it, set it to permissive mode while you install and return to enforcing once everything works. To disable it as the tutorial does, open :

```
nano /etc/sysconfig/selinux
```

Change the SELINUX value :

```
SELINUX=disabled
```

then reboot the server :

```
reboot
```

SSH to the server again and run this command to check the SELinux state; it should print Disabled :

```
getenforce
```

Install Nginx :

```
# ubuntu
apt install nginx
# centos
yum -y install epel-release
yum install nginx
```

In your firewall allow inbound TCP 80 and 443 (Nginx) and TCP 5044 (the Logstash Beats input that the Filebeat clients connect to). Do not open TCP 9200 to the Internet: the tutorial binds Elasticsearch to localhost, and an exposed Elasticsearch has no authentication, so anyone reaching it could read, change or delete every index. Open 9200 only if a remote client really needs it, and then only for that client's address.
Step 2 : Install Oracle Java
Elasticsearch 2.x and 5.x run on Java 8. OpenJDK 8 from the distribution repositories (openjdk-8-jdk on Ubuntu, java-1.8.0-openjdk on CentOS) is supported and avoids both the third-party PPA and the license-cookie download below, which their providers have since retired. If you still use the commands below, note that the CentOS download is fetched over plain HTTP with certificate checks disabled, so verify the RPM's checksum against Oracle's published value before installing it.

For Ubuntu 16.04 :

```
sudo add-apt-repository -y ppa:webupd8team/java
sudo apt update
sudo apt install oracle-java8-installer
```

For CentOS 7 :

```
cd ~
wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http:%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u77-b02/jdk-8u77-linux-x64.rpm"
rpm -ivh jdk-8u77-linux-x64.rpm
```

For both of them :

Check the version of Java :

```
java -version
```

Example output (the exact update number will differ from the one you installed) :

```
java version "1.8.0_11"
Java(TM) SE Runtime Environment (build 1.8.0_11-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.11-b03, mixed mode)
```
Step 3 : Install Elasticsearch

Note that the Ubuntu commands in this tutorial install the 2.x line (Elasticsearch 2.x, Kibana 4.5, Logstash 2.3, Filebeat 1.x) while the CentOS commands install the 5.1.1 releases. Keep every component on one server on the same line: mixing them, for instance Kibana 5 against Elasticsearch 2, does not work.

For Ubuntu 16.04 :

```
cd ~
wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb http://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list
sudo apt update
sudo apt install elasticsearch
```

Elasticsearch has no authentication of its own, so bind it to the loopback interface; everything that needs it (Kibana, Logstash) runs on this server :

```
nano /etc/elasticsearch/elasticsearch.yml
```

Edit :

```
network.host: localhost
```

Save and exit. Reload systemd, enable Elasticsearch at boot and start it :

```
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
```

Test Elasticsearch (the JSON banner should come back; from another host the same port must be unreachable) :

```
curl localhost:9200
```
For CentOS 7 :

```
cd ~
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.1.1.rpm
rpm -ivh elasticsearch-5.1.1.rpm
```

Then bind Elasticsearch to the loopback interface, for the same reason as on Ubuntu :

```
nano /etc/elasticsearch/elasticsearch.yml
```

Edit :

```
bootstrap.memory_lock: true
network.host: localhost
http.port: 9200
```

Save and exit. bootstrap.memory_lock makes Elasticsearch lock its heap in RAM so it is never swapped out; the service also needs permission to do that :

```
nano /usr/lib/systemd/system/elasticsearch.service
```

Uncomment :

```
LimitMEMLOCK=infinity
```

Save and exit. Edit :

```
nano /etc/sysconfig/elasticsearch
```

and set :

```
MAX_LOCKED_MEMORY=unlimited
```

Save and exit. Reload systemd, enable Elasticsearch at boot and start it :

```
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
```

Test :

```
curl -XGET 'localhost:9200/?pretty'
```
Step 4 : Install Kibana

For Ubuntu 16.04 :

```
wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb http://packages.elastic.co/kibana/4.5/debian stable main" | sudo tee -a /etc/apt/sources.list
```

Install Kibana with the following commands :

```
sudo apt update
sudo apt install kibana
```

Kibana 4.5 listens on every interface by default and has no login of its own. Before starting it, open its configuration file (/opt/kibana/config/kibana.yml for the 4.x package) and set server.host to "localhost", exactly as in the CentOS step below, so that it is only reachable through the Nginx proxy configured later. Then start Kibana and enable it on system startup :

```
sudo systemctl start kibana
sudo systemctl enable kibana
```

Kibana is then reached through Nginx at the address configured in the next step. Browsing to http://your-ip-address:5601/ directly only works if Kibana is left bound to all interfaces, which exposes every log to anyone who can reach the port; do not leave it that way on a public server.
For CentOS 7 :

```
wget https://artifacts.elastic.co/downloads/kibana/kibana-5.1.1-x86_64.rpm
rpm -ivh kibana-5.1.1-x86_64.rpm
```

Now edit the Kibana configuration file :

```
nano /etc/kibana/kibana.yml
```

Uncomment the configuration lines for server.port, server.host and elasticsearch.url. server.host must be "localhost": Kibana has no login of its own, and binding it to the loopback interface means the only way in is through the Nginx proxy (with its password) configured next.

```
server.port: 5601
server.host: "localhost"
elasticsearch.url: "http://localhost:9200"
```

Save and exit. Add Kibana to run at boot and start it :

```
sudo systemctl enable kibana
sudo systemctl start kibana
```

Kibana will run on port 5601 as a Node.js application.
For both of them :

Now put Nginx in front of Kibana. On Ubuntu edit the default site; on CentOS there is no sites-available directory, so create the same server block as /etc/nginx/conf.d/kibana.conf instead :

```
nano /etc/nginx/sites-available/default
```

This is a typical example of the Nginx config. The two auth_basic lines are what keeps strangers out of Kibana, and therefore out of your logs, so leave them enabled and create the password file first with htpasswd (package apache2-utils on Ubuntu, httpd-tools on CentOS), for example htpasswd -c /etc/nginx/htpasswd.users kibanaadmin :

```
server {
    listen 80;
    server_name example.com;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```

Basic authentication sends the password in clear text, so on a public server terminate TLS in Nginx (listen on 443 with a certificate and redirect 80 to it) rather than serving Kibana over plain HTTP. Save and exit, test the configuration, then restart Nginx :

```
nginx -t
sudo systemctl restart nginx
```
Step 5 : Install Logstash

For Ubuntu 16.04 :

```
echo "deb https://packages.elastic.co/logstash/2.3/debian stable main" | sudo tee -a /etc/apt/sources.list
sudo apt-get update
sudo apt-get install logstash
```

For CentOS 7 :

Open :

```
nano /etc/yum.repos.d/logstash.repo
```

add the following (the repository and its signing key are fetched over HTTPS, and gpgcheck=1 makes yum reject packages not signed with that key) :

```
[logstash]
name=Logstash
baseurl=https://packages.elastic.co/logstash/2.2/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
```

This repository provides Logstash 2.2, while the CentOS steps before and after it install Elasticsearch and Filebeat 5.1.1. If you run the 5.x line, install the matching Logstash 5.1.1 RPM from artifacts.elastic.co instead, the same way as Elasticsearch, so that all components stay on one line.

Install the Logstash package:

```
yum install logstash
```
For both of them :

Filebeat verifies the Logstash server's certificate, so we create one now. We are showing the hostname (subdomain/domain) variant first, which is the easy one. Make the name resolve on the server and on every client :

```
nano /etc/hosts
```

Add an entry with your real values :

```
10.11.12.13 server.your.local
```

Then run the following, after changing "server.your.local" to your hostname (the key is created without a passphrase because the Logstash service must read it unattended) :

```
cd /etc/ssl/
openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout logstash-forwarder.key -out logstash-forwarder.crt -subj /CN=server.your.local
```

If the clients will connect by IP address instead, the certificate must carry that IP in its subjectAltName, otherwise Filebeat rejects it. The tutorial does this by editing the system-wide OpenSSL configuration :

```
nano /etc/ssl/openssl.cnf
```

Under the [ v3_ca ] section, add a line with your IP :

```
subjectAltName = IP:10.11.12.13
```

Then generate the certificate :

```
cd /etc/ssl/
openssl req -x509 -days 365 -batch -nodes -newkey rsa:2048 -keyout logstash-forwarder.key -out logstash-forwarder.crt
```
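The step above edits the system-wide /etc/ssl/openssl.cnf to add the IP, which silently changes every certificate later issued on that server. The function below is an added example, not from the original tutorial: it puts both the hostname and the IP into subjectAltName through a throw-away configuration file, so nothing global is touched, and then verifies the SAN before the certificate is copied to clients. The placeholder name server.your.local and address 10.11.12.13 are the tutorial's and stand in for your real values; the output directory and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): issue the Logstash server
# certificate with DNS and IP subjectAltName entries from a temporary OpenSSL
# config instead of editing /etc/ssl/openssl.cnf.
# Usage: make_logstash_cert <outdir> <hostname> <ip>
make_logstash_cert() {
    outdir=$1; host=$2; ip=$3
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host, IP:$ip
EOF
    # -nodes: no passphrase, because the Logstash service reads the key unattended.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$outdir/logstash-forwarder.key" \
        -out "$outdir/logstash-forwarder.crt" \
        -config "$cfg" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    # The private key never leaves this server; only root and the logstash
    # service user should read it (chown root:logstash on a real install).
    [ $rc -eq 0 ] && chmod 640 "$outdir/logstash-forwarder.key"
    return $rc
}

# 0 if the certificate text contains the given SAN entry, e.g.
# "IP Address:10.11.12.13"; run this before copying the .crt to clients,
# because Filebeat rejects a certificate that does not name the host it dials.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Demonstration with the tutorial's placeholder values in a temporary directory.
out=$(mktemp -d)
make_logstash_cert "$out" server.your.local 10.11.12.13 &&
cert_has_san "$out/logstash-forwarder.crt" "IP Address:10.11.12.13" &&
echo "certificate in $out carries both DNS and IP SAN entries"
```

On the Logstash server run make_logstash_cert /etc/ssl server.your.local 10.11.12.13 as root and give the key to the logstash service user; with both SAN entries present, Filebeat can verify the server whether its hosts setting uses the name or the IP.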
Logstash configuration files live in /etc/logstash/conf.d/. A Logstash configuration consists of three parts: input, filter and output. It is simplest to keep all three in a single file :

```
nano /etc/logstash/conf.d/logstash.conf
```

Keep in mind to change /etc/ssl/logstash-forwarder.crt and the key path if you stored them elsewhere; the Logstash service user must be able to read both files :

```
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/ssl/logstash-forwarder.crt"
    ssl_key => "/etc/ssl/logstash-forwarder.key"
    congestion_threshold => "40"   # 2.x option; not needed on the 5.x line
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }
    date {
      match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}
```

Save and exit. Now run :

```
sudo systemctl daemon-reload
sudo systemctl start logstash
sudo systemctl enable logstash
```

If Logstash does not come up, its log says why; a configuration syntax error or an unreadable certificate or key are the usual causes :

```
sudo cat /var/log/logstash/logstash.log
```
Step 6 : Install Filebeat

There are several Beats clients: Packetbeat analyzes network packet data, Filebeat ships log files, Topbeat (replaced by Metricbeat in the 5.x line) reports infrastructure data, and Metricbeat delivers system and service metrics to Elasticsearch. We use Filebeat.

For Ubuntu 16.04 :

```
echo "deb https://packages.elastic.co/beats/apt stable main" | sudo tee -a /etc/apt/sources.list.d/beats.list
sudo apt-get update
sudo apt-get install filebeat
```

For CentOS 7 :

```
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.1.1-x86_64.rpm
rpm -ivh filebeat-5.1.1-x86_64.rpm
```

For both :

Filebeat validates the Logstash server's identity against its certificate, so copy logstash-forwarder.crt (only the certificate, never the .key) from the Logstash server to each client :

```
scp -pr root@server.your.local:/etc/ssl/logstash-forwarder.crt /etc/ssl
```

Now :

```
cd /etc/filebeat/
nano filebeat.yml
```

In the prospector, list the files to ship: on CentOS /var/log/secure for SSH and authentication activity and /var/log/messages for the general system log (the Ubuntu equivalents are /var/log/auth.log and /var/log/syslog) :

```
paths:
  - /var/log/secure
  - /var/log/messages
```

Also, in the same prospector, so that the Logstash filter above recognises the events as syslog :

```
input_type: log
document_type: syslog
```

Under output, uncomment the logstash block, set hosts to the Logstash server's name or IP address with port 5044, and make sure the certificate_authorities path points to the copied certificate (in Filebeat 1.x that setting sits under tls, in 5.x under ssl). Leave the elasticsearch output commented out, otherwise Filebeat tries to reach port 9200 directly and bypasses the TLS path. Thereafter restart :

```
systemctl restart filebeat
```
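Before exposing the server, it is worth checking the four settings this tutorial relies on to keep the logs private: Elasticsearch and Kibana bound to localhost, an active auth_basic in the Nginx server block, and Filebeat shipping only to Logstash with the copied certificate. The script below is an added example, not part of the original tutorial: it audits copies of the configuration files offline and ships with constructed sample files (a deliberately weak set and a corrected set) so it runs anywhere. The file paths and the sample contents are assumptions chosen to match the snippets above.

```shell
#!/bin/sh
# Added example (not from the original tutorial): offline audit of the
# settings that keep this single-server Elastic Stack private.
# Usage: audit_stack elasticsearch.yml kibana.yml nginx.conf filebeat.yml

# Print the value of a top-level YAML key, ignoring commented-out lines and quotes.
yaml_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key:[[:space:]]*//p" "$2" | head -n 1 | tr -d "\"'"
}

# 0 if KEY in FILE binds to loopback only. An unset key counts as a failure:
# Kibana 4.x listens on 0.0.0.0 unless told otherwise, so be explicit.
bound_to_loopback() {
    case "$(yaml_value "$1" "$2")" in
        localhost|127.0.0.1|::1|_local_) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the nginx config has an active (uncommented) auth_basic directive.
nginx_auth_enabled() {
    grep -Eq '^[[:space:]]*auth_basic[[:space:]]+"[^"]+"' "$1"
}

# 0 if filebeat.yml has a logstash output with a CA certificate and no
# active elasticsearch output (which would bypass Logstash and TLS).
filebeat_ships_via_logstash() {
    grep -Eq '^[[:space:]]*(output\.)?logstash:' "$1" &&
    grep -Eq '^[[:space:]]*(ssl\.|tls\.)?certificate_authorities:' "$1" &&
    ! grep -Eq '^[[:space:]]*(output\.)?elasticsearch:' "$1"
}

# Run every check; the return value is the number of failed checks.
audit_stack() {
    fails=0
    bound_to_loopback network.host "$1" && echo "PASS elasticsearch bound to loopback" \
        || { echo "FAIL elasticsearch listens on a non-loopback interface"; fails=$((fails+1)); }
    bound_to_loopback server.host "$2" && echo "PASS kibana bound to loopback" \
        || { echo "FAIL kibana reachable without the nginx proxy"; fails=$((fails+1)); }
    nginx_auth_enabled "$3" && echo "PASS nginx requires a login" \
        || { echo "FAIL nginx serves kibana without auth_basic"; fails=$((fails+1)); }
    filebeat_ships_via_logstash "$4" && echo "PASS filebeat ships to logstash over TLS" \
        || { echo "FAIL filebeat output is not logstash-only with a CA certificate"; fails=$((fails+1)); }
    return $fails
}

# Constructed sample configs (not real files): $1 = directory, $2 = good|bad.
write_samples() {
    dir=$1
    if [ "$2" = good ]; then
        es=localhost; kb='"localhost"'; auth=''; esout='#'
    else
        es=0.0.0.0; kb='"0.0.0.0"'; auth='# '; esout=''
    fi
    printf 'cluster.name: elasticsearch\nnetwork.host: %s\nhttp.port: 9200\n' "$es" > "$dir/elasticsearch.yml"
    printf 'server.port: 5601\nserver.host: %s\nelasticsearch.url: "http://localhost:9200"\n' "$kb" > "$dir/kibana.yml"
    cat > "$dir/nginx.conf" <<EOF
server {
    listen 80;
    ${auth}auth_basic "Restricted Access";
    ${auth}auth_basic_user_file /etc/nginx/htpasswd.users;
    location / { proxy_pass http://localhost:5601; }
}
EOF
    cat > "$dir/filebeat.yml" <<EOF
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/secure
    - /var/log/messages
  document_type: syslog
output.logstash:
  hosts: ["server.your.local:5044"]
  ssl.certificate_authorities: ["/etc/ssl/logstash-forwarder.crt"]
${esout}output.elasticsearch:
${esout}  hosts: ["localhost:9200"]
EOF
}

# Demonstration on the constructed samples: the weak set fails all four checks.
tmp=$(mktemp -d)
write_samples "$tmp" bad
audit_stack "$tmp/elasticsearch.yml" "$tmp/kibana.yml" "$tmp/nginx.conf" "$tmp/filebeat.yml" || echo "weak sample: $? problem(s)"
write_samples "$tmp" good
audit_stack "$tmp/elasticsearch.yml" "$tmp/kibana.yml" "$tmp/nginx.conf" "$tmp/filebeat.yml" && echo "corrected sample: clean"
rm -rf "$tmp"
```

On the real server call audit_stack with /etc/elasticsearch/elasticsearch.yml, the Kibana kibana.yml, the Nginx server block file and /etc/filebeat/filebeat.yml; because the exit status is the number of failed checks, it drops straight into a deployment script.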
Now open the address at which Nginx serves Kibana and log in with the htpasswd user. The index pattern to configure in Kibana is filebeat-*, the name set in the Logstash output above; once Filebeat has shipped a few events they appear under Discover.

Fully optional testing :

For TESTING purposes you can load the sample Kibana dashboards and Beats index patterns (they are built for the 1.x/2.x line, and load.sh writes them to the Elasticsearch on localhost:9200 by default) :

```
curl -L -O https://download.elastic.co/beats/dashboards/beats-dashboards-1.1.0.zip
unzip beats-dashboards-1.1.0.zip
cd beats-dashboards-1.1.0
./load.sh
```

Download the Filebeat index template :

```
curl -O https://gist.githubusercontent.com/thisismitch/3429023e8438cc25b86c/raw/d8c479e2a1adcea8b1fe86570e42abab0f10f364/filebeat-index-template.json
```

The template comes from a third-party gist, so read it before loading it. Then load it into Elasticsearch with the following curl command :

```
curl -XPUT 'http://localhost:9200/_template/filebeat?pretty' -d@filebeat-index-template.json
```