Install ELK on Linux

Before you start

Make sure the server has internet access; otherwise you will have to download the packages on another machine and upload them manually. If it does not, I recommend CCProxy to grant temporary internet access. The steps below use .rpm packages, so they apply to RPM-based distributions such as CentOS/RHEL.

Install JDK

wget -c --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u161-b12/2f38c3b165be4555a1fa6e98c45e0808/jdk-8u161-linux-x64.rpm
rpm -ivh jdk-8u161-linux-x64.rpm

This fetches the JDK over plain HTTP and installs it without any check. Use the https:// form of the URL and compare the package against the checksum Oracle publishes for that build before running rpm. Elasticsearch 6.2 runs on Java 8, and the JDK is the one component here that does not come from Elastic's signed packages.

Elasticsearch

  1. Download and install

    wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.3.rpm
    rpm -ivh elasticsearch-6.2.3.rpm
  2. Start service

    # Start Elasticsearch automatically on boot
    systemctl daemon-reload
    systemctl enable elasticsearch.service

    # Start the service now
    systemctl start elasticsearch
    systemctl status elasticsearch
  3. Verify Elastic search is running

    curl http://localhost:9200

    # A JSON document with "cluster_name" and a "version" block means the node is up.
    # If nothing answers, the JVM may still be starting: wait a few seconds and retry,
    # then restart the service before resorting to a reboot.
    systemctl restart elasticsearch
    # last resort
    shutdown -r now

    Logs are under /var/log/elasticsearch/ (the cluster log is named after the cluster, elasticsearch.log by default), and journalctl -u elasticsearch shows startup errors from systemd. Elasticsearch 6.2.3 binds only to localhost on port 9200 by default and has no authentication without X-Pack, so leave network.host alone unless you put access control in front of it.

  4. Reference : https://www.elastic.co/guide/en/elasticsearch/reference/current/rpm.html
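The wget/rpm pairs on this page install whatever came down the wire. Elastic publishes a .sha512 file next to each RPM and signs the packages with its GPG key, so both can be checked before rpm runs. The script below is an added example (not from the original post or from Elastic's docs) that does that for the Elasticsearch RPM and equally for the Kibana and Logstash RPMs later on this page. It assumes the <rpm>.sha512 sidecar files exist for 6.2.3, that Elastic's public key is served at https://artifacts.elastic.co/GPG-KEY-elasticsearch, and that rpm --checksig prints "pgp" (rpm 4.11) or "signatures OK" (rpm 4.14+) for a signed package; the last point matters because rpm --checksig exits 0 for an unsigned package, so the exit status alone is not enough.

```shell
#!/bin/sh
# Added example for this page, not the original post's code: download an
# Elastic RPM plus its published .sha512, verify the hash, verify the GPG
# signature against Elastic's key, and only then install it.

ELASTIC_KEY_URL="https://artifacts.elastic.co/GPG-KEY-elasticsearch"

# sha512_of FILE: print the lowercase hex SHA-512 of FILE with whichever
# tool the host has (coreutils sha512sum on Linux, shasum elsewhere).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 512 "$1" | awk '{print tolower($1)}'
    fi
}

# verify_sha512 FILE SUMFILE: SUMFILE is in "<hex>  <name>" format, as served
# by artifacts.elastic.co. Returns 0 only when the 128-hex-digit hash matches.
# The file name inside SUMFILE is ignored so a package saved under another
# name still verifies against the hash that was fetched for it.
verify_sha512() {
    expected=$(awk 'NR == 1 {print tolower($1)}' "$2")
    actual=$(sha512_of "$1")
    [ -n "$expected" ] && [ ${#expected} -eq 128 ] && [ "$expected" = "$actual" ]
}

# rpm_signature_ok PKG: require both a zero exit from rpm --checksig and a
# line showing a PGP signature was actually present and valid. Assumption:
# "pgp" appears in rpm 4.11 output, "signatures OK" in rpm 4.14+ output.
rpm_signature_ok() {
    out=$(rpm --checksig "$1") || return 1
    printf '%s\n' "$out" | grep -Eq 'pgp|signatures OK'
}

# fetch_and_verify_rpm URL: download, check hash, check signature, install.
# Stops at the first failed check so an altered package never reaches rpm.
fetch_and_verify_rpm() {
    url=$1
    pkg=$(basename "$url")
    wget -q -O "$pkg" "$url" || return 1
    wget -q -O "$pkg.sha512" "$url.sha512" || return 1
    if ! verify_sha512 "$pkg" "$pkg.sha512"; then
        echo "SHA-512 mismatch for $pkg, refusing to install" >&2
        return 1
    fi
    # Import Elastic's public key so rpm can validate the package signature.
    rpm --import "$ELASTIC_KEY_URL" || return 1
    if ! rpm_signature_ok "$pkg"; then
        echo "GPG signature check failed for $pkg, refusing to install" >&2
        return 1
    fi
    rpm -ivh "$pkg"
}

# Usage: sh verify-install.sh https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.3.rpm
if [ $# -gt 0 ]; then
    fetch_and_verify_rpm "$1"
fi
```

Run it once per package URL in place of the bare wget/rpm pair. The hash check already protects against a corrupted or swapped download when the .sha512 came over HTTPS; the signature check adds a second, independent root of trust that does not depend on the download host.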

Kibana

  1. Download and install

    wget https://artifacts.elastic.co/downloads/kibana/kibana-6.2.3-x86_64.rpm
    rpm -ivh kibana-6.2.3-x86_64.rpm
  2. Modify kibana config

    vi /etc/kibana/kibana.yml
    # Kibana port
    server.port: 5601
    # Bind to all interfaces so Kibana is reachable from other hosts
    server.host: "0.0.0.0"

    Kibana 6.2.3 has no login of its own without X-Pack, and it proxies queries to Elasticsearch, so with server.host set to "0.0.0.0" anyone who can reach port 5601 can read and modify everything in the cluster. Keep the default "localhost" and put an authenticating reverse proxy (or at least a firewall rule) in front of it unless the host sits on a network you trust.
  3. Start service

    systemctl daemon-reload
    systemctl enable kibana.service
    systemctl start kibana
    systemctl status kibana
  4. Verify installation

    curl -I localhost:5601

    Kibana answers / with a 302 redirect to /app/kibana, so a 302 status line is the success case; a bare curl localhost:5601 prints little or nothing because the response body is empty. Kibana also needs Elasticsearch reachable at the elasticsearch.url set in kibana.yml (http://localhost:9200 by default).

    Logs are under /var/log/kibana/, and journalctl -u kibana shows what systemd captured.

  5. Reference : https://www.elastic.co/guide/en/kibana/current/rpm.html

Logstash

  1. Download and install

    wget https://artifacts.elastic.co/downloads/logstash/logstash-6.2.3.rpm
    rpm -ivh logstash-6.2.3.rpm
  2. Modify logstash.yml to enable auto reload config

    vi /etc/logstash/logstash.yml
    config.reload.automatic: true
    config.reload.interval: 3s

    With this on, Logstash polls /etc/logstash/conf.d/ every 3 seconds and applies pipeline changes without a restart. It also means anyone who can write to that directory changes the pipeline live, so keep it owned by root and not writable by the logstash user.
  3. Add first logstash config

    cd /etc/logstash/conf.d/
    cat > default.conf <<'EOF'
    input {
      beats {
        port => 5044
      }
    }
    output {
      elasticsearch {
        hosts => ["http://localhost:9200"]
      }
    }
    EOF

    This is a plaintext beats listener: anything that can reach port 5044 can inject events, and the traffic is readable on the wire. For shippers on other hosts, enable TLS on the input (the beats input's ssl, ssl_certificate and ssl_key options) and restrict who can reach the port.
  4. Start service

    systemctl daemon-reload
    systemctl enable logstash.service
    systemctl start logstash
    systemctl status logstash
  5. Verify installation

    ss -ltnp | grep 5044

    Logstash is a JVM application and takes a while to start, so the port may not be open right after systemctl start. Once it shows as LISTEN, telnet 127.0.0.1 5044 (or nc -vz 127.0.0.1 5044 where telnet is not installed) confirms the beats input accepts connections.

    Logs are under /var/log/logstash/ (logstash-plain.log); pipeline syntax errors show up there.

  6. Reference : https://www.elastic.co/guide/en/logstash/current/installing-logstash.html
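With all three services up, the question that matters most is which of the three ports (9200, 5601, 5044) the host is now offering to the network, because none of them carries authentication or TLS in this setup. The following is an added example, not part of the original post or of Elastic's tooling: it reads `ss -ltn` output and reports every ELK port bound to a wildcard address. The sample socket table embedded in it is constructed for illustration (it mirrors the page's configuration: Elasticsearch on loopback, Kibana on 0.0.0.0, the beats input on [::]), and the column layout it assumes is that of iproute2's ss with -l -t -n.

```shell
#!/bin/sh
# Added example for this page, not the original post's code: list which ELK
# listeners are reachable from outside the host. Elasticsearch 6.2.3, Kibana
# 6.2.3 and the plain beats input speak unauthenticated, unencrypted HTTP/TCP
# unless X-Pack security and TLS are configured, so a listener on a wildcard
# address (0.0.0.0, * or [::]) is open to anyone who can reach the host.

# Ports used on this page: Elasticsearch HTTP, Kibana, Logstash beats input.
ELK_PORTS="9200 5601 5044"

# exposed_elk_ports: read `ss -ltn` output on stdin and print one line
# "<port> <local address>" for each ELK port bound to a wildcard address.
# Loopback-only listeners (127.0.0.1, [::1], [::ffff:127.0.0.1]) are silent.
exposed_elk_ports() {
    awk -v ports="$ELK_PORTS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 == "LISTEN" {
            # Column 4 is "Local Address:Port"; the port follows the last colon.
            if (!match($4, /:[0-9]+$/)) next
            port = substr($4, RSTART + 1)
            addr = substr($4, 1, RSTART - 1)
            if (!(port in want)) next
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
                print port, addr
        }'
}

# check_elk_exposure: run the audit against the live socket table and return
# non-zero if anything is exposed, so it can gate a deployment script.
check_elk_exposure() {
    found=$(ss -ltn | exposed_elk_ports)
    if [ -n "$found" ]; then
        printf 'ELK listeners reachable from the network:\n%s\n' "$found" >&2
        return 1
    fi
    echo "no ELK port is bound to a wildcard address"
}

# Constructed sample of `ss -ltn` output (not captured from a real host):
# Elasticsearch on loopback only, Kibana on 0.0.0.0 as configured on this
# page, Logstash's beats input on [::], and sshd, which is not an ELK port.
SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port        Peer Address:Port
LISTEN  0       128     127.0.0.1:9200            0.0.0.0:*
LISTEN  0       128     [::ffff:127.0.0.1]:9200   [::]:*
LISTEN  0       128     0.0.0.0:5601              0.0.0.0:*
LISTEN  0       128     [::]:5044                 [::]:*
LISTEN  0       128     0.0.0.0:22                0.0.0.0:*'

# Usage on a live host: ss -ltn | exposed_elk_ports   (or) check_elk_exposure
# Below, the constructed sample is run instead so the script works offline.
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_elk_ports
```

On the sample table this prints 5601 on 0.0.0.0 and 5044 on [::] and stays quiet about 9200, which is exactly the state the page's kibana.yml and default.conf produce. Anything it lists should either be moved back to localhost, put behind an authenticating proxy or TLS-enabled input, or fenced with firewall rules before real log data flows into the cluster.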