kaustubh yerkade
Test

PS: this is still in progress.

🧱 OFFLINE ELK 9.2 ARCHITECTURE (RPM BASED)

| Server | Role | RPM needed |
|---|---|---|
| es01 | Elasticsearch | elasticsearch-9.2.x-x86_64.rpm |
| ls01 | Logstash | logstash-9.2.x-x86_64.rpm |
| kb01 | Kibana | kibana-9.2.x-x86_64.rpm |


🔴 STEP 1 — COMMON OS PREP (ALL 3 SERVERS)

1.1 Login as root

sudo -i


1.2 Set hostname

hostnamectl set-hostname es01 # ES server
hostnamectl set-hostname ls01 # Logstash server
hostnamectl set-hostname kb01 # Kibana server

Re-login after this.


1.3 /etc/hosts (MANDATORY)

vi /etc/hosts

10.10.10.11 es01
10.10.10.12 ls01
10.10.10.13 kb01


1.4 Disable swap

swapoff -a
sed -i.bak '/[[:space:]]swap[[:space:]]/s/^/#/' /etc/fstab

This comments out the swap entry (keeping an fstab.bak copy) instead of deleting every line that happens to contain the word "swap".


1.5 Kernel tuning

cat <<EOF > /etc/sysctl.d/99-elastic.conf
vm.max_map_count=262144
fs.file-max=2097152
EOF

sysctl --system

Verify:

sysctl vm.max_map_count


1.6 Firewall

Open each port only on the server that listens on it.

Elasticsearch (es01)

firewall-cmd --add-port=9200/tcp --permanent
firewall-cmd --add-port=9300/tcp --permanent

Logstash (ls01)

firewall-cmd --add-port=5044/tcp --permanent

Kibana (kb01)

firewall-cmd --add-port=5601/tcp --permanent

firewall-cmd --reload

These rules accept from any source. 9300 is the node-to-node transport port: Logstash and Kibana never use it, and a single-node cluster does not need it open at all. 9200 only has to reach ls01 and kb01, and 5044 only the hosts that ship logs. Once the stack works, restrict the sources with firewall-cmd rich rules.


🔴 STEP 2 — INSTALL ELASTICSEARCH (RPM ONLY) — es01

2.1 Copy RPM

scp elasticsearch-9.2.*.rpm root@es01:/opt/
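An RPM that arrives over scp or a USB stick should be checked against what Elastic published before it is installed. The script below is an added example (not part of the original post and not Elastic's tooling). It assumes that the `.sha512` sidecar Elastic publishes next to every package and the Elastic public key file (`GPG-KEY-elasticsearch`, from https://artifacts.elastic.co/GPG-KEY-elasticsearch) were downloaded on the connected workstation and copied along with the RPM; the `/opt/...` paths in the usage comment are the ones this post uses.

```shell
#!/bin/sh
# Added example (not from the original post): integrity checks for an RPM that
# arrived by scp/USB, to run on es01/ls01/kb01 before `dnf localinstall`.
# The .sha512 sidecar proves the file is the one you downloaded; the GPG
# signature proves Elastic built it (Elasticsearch Signing Key, fingerprint
# 4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4).
set -eu

# sha512sum is GNU coreutils; Elastic's docs use the Perl `shasum -a 512`.
sum_cmd() {
  if command -v sha512sum >/dev/null 2>&1; then sha512sum "$@"; else shasum -a 512 "$@"; fi
}

# Compare $1 (path to the rpm) against "$1.sha512" ("<hash>  <filename>" format).
# The sidecar names the file relatively, so the check runs from its directory.
check_sha512() {
  dir=$(dirname "$1"); file=$(basename "$1")
  [ -f "$dir/$file.sha512" ] || { echo "missing $file.sha512" >&2; return 1; }
  ( cd "$dir" && sum_cmd -c --status "$file.sha512" )
}

# Import Elastic's public key ($2) and verify the package signature of $1.
# Do not rely on the exit status alone: reject NOKEY (signature made by a key
# rpm does not know) and NOT OK explicitly.
check_signature() {
  rpm --import "$2"
  out=$(rpm -K "$1") || { echo "$out" >&2; return 1; }
  case $out in *NOKEY*|*"NOT OK"*) echo "$out" >&2; return 1;; esac
  echo "$out"
}

# Usage on a target host (file names as in this post):
#   sh verify-rpm.sh /opt/elasticsearch-9.2.x-x86_64.rpm /opt/GPG-KEY-elasticsearch
if [ "${1:-}" ]; then
  check_sha512 "$1" && check_signature "$1" "${2:-/opt/GPG-KEY-elasticsearch}" && echo "OK: $1"
fi
```

`rpm -K` needs the key imported once per host; after that `rpm -qp --qf '%{SIGPGP:pgpsig}\n' file.rpm` shows which key signed a package if you want to compare the key ID by eye.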


2.2 Install RPM (NO REPO)

cd /opt
dnf localinstall elasticsearch-9.2.*.rpm -y

✔ User elasticsearch is created automatically
✔ Systemd service is created


2.3 Create cert directory

mkdir -p /etc/elasticsearch/certs
chown elasticsearch:elasticsearch /etc/elasticsearch/certs
chmod 750 /etc/elasticsearch/certs


2.4 Generate CA (OFFLINE)

certutil writes its output into the Elasticsearch home directory, so work from there:

cd /usr/share/elasticsearch
bin/elasticsearch-certutil ca

Press ENTER at the file-name prompt → creates:

elastic-stack-ca.p12

You are also asked for a password for this file; if you set one, the next two steps ask for it again.

This file bundles the CA certificate AND the CA private key. It stays on es01. Never copy it to the Logstash or Kibana hosts; they only get the CA certificate (see 2.5).

Move:

mv elastic-stack-ca.p12 /etc/elasticsearch/certs/


2.5 Generate HTTP cert

cd /usr/share/elasticsearch
bin/elasticsearch-certutil http

Answer the prompts:

Generate a CSR?              n
Use an existing CA?          y
CA path                      /etc/elasticsearch/certs/elastic-stack-ca.p12
CA password                  (from 2.4, or empty)
Validity                     10y (default is 5y)
Certificate per node?        n
Hostnames                    es01
IP addresses                 10.10.10.11
Password for http.p12        (remember it; it goes into the keystore in 2.7)
Output file                  ENTER (default elasticsearch-ssl-http.zip in /usr/share/elasticsearch)

Extract:

unzip elasticsearch-ssl-http.zip
cp elasticsearch/http.p12 /etc/elasticsearch/certs/
cp kibana/elasticsearch-ca.pem /etc/elasticsearch/certs/ca.pem

The zip also contains kibana/elasticsearch-ca.pem: the CA certificate alone, in PEM form, with no private key. That file (copied here as ca.pem) is what Logstash and Kibana need to verify es01.


2.6 Generate transport cert

cd /usr/share/elasticsearch
bin/elasticsearch-certutil cert \
  --ca /etc/elasticsearch/certs/elastic-stack-ca.p12

(prompts for the CA password and for a password on the new file; remember the latter for 2.7)

mv elastic-certificates.p12 /etc/elasticsearch/certs/transport.p12

Permissions:

chown elasticsearch:elasticsearch /etc/elasticsearch/certs/*
chmod 600 /etc/elasticsearch/certs/*
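Two checks are worth running on es01 at this point, before Elasticsearch is started: that the file you are about to hand to ls01 and kb01 contains only the CA certificate and not the CA key, and that the certificate inside http.p12 actually chains to that CA and names es01. The script below is an added example, not the post's or Elastic's own tooling. So that it runs anywhere and offline, it first builds stand-ins for the two PKCS#12 files certutil produces using plain OpenSSL; the passwords capass/httppass and the mktemp working directory are placeholders. On the real host, point `extract_ca_pem` and `verify_http_p12` at /etc/elasticsearch/certs/elastic-stack-ca.p12 and http.p12 with the passwords you gave certutil.

```shell
#!/bin/sh
# Added example for the certificate steps above (not part of the original post).
# 1. extract ONLY the CA certificate (PEM) for Logstash/Kibana, never the key;
# 2. verify that the server certificate chains to that CA and carries the SAN
#    the clients will connect to.
# Assumes the OpenSSL CLI; "capass"/"httppass" are placeholder passwords.
set -eu

# Stand-in for `elasticsearch-certutil ca`: CA cert + private key in one PKCS#12.
make_demo_ca() {   # $1 = work dir, $2 = CA p12 path, $3 = p12 password
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Elastic Certificate Tool Autogenerated CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl pkcs12 -export -name ca -in "$1/ca.crt" -inkey "$1/ca.key" \
    -out "$2" -passout "pass:$3"
}

# Stand-in for `elasticsearch-certutil http`: server cert with DNS + IP SANs.
make_demo_http_p12() {   # $1 = work dir, $2 = http p12, $3 = password, $4 = hostname, $5 = ip
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$1/http.key" -out "$1/http.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$4" "$5" > "$1/san.cnf"
  openssl x509 -req -in "$1/http.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 3650 -extfile "$1/san.cnf" -out "$1/http.crt" 2>/dev/null
  openssl pkcs12 -export -name http -in "$1/http.crt" -inkey "$1/http.key" \
    -out "$2" -passout "pass:$3"
}

# Check 1: public CA certificate only. `-nokeys` leaves the private key in the p12,
# and piping through `openssl x509` drops the PKCS#12 "Bag Attributes" noise.
extract_ca_pem() {   # $1 = CA p12, $2 = its password, $3 = output PEM
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | openssl x509 -out "$3"
}

pem_has_private_key() { grep -q "PRIVATE KEY" "$1"; }

# Check 2: the server cert in http.p12 verifies against ca.pem (what Logstash,
# Kibana and curl --cacert do) and lists the hostname clients will use.
# Returns 1 on chain failure, 2 if the SAN is missing.
verify_http_p12() {   # $1 = http p12, $2 = its password, $3 = ca.pem, $4 = expected DNS SAN
  tmp=$(mktemp)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | openssl x509 -out "$tmp"
  openssl verify -CAfile "$3" "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; return 1; }
  openssl x509 -in "$tmp" -noout -text | grep -q "DNS:$4" || { rm -f "$tmp"; return 2; }
  rm -f "$tmp"
}

run_demo() {
  work=$(mktemp -d)
  make_demo_ca "$work" "$work/elastic-stack-ca.p12" capass
  make_demo_http_p12 "$work" "$work/http.p12" httppass es01 10.10.10.11
  extract_ca_pem "$work/elastic-stack-ca.p12" capass "$work/ca.pem"
  if pem_has_private_key "$work/ca.pem"; then echo "ca.pem leaks the CA key"; return 1; fi
  verify_http_p12 "$work/http.p12" httppass "$work/ca.pem" es01 \
    && echo "http.p12 chains to ca.pem and names es01 (files in $work)"
}
run_demo
```

On es01 the same extraction also gives you a PEM when you did not keep the `kibana/elasticsearch-ca.pem` from the http zip; `verify_http_p12 ... kb01` failing with status 2 is the error you would otherwise only see later as a hostname-verification failure in Kibana's log.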


2.7 Configure Elasticsearch

Since 8.0 the RPM post-install runs security auto-configuration: it appends a "BEGIN SECURITY AUTO CONFIGURATION ... END SECURITY AUTO CONFIGURATION" block to elasticsearch.yml (its own http.ssl/transport.ssl settings, enrollment, cluster.initial_master_nodes, http.host) and stores the passwords of its own http.p12/transport.p12 in elasticsearch.keystore. Delete that whole block before adding the settings below; in particular cluster.initial_master_nodes cannot be combined with discovery.type: single-node.

vi /etc/elasticsearch/elasticsearch.yml

cluster.name: prod-cluster
node.name: es01

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

network.host: 10.10.10.11   # 0.0.0.0 also works but binds every interface
http.port: 9200
discovery.type: single-node

xpack.security.enabled: true

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.verification_mode: certificate

Then store the passwords you gave http.p12 (2.5) and transport.p12 (2.6) in the keystore; these overwrite the entries the auto-configuration left behind, which no longer match your files:

/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

If you created a file without a password, remove the corresponding entry with elasticsearch-keystore remove instead.
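Before starting the service it is cheap to lint the file for the mistakes that make this setup fail or quietly weaken it. The script below is an added example (not from the post and not an Elastic tool): it reads the flat `key: value` lines this post uses and flags a leftover auto-configuration block, cluster.initial_master_nodes beside discovery.type: single-node, security or TLS switched off, a transport verification_mode that disables peer checks, and a bind-all network.host. The two sample files it writes are constructed for the demonstration; on es01 run `lint_es_yml /etc/elasticsearch/elasticsearch.yml`.

```shell
#!/bin/sh
# Added example (not from the original post): pre-start checks on the
# elasticsearch.yml from step 2.7. Flat "key: value" lines only.
set -eu

# Print the value of key $2 in file $1 (first match; comments and quotes stripped).
yml_get() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*$key:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*#.*$//' \
    | tr -d "\"'" | head -n 1
}

# Lint $1; prints one finding per line, returns 1 if any ERROR was found.
lint_es_yml() {
  f=$1; rc=0
  if grep -q 'BEGIN SECURITY AUTO CONFIGURATION' "$f"; then
    echo "ERROR: RPM auto-configuration block still present; its http.ssl/transport.ssl settings and cluster.initial_master_nodes override yours"
    rc=1
  fi
  if [ "$(yml_get "$f" discovery.type)" = single-node ] \
     && grep -q '^[[:space:]]*cluster\.initial_master_nodes:' "$f"; then
    echo "ERROR: cluster.initial_master_nodes cannot be set with discovery.type: single-node"; rc=1
  fi
  for k in xpack.security.enabled xpack.security.http.ssl.enabled xpack.security.transport.ssl.enabled; do
    [ "$(yml_get "$f" "$k")" = true ] || { echo "ERROR: $k is not true"; rc=1; }
  done
  for k in xpack.security.http.ssl.keystore.path xpack.security.transport.ssl.keystore.path; do
    [ -n "$(yml_get "$f" "$k")" ] || { echo "ERROR: $k is not set"; rc=1; }
  done
  vm=$(yml_get "$f" xpack.security.transport.ssl.verification_mode)
  case ${vm:-full} in
    certificate|full) ;;
    *) echo "ERROR: transport verification_mode '$vm' disables peer verification"; rc=1 ;;
  esac
  case $(yml_get "$f" network.host) in
    0.0.0.0|::) echo "WARN: network.host binds every interface; prefer the node address" ;;
  esac
  return $rc
}

# Constructed sample 1: the hand-written config from step 2.7 (clean).
write_clean_sample() {
  cat > "$1" <<'EOF'
cluster.name: prod-cluster
node.name: es01
network.host: 10.10.10.11
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.verification_mode: certificate
EOF
}

# Constructed sample 2: same file, but the auto-configuration block was left in
# and transport verification was switched off "for debugging".
write_leftover_sample() {
  write_clean_sample "$1"
  grep -v '^xpack\.security\.transport\.ssl\.verification_mode' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  cat >> "$1" <<'EOF'
xpack.security.transport.ssl.verification_mode: none
#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
xpack.security.enrollment.enabled: true
cluster.initial_master_nodes: ["es01"]
http.host: 0.0.0.0
#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
EOF
}

demo=$(mktemp -d)
write_clean_sample "$demo/clean.yml";  lint_es_yml "$demo/clean.yml" && echo "clean.yml: OK"
write_leftover_sample "$demo/bad.yml"; lint_es_yml "$demo/bad.yml"   || echo "bad.yml: fix before starting"
```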


2.8 Start Elasticsearch

systemctl daemon-reload
systemctl enable --now elasticsearch
systemctl status elasticsearch --no-pager

If it does not come up, the reason is in /var/log/elasticsearch/prod-cluster.log (the log file is named after cluster.name).


2.9 Set passwords

Run these once the node is up (the tool talks to the running instance):

/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system

✔ SAVE THEM. elastic is the superuser; kibana_system is only for Kibana's own connection to Elasticsearch and must not be used for anything else.


2.10 Verify ES

Verify against the CA certificate rather than with -k, which skips certificate checking and would hide a wrong or self-signed certificate (the PEM is kibana/elasticsearch-ca.pem from the elasticsearch-ssl-http.zip extracted in 2.5):

curl --cacert /etc/elasticsearch/certs/ca.pem -u elastic https://es01:9200


🔴 STEP 3 — INSTALL LOGSTASH (RPM ONLY) — ls01

3.1 Copy RPM

scp logstash-9.2.*.rpm root@ls01:/opt/


3.2 Install

cd /opt
dnf localinstall logstash-9.2.*.rpm -y


3.3 Copy CA certificate from ES

Logstash only needs the CA certificate in PEM form (kibana/elasticsearch-ca.pem from the elasticsearch-ssl-http.zip of step 2.5, kept on es01 as /etc/elasticsearch/certs/ca.pem). Do not copy elastic-stack-ca.p12: it contains the CA private key, and the Elasticsearch output plugin cannot use a PKCS#12 file as a CA anyway.

mkdir -p /etc/logstash/certs
scp root@es01:/etc/elasticsearch/certs/ca.pem /etc/logstash/certs/
chown root:logstash /etc/logstash/certs/ca.pem
chmod 640 /etc/logstash/certs/ca.pem


3.4 Logstash keystore

With the RPM layout the keystore must live in /etc/logstash; without --path.settings the tool creates it under /usr/share/logstash/config and the service never sees it.

/usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
/usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_PWD
chown logstash:logstash /etc/logstash/logstash.keystore

Paste the elastic password. elastic is the superuser; for production create a dedicated user whose role can only write to the target indices and store that user's password here instead.


3.5 Logstash pipeline

vi /etc/logstash/conf.d/beats.conf

input {
  beats {
    port => 5044   # plaintext from Beats; TLS on this listener is a separate step
  }
}

output {
  elasticsearch {
    hosts => ["https://es01:9200"]
    user => "elastic"
    password => "${ES_PWD}"
    ssl_enabled => true
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.pem"]
  }
}

ssl_certificate_authorities takes PEM files; the older cacert option did too, so pointing either at the .p12 fails. Hostname verification against the certificate's SAN (es01) is on by default.


3.6 Start Logstash

Check that the pipeline parses first:

/usr/share/logstash/bin/logstash --path.settings /etc/logstash -t

systemctl enable logstash
systemctl start logstash


🔴 STEP 4 — INSTALL KIBANA (RPM ONLY) — kb01

4.1 Copy RPM

scp kibana-9.2.*.rpm root@kb01:/opt/


4.2 Install

cd /opt
dnf localinstall kibana-9.2.*.rpm -y


4.3 Copy CA certificate

As for Logstash, only the CA certificate in PEM form goes to kb01 (kibana/elasticsearch-ca.pem from the http zip of step 2.5, kept on es01 as /etc/elasticsearch/certs/ca.pem). elasticsearch.ssl.certificateAuthorities takes PEM files, and elastic-stack-ca.p12 stays on es01 because it holds the CA private key.

mkdir -p /etc/kibana/certs
scp root@es01:/etc/elasticsearch/certs/ca.pem /etc/kibana/certs/
chown root:kibana /etc/kibana/certs/ca.pem
chmod 640 /etc/kibana/certs/ca.pem


4.4 Configure Kibana

Keep the kibana_system password out of kibana.yml by putting it in the Kibana keystore:

/usr/share/kibana/bin/kibana-keystore create
/usr/share/kibana/bin/kibana-keystore add elasticsearch.password
chown kibana:kibana /etc/kibana/kibana.keystore

Paste the kibana_system password from 2.9. Then:

vi /etc/kibana/kibana.yml

server.host: "0.0.0.0"
server.port: 5601

elasticsearch.hosts: ["https://es01:9200"]
elasticsearch.username: "kibana_system"

elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/ca.pem"]


4.5 Start Kibana

systemctl enable kibana
systemctl start kibana

Access:

http://kb01:5601

Log in as elastic with the password from 2.9. With this kibana.yml the https:// part is only the Kibana-to-Elasticsearch connection; the browser side is plain HTTP. To serve the UI over TLS as well, set server.ssl.enabled: true, server.ssl.certificate and server.ssl.key to a PEM certificate and key for kb01 issued from the same CA (elasticsearch-certutil cert --pem --name kb01 --dns kb01 --ip 10.10.10.13 --ca /etc/elasticsearch/certs/elastic-stack-ca.p12, run on es01).


🔴 STEP 5 — FINAL CHECKS

| Component | Command |
|---|---|
| ES | curl --cacert /etc/elasticsearch/certs/ca.pem -u elastic https://es01:9200 (CA in PEM form, never -k) |
| LS | ss -lntp (5044 listening); journalctl -u logstash for output errors |
| KB | Browser UI at http://kb01:5601, login prompt shown |
| Security | TLS on 9200 verified against the CA; no request succeeds without credentials |


THIS IS THE CORRECT WAY FOR RPM-ONLY INSTALLS

No repos
No internet
No missing steps
No shortcuts

If you want next (step-by-step again):

Filebeat on IBM AIX

Mutual TLS

HA ES (3 nodes)

SELinux enforcement

Hardening checklist

Please let me know in the comments.
