Introduction
Elasticsearch, Logstash, and Kibana are the three open-source tools that make up the ELK Stack.
For the purpose of identifying issues with servers or applications, the ELK stack offers centralized logging. It enables comprehensive log searches in one location.
Elasticsearch
It was created using Java. An open source search engine. It uses JSON format to get data, search and also save it. It comes in a HTTP dashboard web interface (Kibana).
Logstash
An open-source tool to manage logs and different events. It saves log data in JSON format then saves it in Elasticsearch.
Kibana
An open-source tool that let's you visualize the Elaticsearch data in the format of a dashboard.
Beats
A data transfer service which can be installed on the Client and send a large amount of data from the Client to the Logstash & Elasticsearch server.
ELK Stack Architecture
A simple ELK Stack looks like
With Beats it looks like
If we are dealing with very large amounts of data, we can add kafka
and for security we can include Nginx
as well
Setting up the ELK Stack
As it is created from Java, we will need a JVM environment to run ELK. (4GB+ RAM required)
π‘ Selinux can interrupt with retrieving the logs using ELK Stack so we will be disabling that
vi /etc/sysconfig/selinux
setenforce 0
reboot
getenforce
Disabled
Step 1 π JDK Installation
As Elasticsearch is based on Java, we need the JDK.
rpm -qa | grep java
We can search for java packages and if we aren't able to find any, we can just install it using yum
yum -y install java-1.8 open-jdk*
After the installation, we can check the java version
java -version
openjdk version "1.8.0_362"
Step 2 π Elasticsearch Installation
We will first create a directory named ELK
and work inside there
mkdir ./ELK
cd ELK
Now, we need to download the Elasticsearch package
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.1-x86_64.rpm
π‘ If you don't have wget
installed, you can install it first using yum
Importing the GPG Key
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
π‘ The GPG Key ensures that the RPM package file was not altered
We can now install the package that we downloaded
rpm -ivh elasticsearch-7.6.1-x86_64.rpm
rpm -qa | grep elasticsearch
elasticsearch-7.6.1-1.x86_64
We have to edit some configurations by accessing the elasticsearch
config files and its yml
file
vi /etc/elasticsearch/elasticsearch.yml
43 bootstrap.memory_lock: true
55 network.host: localhost
59 http.port: 9200
vi /usr/lib/systemd/system/elasticsearch.service
33 # Memory mlockall
34 LimitMEMLOCK=infinity
vi /etc/sysconfig/elasticsearch
46 MAX_LOCKED_MEMORY=unlimited
π‘ As I am setting up the Elasticsearch on the same system as the Logstash, I have set the network host as the localhost
Also enabling the mlockall
function to change the memory usage setting for all operations to use physical memory
The mlockall
locks all pages mapped to the address of the call process. It is sometimes used to ensure that the Java virtual machine (JVM) running Elasticsearch does not run out of memory, as this can cause the JVM to crash.
We will have to reload the daemon to make the mlockall
setting configured correctly
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
Enabled and started the elasticsearch
daemon as well
To confirm JAVA process is running on 9200 port
netstat -antp | grep 9200
Next, we will use curl
to confirm mlockall
status
curl -XGET 'localhost:9200/_nodes?filter_path=**.mlockall&pretty'
{
"nodes" : {
"1JrdEndhRaS5Le2JUxiDsw" : {
"process" : {
"mlockall" : true
}
}
}
}
Also, we can confirm if the elasticsearch
is running or not
curl -XGET 'localhost:9200/?pretty'
Step 3 π Nginx & Kibana Installation
Downloading the kibana
rpm package
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.6.1-x86_64.rpm
Installing the Kibana package
rpm -ivh kibana-7.6.1-x86_64.rpm
Confirming if the package was successfully installed
rpm -qa | grep kibana
kibana-7.6.1-1.x86_64
We will edit the configuration files for kibana now
vi /etc/kibana/kibana.yml
2 server.port: 5601
7 server.host: "0.0.0.0"
28 elasticsearch.hosts: ["http://localhost:9200"]
π‘ Proceeded with all-network setup to set up the production port and allow external access (only certain hosts can be specified)
Enabling and starting the kibana
daemon
systemctl enable kibana
systemctl start kibana
Confirming kibana service status
netstat -antp | grep 5601
tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 8691/node
π‘ It will take some time for the tcp LISTEN node to show
Now we have to install Nginx
We will be using the epel
repository as well so
yum -y install epel-release
yum -y install nginx httpd-tools
The Kibana Service displays information on the screen through the Reverse WEB Proxy Server. That is why we will configure the Reverse WEB Proxy Server with the Nginx Web Server
π‘ A **forward proxy* sits in front of clients and a reverse proxy sits in front of servers. Both types of proxies serve as intermediaries between clients and servers*
Editing some entries in the configuration file for Nginx
vi /etc/nginx/nginx.conf
38 server {
39 listen 80 default_server;
40 listen [::]:80 default_server;
41 server_name _;
42 root /usr/share/nginx/html;
43
44 # Load configuration files for the default server block.
45 include /etc/nginx/default.d/*.conf;
46
47 location / {
48 }
49
50 error_page 404 /404.html;
51 location = /40x.html {
52 }
53
54 error_page 500 502 503 504 /50x.html;
55 location = /50x.html {
56 }
57 }
We have to delete the above lines from the Nginx config file as we will be adding a virtual host
Including the following in kibana configuration file
server {
listen 80;
server_name example.com;
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.kibana-user;
location / {
proxy_pass http://localhost:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
This will set up virtual host for Reverse Proxy Server operation
Next, we have to set login credentials for kibana access user
htpasswd -c /etc/nginx/.kibana-user Admin
New password:
Re-type new password:
Adding password for user Admin
Verifying Nginx settings
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Enabling and starting nginx. We can also confirm if its working
systemctl enable nginx
systemctl start nginx
netstat -antp | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 8889/nginx: master
Step 4 π Logstash Installation
Downloading and installing the rpm package
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.6.1.rpm
rpm -ivh logstash-7.6.1.rpm
rpm -qa | grep logstash
logstash-7.6.1-1.noarch
Now, we need to edit the openssl config file
226 [ v3_ca ]
227 # Server IP Address
228 subjectAltName = IP: <Your-IP-Address>
π‘ When sending log information using SSL/TLS, it is recommended to encrypt and transmit log information
Issuing the openssl certificate
openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout /etc/pki/tls/private/logstash-forwarder.key -out /etc/pki/tls/certs/logstash-forwarder.crt
After generating and verifying the public key certificate and private key used in SSL/TLS, we generated the public key certificate and private key by referring to the SSL/TLS configuration file
ls -ld /etc/pki/tls/certs/logstash-forwarder.crt
-rw-r--r-- 1 root root 1241 2μ 13 13:09 /etc/pki/tls/certs/logstash-forwarder.crt
ls -ld /etc/pki/tls/private/logstash-forwarder.key
-rw-r--r-- 1 root root 1704 2μ 13 13:09 /etc/pki/tls/private/logstash-forwarder.key
Specifying expiration date and RSA Bit value for each key through additional options
# Using Filebeat to determine which format to accept data sent from the Client
input {
beats {
client_inactivity_timeout => 600
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
# Logstash supports various Filter Plugins (mainly using "grok" Filter Plugins)
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?: \[%{POSINT:syslog_pid}\])?:
%{GREEDYDATA:syslog_message}" }
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
# Proceeding with settings to transfer data collected by Logstash to Elasticsearch
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "syslog-%{+YYYY.MM.dd}"
}
}
Finally, we just need to enable and start the logstash
systemctl enable logstash
systemctl start logstash
And also, adding 5044 port TCP in the firewall along with the http
protocol
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-port=5044/tcp
firewall-cmd --reload
We can check the logstash if its working or not
netstat -antp | grep 5044
tcp6 0 0 :::5044 :::* LISTEN 12868/java
π‘ It will take some time for logstash to start working
Step 5 π Logstash Client Filebeat Installation
We need the tls certificate inside the Logstash Client, so we will copy the public key certificate from the ELK Server to the Client Linux using scp
# The Client with IP (192.168.1.129)
scp root@192.168.1.128:/etc/pki/tls/certs/logstash-forwarder.crt ./
root@192.168.1.128's password:
logstash-forwarder.crt 100% 1241 1.0MB/s 00:00
# Moving the `.crt` file to the `/etc/pki/tls/certs` directory
mv ./logstash-forwarder.crt /etc/pki/tls/certs/
Again importing the GPG
Key for elasticsearch and downloading the filebeat rpm
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.1-x86_64.rpm
# Installing the filebeat package
rpm -ivh filebeat-7.6.1-x86_64.rpm
rpm -qa | grep filebeat
filebeat-7.6.1-1.x86_64
As usual, we have to edit some entries in the config file
vi /etc/filebeat/filebeat.yml
# Enabling the Filebeat and also declaring what logs we want to see
24 enabled: true
27 paths:
28 - /var/log/*.log
29 - /var/log/secure
30 - /var/log/messages
# Commenting the Elasticsearch output as we will be getting Logstash output
150 #-------------------------- Elasticsearch output ------------------------------
151 #output.elasticsearch:
152 # Array of hosts to connect to.
153 #hosts: ["localhost:9200"]
# Uncommenting the logstash output + declaring the ELK Host IP and the ssl certificate location
163 #----------------------------- Logstash output --------------------------------
164 output.logstash:
165 # The Logstash hosts
166 hosts: ["<ELK HOST IP>:5044"]
167 ssl.certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
168 bulk_max_size: 1024 # Specifying the maximum number of events that can be sent at a time
We now just have to enable and start the filebeat daemon
systemctl enable filebeat
systemctl start filebeat
systemctl status filebeat
β filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2023-02-13 14:43:53 KST; 2min 49s ago
If we check the connection from the ELK Host
netstat -antp | grep 5044
tcp6 0 0 :::5044 :::* LISTEN 17021/java
tcp6 0 0 <ELK HOST>:5044 <Client>:35030 ESTABLISHED 17021/java
Now from your browser, you can open the ELK Host server by using its IP address:
Using the username and password that we set before
Once we are in, we will be able to see this screen
We will click on "Try our sample data" and navigate to
We just need to Define the index pattern
And then configure the settings
Finally, we just need to navigate to the "Discover" tab to see our logs
β We can always filter logs to meet our needs. I demonstrated on how to set up ELK Stack on your Linux Server.
Top comments (1)
very comprehencive article @waji97 . Thank you for such nice article.
Just a suggestion. Please add the file name that needs to be added/edit at line:
"Specifying expiration date and RSA Bit value for each key through additional options"
I believe you are referring to the logstash filter file there. I added it at:
vi /etc/logstash/conf.d/logstash-filter.conf
that has content:
"input {
beats {
client_inactivity_timeout => 600
port => 5044......"
Again, that is one of the most comprehensive article I saw about basic ELK installation.