ELK Stack installation on CENTOS using YUM
ELK is the acronym for three open source projects: Elasticsearch, Logstash, and Kibana.
Elasticsearch is a search and analytics engine and a NoSQL database built on the Lucene search library. Logstash is a data processing pipeline that accepts log data from various sources, applies parsing and transformations, and ships the output to targets such as an Elasticsearch instance. Kibana is used to visualize the data held in Elasticsearch with charts and graphs.
The ELK stack provides centralized logging for applications and servers, including appliances, which makes it much easier to identify problems by analyzing logs in a single repository. It also helps correlate logs from multiple servers within a specific time frame to pinpoint issues.
Elasticsearch requires Java 8 or later as a prerequisite.
Installation steps
Download and install the public signing key:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Create a file called elasticsearch.repo in the /etc/yum.repos.d/ directory with the following contents.
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
Elasticsearch
Install Elasticsearch with the following command:
sudo yum install elasticsearch
To configure Elasticsearch to start automatically when the system boots up, run the following commands:
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
Elasticsearch can be started and stopped as follows:
sudo systemctl start elasticsearch.service
sudo systemctl stop elasticsearch.service
You can test that your Elasticsearch node is running by sending an HTTP request to port 9200 on localhost:
[root@siemhost ~]# sudo curl -XGET 'localhost:9200/?pretty'
{
  "name" : "0Xtoanx",
  "cluster_name" : "HOST-SIEM",
  "cluster_uuid" : "2KUerzOHQgGg8yEvrb6XDA",
  "version" : {
    "number" : "6.2.3",
    "build_hash" : "c59ff00",
    "build_date" : "2018-03-13T10:06:29.741383Z",
    "build_snapshot" : false,
    "lucene_version" : "7.2.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
[root@siemhost ~]#
Logstash
Install Logstash with the following command:
sudo yum install logstash
To configure Logstash to start automatically when the system boots up, run the following commands:
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable logstash.service
Logstash can be started and stopped as follows:
sudo systemctl start logstash.service
sudo systemctl stop logstash.service
You can check the status of Logstash by issuing the command:
sudo systemctl status logstash
[root@siemhost ~]# systemctl status logstash
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-03-25 10:50:07 AST; 1h 8min ago
 Main PID: 30624 (java)
Kibana
Install Kibana with the following command:
sudo yum install kibana
To configure Kibana to start automatically when the system boots up, run the following commands:
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable kibana.service
Kibana can be started and stopped as follows:
sudo systemctl start kibana.service
sudo systemctl stop kibana.service
By default Kibana is accessible through port 5601. Point your web browser at the machine where Kibana is running and specify the port number.
For example, localhost:5601 or http://yourhost:5601
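The following script, added here as an example and not part of the original guide, bundles the post-install checks implied by the steps above: it verifies that the yum repository file still enforces GPG signature checking over HTTPS, confirms each of the three units is enabled and running, and reads the version back from the Elasticsearch node on port 9200. The repo file path, URLs and service names are the ones used in this guide; the function names are my own.

```shell
#!/bin/sh
# Added example: sanity checks for an ELK install done with the steps above.
# Assumes the repo file path and GPG key URL from the guide (REPO_FILE may be
# overridden in the environment for testing).
REPO_FILE="${REPO_FILE:-/etc/yum.repos.d/elasticsearch.repo}"

# Verify the yum repo keeps package signature verification on and fetches
# packages and the key over HTTPS. Returns 0 if all checks pass, 1 otherwise.
check_repo_file() {
  f="$1"
  rc=0
  [ -r "$f" ] || { echo "repo file $f is not readable"; return 1; }
  grep -q '^gpgcheck=1' "$f" || { echo "gpgcheck is not set to 1"; rc=1; }
  grep -q '^baseurl=https://' "$f" || { echo "baseurl is not HTTPS"; rc=1; }
  grep -q '^gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch' "$f" \
    || { echo "gpgkey is not the Elastic signing key over HTTPS"; rc=1; }
  return $rc
}

# Read the "number" field of a /?pretty response (the version) from stdin.
# Prints the version string; prints nothing if the field is absent.
es_version_from_json() {
  sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# True when the given systemd unit is both enabled at boot and currently active.
unit_ok() {
  systemctl is-enabled --quiet "$1" && systemctl is-active --quiet "$1"
}

# Live query of the local node on port 9200, as in the guide, returning its version.
es_live_version() {
  curl -s -XGET 'localhost:9200/?pretty' | es_version_from_json
}

# Run all checks and print a one-line verdict per item.
run_checks() {
  check_repo_file "$REPO_FILE" && echo "repo file: ok"
  for u in elasticsearch logstash kibana; do
    if unit_ok "$u.service"; then echo "$u: enabled and running"; else echo "$u: NOT healthy"; fi
  done
  echo "elasticsearch version: $(es_live_version)"
}
```

Call run_checks on the host after the three packages have been installed and started; the repo and JSON helpers can also be used on their own.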