How to install Elastic Stack/ELK Stack on CentOS

Fairly recently I made some notes for a setup of Elastic Stack (AKA ELK Stack) on a network of CentOS 6 machines. I found it relatively involved, so I thought it was worth sharing. This could be used on later versions of CentOS/RHEL with minor adaptations.

On the main log processing server

Oracle Java 8 needs to be installed.

Import RPM key:

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

In /etc/yum.repos.d/elasticsearch.repo:

[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Install Elasticsearch:

yum install elasticsearch

Add the following to /etc/init.d/elasticsearch:

# Configure Java environment (use /usr/local/jdk8 instead if that is where Java 8 lives)
JAVA_HOME=/usr/local/java
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME PATH

Start the service:

service elasticsearch start
chkconfig elasticsearch on

In /etc/yum.repos.d/kibana.repo:

[kibana-5.x]
name=Kibana repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Install Kibana:

yum install kibana

Configure Kibana to listen on the network rather than only on localhost. Note that a basic Kibana 5.x install has no authentication of its own, so once it is bound to all interfaces, restrict who can reach port 5601 with the host firewall or put it behind a reverse proxy that authenticates.

In /etc/kibana/kibana.yml:

server.host: "0.0.0.0"

Start the service:

service kibana start
chkconfig kibana on

In /etc/yum.repos.d/logstash.repo:

[logstash-5.x]
name=Elastic repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Install Logstash:

yum install logstash

If needed, change the Java executable path in /etc/logstash/startup.options, then run /usr/share/logstash/bin/system-install to regenerate the startup files.

Add to /etc/init/logstash.conf:

env JAVA_HOME=/usr/local/java
env PATH=/usr/local/java/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

Add a syslog source in /etc/logstash/conf.d/syslog.conf:

input {
  file {
    path => [ "/var/log/messages" ]
    type => "syslog"
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

Add the Beats input and filter in /etc/logstash/conf.d/filebeat.conf:

input {
  beats {
    port => 5044
  }
}

filter {
  if [fields][log_type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
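The two filter blocks above (the local syslog.conf and the filebeat.conf fed by remote Filebeat agents) share one grok pattern and one date filter. Before restarting Logstash it is worth checking that the pattern actually matches the lines your hosts produce, since a miss only shows up as a "_grokparsefailure" tag in Kibana. The following is an added example, not part of the original notes and not Logstash code: it reproduces the grok + date + add_field behaviour in plain Python over a few constructed sample lines, including the [fields][log_type] conditional from filebeat.conf and the index name rendered by the output block. The event shape is a simplified Filebeat event, and the year supplied to the date parser is an assumption (syslog timestamps carry no year; Logstash fills in the current one).

```python
"""Offline model of the syslog filter chain from the two Logstash configs.

Added example: reproduces the grok, add_field and date filters in plain
Python so the pattern can be checked against sample lines without a running
Logstash. The event layout is a simplified Filebeat event and the sample
lines are constructed for this example.
"""
import re
from datetime import datetime, timezone

# Python translation of the page's grok pattern:
# %{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA}
SYSLOG_RE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>[1-9][0-9]*)\])?: "
    r"(?P<syslog_message>.*)$"
)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_syslog_timestamp(ts, year):
    """Equivalent of the date filter patterns 'MMM d HH:mm:ss' / 'MMM dd HH:mm:ss'.
    The double space in 'Mar  5' is handled by split(); the year is supplied by
    the caller because the syslog format does not carry one (assumed here)."""
    month, day, clock = ts.split()
    hh, mm, ss = (int(x) for x in clock.split(":"))
    return datetime(year, MONTHS[month], int(day), hh, mm, ss, tzinfo=timezone.utc)


def filter_event(event, year=2017):
    """Apply the filter { } block from filebeat.conf: grok only when
    fields.log_type == "syslog", then the add_field and date steps.
    Mirrors Logstash by tagging _grokparsefailure when the pattern misses."""
    if event.get("fields", {}).get("log_type") != "syslog":
        return event  # conditional not met: the event passes through untouched
    m = SYSLOG_RE.match(event["message"])
    if not m:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    # grok: add every captured field; the optional pid is omitted when absent
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    event["received_at"] = event["@timestamp"]  # add_field => received_at
    event["received_from"] = event["host"]      # add_field => received_from
    # date filter: @timestamp becomes the time written by the syslog daemon
    event["@timestamp"] = parse_syslog_timestamp(event["syslog_timestamp"], year)
    return event


def index_name(event):
    """Render the output index pattern "%{[@metadata][beat]}-%{+YYYY.MM.dd}"."""
    return f'{event["@metadata"]["beat"]}-{event["@timestamp"]:%Y.%m.%d}'


def make_event(line, host="web01"):
    """Construct a minimal Filebeat-shaped event (simplified for the example)."""
    return {
        "message": line,
        "host": host,
        "@timestamp": "2017-03-05T10:00:01.000Z",  # ingest time stamped by Filebeat
        "fields": {"log_type": "syslog"},            # set in filebeat.yml
        "@metadata": {"beat": "filebeat", "type": "log"},
    }


# Constructed sample lines: one with a pid, one without, one that is not syslog.
SAMPLE_LINES = [
    "Mar  5 09:58:12 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.7 port 51022 ssh2",
    "Mar 15 09:58:13 web01 kernel: usb 1-1: new high-speed USB device",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = filter_event(make_event(line))
        print(index_name(ev), ev.get("syslog_program"), ev.get("syslog_pid"), ev.get("tags"))
```

Run it as a script to see each sample line either parsed into syslog_* fields with @timestamp moved to the logged time, or tagged with _grokparsefailure. Because the date filter drops the Filebeat ingest time in favour of the syslog time, the index chosen by the output block follows the day the line was logged, not the day it arrived; received_at keeps the ingest time for comparison.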

Logstash runs as its own unprivileged user, and /var/log/messages is normally readable only by root, so grant that user read access if necessary (prefer a narrow grant such as a group or ACL over making the file world-readable), then start logstash.

Results should be visible at this URL (insert name/IP as appropriate for your network): http://NAME OR IP OF LOG PROCESSING SERVER:5601

To tail logs for information and problems:

cd /var/log
tail -F messages elasticsearch/*.log kibana/* logstash/logstash-plain.log

On other servers sending log data to the main server

Import RPM key:

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

In /etc/yum.repos.d/elastic.repo:

[elastic-5.x]
name=Elastic repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Install Filebeat:

yum install filebeat

Modify /etc/filebeat/filebeat.yml as follows (YAML indentation is significant). Note that this ships the logs in clear text to port 5044; if the path between the hosts is not trusted, enable TLS on both the beats input in Logstash and the output.logstash section here.

filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/messages
  fields:
    log_type: syslog

output.logstash:
  hosts: ["NAME OR IP OF LOG PROCESSING SERVER:5044"]

Start service:

chkconfig --add filebeat
service filebeat start

To tail logs for information and problems:

tail -F /var/log/filebeat/filebeat