ELK stack is the acronimous of Elasticsearch, Logstash and Kibana and it’s a powerful tool that allow you to collect, analyze and visualize your logs.
let’s start!!!!
first install java:
sudo yum install -y java-1.8.0-openjdk-develafter this check the installed version with java -version.
go to the main elasticsearch website in order to collect the correct and updated repository. Download and install the public key:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearchcreate a file in the /etc/yum.repos.d/ and paste this data:
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-mdstart the installation with
yum install -y elasticsearchstart, enable and verify the elasticsearch service
systemctl start elasticsearch
systemctl enable elasticsearch
systemctl status elasticsearchcheck the cluster status
# curl -X GET "localhost:9200/_cat/health?v"
epoch timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1557000685 20:11:25 elasticsearch green 1 1 0 0 0 0 0 0 - 100.0%
check the node status
# curl -X GET "localhost:9200/_cat/nodes?v"
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
127.0.0.1 30 33 2 0.10 0.13 0.13 mdi * elkInstall Kibana
# yum install -y kibanaedit the configuration file
vim /etc/kibana/kibana.ymluncomment the following line
server.port: 5601start and enable kibana
systemctl start kibana
systemctl enable kibanaInstall Nginx
you need nginx to be used as a reverse proxy. Install epel release and nginx
yum install epel-release
yum install httpd-tools
yum install nginx edit the nginx configuration
vim /etc/nginx/conf.d/elkstack.confpaste the following code in this file
server {
listen 80;
server_name elkstack;
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/htpasswd.kibana;
location / {
proxy_pass http://localhost:5601;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}before start the service we need to remove the default nginx configuration file. Edit the /etc/nginx/nginx.conf. Locate and delete the whole server section.
This is the portion of the file that we have to delete
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}Now it’s time to set the username and password to access our ELK stack server.
sudo htpasswd -c /etc/nginx/htpasswd.kibana admininsert the password that you’ll use to access to the system.
if you have selinux configured in enforce mode you need to allow httpd
sudo setsebool httpd_can_network_connect 1 -Pyou should do the same with your firewall (firewalld in centos) if you have problems.
# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
# firewall-cmd --reload
successvisit you ip address with the browser and……IT WORKS!
You’ll see anything right now because we don’t have any data and we have to complete the ELK with Logstash.
Logstash is a data collector that is able to parse incoming data and insert them in elasticsearch to be visualized in kibana
yum install -y logstashsystemctl start logstash
systemctl enable logstashstart and enable logstash
that’s all for this “episode”. In the next step we’ll configure logstash to collect and parse our data.