Install Elasticsearch / elk stack

Prerequisites:

sudo yum install nano wget nmap net-tools ntp -y
sudo yum update -y && sudo reboot

If you don't use IPv6 (I don't, so I'll disable it; otherwise Logstash also starts tcp6 and udp6 listeners):

sudo nano /etc/sysctl.conf
add the line:

net.ipv6.conf.all.disable_ipv6 = 1
Finally reload the sysctl file:

sudo sysctl -p
Time is of the essence for a log server (correlating events across hosts depends on accurate timestamps), so I'll use network time via ntpd. A simple enable and start should be enough to get the correct time on CentOS:

sudo systemctl enable ntpd
sudo systemctl start ntpd
Next we need java:

cd ~
wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u131-b11/d54c1d3a095b4ff2b6607d096fa80163/jdk-8u131-linux-x64.rpm"
sudo rpm -Uvh jdk*
sudo rm ~/jdk*
And finally we need to import the Elasticsearch signing key so yum can verify the packages:

sudo rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
Install Elasticsearch:

echo '[elasticsearch-5.x]
name=Elasticsearch repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
' | sudo tee /etc/yum.repos.d/elasticsearch.repo

sudo yum -y install elasticsearch
sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch
When you want to run Elasticsearch in production, edit its systemd unit file:

sudo nano /usr/lib/systemd/system/elasticsearch.service

Uncomment the line "LimitMEMLOCK=infinity" (it only has an effect when bootstrap.memory_lock is set to true in elasticsearch.yml), then run "sudo systemctl daemon-reload" so systemd picks up the change.

Test if everything is working with two commands, one against the address your network sees and one against localhost:

curl -XGET 'http://<your external/internal ip address>:9200/?pretty'

curl -XGET 'http://localhost:9200/?pretty'

Install Kibana:

echo '[kibana-5.x]
name=Kibana repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
' | sudo tee /etc/yum.repos.d/kibana.repo

sudo yum -y install kibana
sudo systemctl start kibana
sudo systemctl enable kibana
Install Logstash:

echo '[logstash-5.x]
name=Elastic repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
' | sudo tee /etc/yum.repos.d/logstash.repo

sudo yum -y install logstash
sudo systemctl start logstash
sudo systemctl enable logstash
Configure SELinux:

sudo setsebool -P httpd_can_network_connect true
Privileged ports:

When using privileged ports (below 1024) on CentOS 7 you'll notice you can't use them without turning off SELinux. Since I don't recommend that, you can use the following workaround (taken from <https://discuss.elastic.co/t/logstash-bind-to-port-514/44022/9>).

Replace 'internal' with your active firewall zone. You can view the zones with:

sudo firewall-cmd --list-all-zones
Default ports used by the Elastic stack (note that when port 9200 or 9300 is already in use, Kibana will increment it by one; and don't forget to change the zone accordingly):

sudo firewall-cmd --set-default-zone=internal
sudo firewall-cmd --permanent --zone=internal --add-port=514/tcp #syslog port
sudo firewall-cmd --permanent --zone=internal --add-port=514/udp #syslog port
sudo firewall-cmd --permanent --zone=internal --add-port=5514/tcp #syslog forwarded port
sudo firewall-cmd --permanent --zone=internal --add-port=5514/udp #syslog forwarded port
sudo firewall-cmd --permanent --zone=internal --add-port=5600/tcp #kibana
sudo firewall-cmd --permanent --zone=internal --add-port=5601/tcp #kibana
sudo firewall-cmd --permanent --zone=internal --add-port=9600/tcp #logstash
sudo firewall-cmd --permanent --zone=internal --add-port=9200/tcp #elasticsearch
sudo firewall-cmd --permanent --zone=internal --add-port=9300/tcp #elasticsearch
To use privileged ports on CentOS with SELinux enabled, you can use the following workaround: forward the privileged port at the firewall to the unprivileged port Logstash actually listens on.

Notice: you won't see a listener on port 514 with "netstat -ano", because the redirect happens in the firewall, not in Logstash.
sudo firewall-cmd --zone=internal --add-masquerade --permanent
sudo firewall-cmd --add-forward-port=port=514:proto=udp:toport=5514 --permanent
sudo firewall-cmd --add-forward-port=port=514:proto=tcp:toport=5514 --permanent

sudo systemctl restart network.service
sudo systemctl restart firewalld
Commands to check your firewall settings:

firewall-cmd --list-all-zones
firewall-cmd --zone=internal --list-all
firewall-cmd --zone=internal --query-masquerade
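A check to run after the firewall commands above: it parses the output of firewall-cmd --zone=internal --list-all and reports any port from the list above that is missing, any extra open port, and whether the masquerade and 514 to 5514 forward rules from the workaround are in place. This is an added example, not part of the original post; the port list and the sample dump are assumptions taken from the commands above.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the firewalld zone used
# for the Elastic stack matches the port list and the 514 -> 5514 workaround.
# Feed it the output of: sudo firewall-cmd --zone=internal --list-all

# Ports opened above in the "internal" zone (assumption: same list as the post).
ELK_PORTS="514/tcp 514/udp 5514/tcp 5514/udp 5600/tcp 5601/tcp 9600/tcp 9200/tcp 9300/tcp"
# Forward rules from the privileged-port workaround.
ELK_FORWARDS="port=514:proto=udp:toport=5514 port=514:proto=tcp:toport=5514"

# zone_field DUMP FIELD: value of the "  FIELD: ..." line of a --list-all dump.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# check_zone DUMP: print one line per problem; return 0 only if all is in place.
check_zone() {
    dump=$1
    rc=0
    ports=$(zone_field "$dump" ports)
    for p in $ELK_PORTS; do
        case " $ports " in *" $p "*) ;; *) echo "missing port $p"; rc=1 ;; esac
    done
    # Anything open beyond the list is extra attack surface; flag it.
    for p in $ports; do
        case " $ELK_PORTS " in *" $p "*) ;; *) echo "unexpected port $p"; rc=1 ;; esac
    done
    # Forward rules may continue on indented lines, so search the whole dump.
    for f in $ELK_FORWARDS; do
        printf '%s\n' "$dump" | grep -qF -- "$f" || { echo "missing forward rule $f"; rc=1; }
    done
    [ "$(zone_field "$dump" masquerade)" = "yes" ] || { echo "masquerade is off"; rc=1; }
    return $rc
}

# Constructed sample dump in the --list-all format (not captured from a real host).
SAMPLE_DUMP='internal (active)
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client
  ports: 514/tcp 514/udp 5514/tcp 5514/udp 5600/tcp 5601/tcp 9600/tcp 9200/tcp 9300/tcp
  masquerade: yes
  forward-ports: port=514:proto=udp:toport=5514:toaddr=
        port=514:proto=tcp:toport=5514:toaddr='

if check_zone "$SAMPLE_DUMP"; then
    echo "zone matches the Elastic stack port list"
fi
# On the real host: check_zone "$(sudo firewall-cmd --zone=internal --list-all)"
```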
Next we're going to edit some default configuration files. By default Elasticsearch and Kibana only listen on localhost and are not reachable from your network.

sudo nano /etc/elasticsearch/elasticsearch.yml

Change the network.host parameter to _site_:

network.host: _site_
Next up Kibana: edit the "server.host" property to 0.0.0.0:

sudo nano /etc/kibana/kibana.yml

Neither Elasticsearch nor Kibana authenticates clients out of the box in this setup, so once they listen on the network, limit who can reach ports 9200, 9300 and 5601 through the firewall zone configured above.
Yay, you've made it this far, but I have not :o)
