a. Installing and configuring Elasticsearch
Guide to install Elastic Stack
For simplicity reasons I will be installing Elastic Stack as an All-in-One server that has all three instances, Elasticsearch, Kibana, and Logstash on a Ubuntu 18.04 LTS server with 8GB of RAM.
Sizing and configuring an Elastic Stack cluster with multiple nodes for logging use cases can be challenging and might be the subject of a separate blog.
Firstly, I will add the name of my single-node cluster in /etc/hosts to use later in my elasticsearch configuration file.
192.168.20.222 elk_allinone
127.0.0.1 localhost
Considering the impact of swap on the performance and stability of the nodes, it is recommended to disable it permanently by modifying the
/etc/fstab file.$ sudo swapon –show
$ sudo swapoff -v /swapfile
$ sudo vi /etc/fstab
Then comment any ligne that contains the word
swap in the/etc/fstab then delete swapfile$ sudo rm /swapfile
I am going to work here with version
7.8.0 of elastic stack since, later, I will be installing opendistro's plugins which are at the time of writing this blog was not compatible with the latest version of Elastic Stack. See here for more information about version compatibilities.$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-amd64.deb
$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-amd64.deb.sha512
$ shasum -a 512 -c elasticsearch-7.8.0-amd64.deb.sha512
$ sudo dpkg -i elasticsearch-7.8.0-amd64.deb
As a rule of thumb, it is recommended to dedicate half of the available RAM to Elasticsearch. In our case we have 8GB so we will modify
jvm.optionsaccordingly.$ sudo vi /etc/elasticsearch/jvm.options
-Xms4g
-Xmx4g
Next step is modifying
elasticsearch.ymlconfiguration file to fit my single-node cluster requirements.// Back up your configuration file
$ sudo cp elasticsearch.yml elasticsearch.yml.backup
$ sudo vi /etc/elasticsearch/elasticsearch.yml
# ======================== Elasticsearch Configuration ===================#
cluster.name: cyb3rsn0rlax
node.name: elk_allinone
node.master: true
node.ingest: true
node.data: true
node.ml: false
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: [_local_, _site_]
http.port: 9200
cluster.initial_master_nodes: ["elk_allinone"]
I have a single-node cluster so obviously it will be my data node for storing data, my master node and my ingest node if I am willing to use Elasticsearch pipelines.
It is recommended to modify system configuration to allow the user running Elasticsearch to access more resources than allowed by default. This part depends on the system you're using and the method you used to install Elasticsearch, since we are using Ubuntu and the Debian package manual installation the following method would make the necessary changes.
$ sudo systemctl edit elasticsearch
Add the following lines then reload and start Elasticsearch :
[Service]
LimitMEMLOCK=infinity
$ sudo systemctl daemon-reload
$ sudo systemctl start elasticsearch
Configure elasticsearch service for automatic startup
$ sudo /bin/systemctl daemon-reload
$ sudo /bin/systemctl enable elasticsearch.service
Check its status and curl it
$ sudo systemctl status elasticsearch
$ sudo curl localhost:9200
{
"name" : "elk_allinone",
"cluster_name" : "cyb3rsn0rlax",
"cluster_uuid" : "-wuP6BX2QCiB5CSHKSw2GQ",
"version" : {
"number" : "7.8.0",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "ef48eb35cf30adf4db14086e8aabd07ef6fb113f",
"build_date" : "2020-11-26T06:34:37.794943Z",
"build_snapshot" : false,
"lucene_version" : "8.4.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
Last modified 2yr ago