# Install Elastic Stack 7 on Fedora 30/Fedora 29/CentOS 7

Source: https://kifarunix.com/install-elastic-stack-7-on-fedora-30-fedora-29-centos-7/ (published 2019-06-29, updated 2019-07-10)
In this guide, we are going to learn how to install Elastic Stack 7 on Fedora 30/Fedora 29/CentOS 7. Elastic Stack comprises Elasticsearch, Kibana, Logstash and Beats.

Elastic Stack components should be installed in the following order: Elasticsearch, Kibana, Logstash, then Beats (Filebeat in this guide).

Installation of Elasticsearch 7.0 on Fedora 30/Fedora 29/CentOS 7 has been covered in our previous guides. See the links below:

- Install Elasticsearch 7 on Fedora 30
- Install Elasticsearch 7.x on CentOS 7/Fedora 29

### Configure Elasticsearch Bind Interface

If you need to connect to Elasticsearch externally, you need to bind it to a non-loopback interface. Hence, edit the configuration file and set the value of `network.host` to the address of a non-loopback interface, or to the interface name itself. See the Elasticsearch documentation on special values for `network.host`.

```
vim /etc/elasticsearch/elasticsearch.yml
```

```
...
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
#network.host: 192.168.0.1
network.host: 192.168.43.75
...
```

### Configure Elasticsearch Single Node Discovery

If you are running Elasticsearch in a non-production (non-cluster) environment and want to bind transport to a non-loopback interface, just like in this demo, you need to set the discovery mode to single node. Otherwise you may get bootstrap check failed errors.

Therefore add the line `discovery.type: single-node` under the Discovery section of the Elasticsearch configuration file to enable single node discovery.

```
...
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
discovery.type: single-node
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
```

Save the configuration file and restart Elasticsearch.

```
systemctl restart elasticsearch.service
```

Verify that Elasticsearch is listening on the non-loopback interface as defined above.

```
ss -alnpt | grep 9200
LISTEN 0 128 [::ffff:192.168.43.103]:9200 *:* users:(("java",pid=30625,fd=213))
```

You can also check it as follows.

```
curl -XGET http://192.168.43.103:9200
{
  "name" : "elkstack.example.com",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "f_Au_kWoQ4CjVvghdtIW2w",
  "version" : {
    "number" : "7.2.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "508c38a",
    "build_date" : "2019-06-20T15:54:18.811730Z",
    "build_snapshot" : false,
    "lucene_version" : "8.0.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
```

### Install Kibana 7 on Fedora 30/Fedora 29/CentOS 7

To install Kibana 7, you need to create the Elastic repos. However, if you followed the above guides, the Elastic Stack RPM repos are already created. Hence, you can simply run the `yum install kibana` command below to install Kibana 7.

If the repos are not yet present, you can create the Elastic 7.x repos by executing the commands below:

```
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
```

```
cat > /etc/yum.repos.d/elastic-7.x.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
```

Note that since the YUM package manager works on both Fedora and CentOS, we will be using YUM for package installation. You can however use DNF on a Fedora system.

```
yum install kibana
```

Once the installation is done, start Kibana and enable it to run on system boot.

```
systemctl start kibana
systemctl enable kibana
```

Kibana is set to run on `localhost:5601` by default. As a layer of security, we are going to install Nginx and configure it to proxy the connection to Kibana via a publicly accessible interface IP.

#### Install Nginx

```
yum install nginx
```

Note that you need to install the EPEL repos on CentOS 7 in order to install Nginx.

```
yum install epel-release
```

#### Configure Nginx with SSL to Proxy Kibana

Generate the SSL/TLS certificates for the Nginx SSL proxy connection and create an Nginx configuration file to define the Kibana settings. In this guide, we are using a self-signed certificate. You can as well obtain a trusted CA certificate from your preferred provider.

#### Generate Self-signed SSL/TLS certificates

```
mkdir /etc/ssl/private
```

```
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/kibana-selfsigned.key -out /etc/ssl/certs/kibana-selfsigned.crt
```

Create the Kibana Nginx configuration. You can use the recommendations from Cipherli.st while configuring SSL.

```
vim /etc/nginx/conf.d/kibana.conf
```

```
server {
    listen 80;
    server_name elastic.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name elastic.example.com;

    root /usr/share/nginx/html;
    index index.html index.htm index.nginx-debian.html;

    ssl_certificate /etc/ssl/certs/kibana-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/kibana-selfsigned.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    resolver 192.168.43.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    access_log /var/log/nginx/kibana_access.log;
    error_log /var/log/nginx/kibana_error.log;

    auth_basic "Authentication Required";
    auth_basic_user_file /etc/nginx/.kibana-auth;

    location / {
        proxy_pass http://127.0.0.1:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```

Generate the Diffie-Hellman group at the location specified by the `ssl_dhparam` parameter.

```
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
```

Set the value of `types_hash_max_size` to 4096.

```
sed -i 's/types_hash_max_size 2048/types_hash_max_size 4096/' /etc/nginx/nginx.conf
```

#### Configure Nginx Authentication

To configure Nginx user authentication, you need to create users and their passwords. These authentication details will be saved in the file `/etc/nginx/.kibana-auth`, specified by the `auth_basic_user_file` parameter in the Nginx configuration file.

You can use the `openssl` command to generate the authentication credentials as shown below. Replace USERNAME and PASSWORD accordingly:

```
printf "USERNAME:$(openssl passwd -crypt PASSWORD)\n" > /etc/nginx/.kibana-auth
```

Verify the Nginx syntax and reload it if everything is okay.

```
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

Start Nginx and enable it to run on system boot.

```
systemctl start nginx
systemctl enable nginx
```

If Firewalld is running, allow Nginx connections, both HTTP and HTTPS.

```
firewall-cmd --add-service={http,https} --permanent
firewall-cmd --reload
```

If SELinux is running, configure it to allow Nginx to connect to the network.

```
setsebool -P httpd_can_network_connect 1
```

### Configure Kibana

Since we set the proxy to the loopback IP address instead of `localhost`, you need to configure Kibana to use the loopback IP address.

```
vim /etc/kibana/kibana.yml
```

```
server.host: "127.0.0.1"
```

Also, if Elasticsearch is configured to listen on a different IP address, you need to configure the Elasticsearch URL in Kibana.

```
elasticsearch.hosts: ["http://192.168.43.75:9200"]
```

### Access Kibana Dashboard

You should now be able to access the Kibana dashboard via the server's fully qualified hostname, `https://elastic.example.com` in this case. Accept the risk of using the self-signed certificate and proceed. Before you can access the Kibana dashboard, you will be required to provide the authentication credentials set above.

After authentication, you will land on the Kibana dashboard. Since we don't have data yet, you will see the welcome screen. Click **Explore My Own** to proceed to the Kibana dashboard.

Kibana is now installed on Fedora 30/Fedora 29/CentOS 7. The next step is to install Logstash, the data processing engine, and the Filebeat data shipper. See how to install Logstash and Filebeat by following the links below:

- Install Logstash 7 on Fedora 30/Fedora 29/CentOS 7
- Install Filebeat on Fedora 30/Fedora 29/CentOS 7

### Create Kibana Index Pattern

Now that your Filebeat is sending events to your Elastic Stack, you need to add your Elasticsearch index to Kibana. Hence, click the settings **gear icon** on the left panel of Kibana and navigate to **Index Patterns** under **Kibana > Create Index Patterns**.

Proceed to the next step and set the time field name to **timestamp**. Once that is done, click **Create Index Pattern**.

Next, click on the **Discover** tab on the left panel of Kibana to see your parsed event data.

SSH successful logins

SSH failed logins

As you can see, we have the fields that were extracted using the grok filter defined in our Logstash configuration on Fedora 30/Fedora 29/CentOS 7.

You can now proceed to collect events from other sources and push them to your Elastic Stack. Enjoy.

Reference:

- Kibana User Guide

### Related Tutorials:

- Install and Configure Logstash 7 on Ubuntu 18/Debian 9.8
- Install and Configure Filebeat 7 on Ubuntu 18.04/Debian 9.8
- Install Elastic Stack 7 on Ubuntu 18.04/Debian 9.8