
Step-by-Step Guide to Installing and Configuring ELK Stack on CentOS 7

This comprehensive tutorial walks you through installing Java, Elasticsearch, Logstash, Kibana, and related tools on two CentOS 7 servers, configuring cluster settings, verifying health, and visualizing logs with Kibana, complete with command‑line examples and troubleshooting tips.

Ops Development Stories

ELK Installation and Deployment

Official website: https://www.elastic.co/cn/
Guides: https://www.elastic.co/guide/cn/elasticsearch/guide/current/index.html
Installation guide: https://www.elastic.co/guide/en/elasticsearch/reference/7.5/rpm.html

ELK consists of Elasticsearch, Logstash, and Kibana. Logstash collects, parses, and forwards logs; Elasticsearch provides real‑time full‑text search and analytics; Kibana offers a web UI for visualizing data stored in Elasticsearch. Beats are lightweight data shippers (e.g., Filebeat).

Logstash: supports many input sources (syslog, RabbitMQ, JMX) and output destinations (email, websockets, Elasticsearch).

Elasticsearch: distributed search engine built on Apache Lucene, exposing REST and Java APIs.

Kibana: web interface that queries Elasticsearch via its REST API.

Beats: lightweight agents such as Filebeat for sending logs to Logstash or Elasticsearch.

Basic Concepts

Node – one running Elasticsearch process. A server usually runs one node, but it is the process, not the host, that is the node.
Cluster – one or more nodes that share the same cluster.name and elect a master among themselves.
Index – a collection of documents.
Document – a single JSON record inside an index.
Type – a logical grouping of documents within an index. Mapping types are deprecated in 7.x; an index has a single type, _doc.
Field – the smallest unit of data stored, a key and its value inside a document.
Shards – the pieces an index is split into, each of them a Lucene index.
Replicas – copies of primary shards, for redundancy and read throughput.

Environment Preparation

Two CentOS 7.6 servers are used:

192.168.73.133 – install Elasticsearch, Logstash, Kibana, Java.

192.168.73.135 – install Elasticsearch, Logstash.

Install JDK

Logstash needs a JDK (8 or 11 for the 7.5 release). Elasticsearch 7.x ships with its own bundled JDK and only uses the system one when JAVA_HOME is set, and Kibana does not use Java at all, so the system JDK is installed here mainly for Logstash.

[root@elk-master ~]# yum install -y java
[root@elk-master ~]# java -version
openjdk version "1.8.0_232"
OpenJDK Runtime Environment (build 1.8.0_232-b09)
OpenJDK 64-Bit Server VM (build 25.232-b09, mixed mode)

Or install from Oracle binaries and set environment variables (example omitted for brevity).

Install Elasticsearch

# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# vim /etc/yum.repos.d/elasticsearch.repo   (add the 7.x repository definition from the installation guide linked above, keeping gpgcheck=1 so every package is verified against the key just imported)
# yum install -y elasticsearch

Create data directory and adjust ownership:

# mkdir -p /data/es-data
# chown -R elasticsearch:elasticsearch /data/es-data
# chown -R elasticsearch:elasticsearch /var/log/elasticsearch/

Edit /etc/elasticsearch/elasticsearch.yml (relevant settings shown):

cluster.name: elk-cluster
node.master: true
node.data: true
node.name: elk-1
path.data: /data/es-data
path.logs: /var/log/elasticsearch/
network.host: 192.168.73.133
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
discovery.zen.ping.unicast.hosts: ["192.168.73.133", "192.168.73.135"]
discovery.zen.minimum_master_nodes: 1

Three of these deserve a second look on a 7.5 install. The discovery.zen.* names are 6.x settings: Elasticsearch 7 treats discovery.zen.ping.unicast.hosts as a deprecated alias of discovery.seed_hosts and ignores discovery.zen.minimum_master_nodes, and a brand-new 7.x cluster bound to a non-loopback address also needs cluster.initial_master_nodes (here ["elk-1", "elk-2"]) on its first start, or it never elects a master. http.cors.allow-origin: "*" exists only for the elasticsearch-head UI installed later and lets any web page loaded in a browser on the LAN query the cluster; restrict it to the origin head is opened from. Finally, network.host puts the REST API on the LAN while security in 7.5 is off by default, so anyone who can reach port 9200 can read, change and delete every index; turn on xpack.security.enabled: true (part of the free basic license), which on a multi-node cluster also requires transport TLS, and set the built-in passwords with elasticsearch-setup-passwords before shipping real logs.

Start and enable the service:

# systemctl start elasticsearch && systemctl enable elasticsearch

Verify with curl:

# curl http://192.168.73.133:9200/
{
  "name" : "elk-1",
  "cluster_name" : "elk-cluster",
  "version" : { "number" : "7.5.0" },
  "tagline" : "You Know, for Search"
}
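The risky settings in the elasticsearch.yml above (CORS wildcard, no authentication on a LAN-bound port, 6.x discovery names, no cluster.initial_master_nodes) can be checked mechanically. The script below is an added example, not code from the tutorial or from Elastic: audit_es_config reads an elasticsearch.yml on stdin and prints one finding per weak setting (a copy of the tutorial's file is embedded as constructed sample input), and hardened_es_config prints the 7.x equivalent with those settings fixed. The node names and addresses are the tutorial's; the elasticsearch-head origin http://192.168.73.133:9100 and the keystore file name elastic-certificates.p12 are assumptions, the latter being the default name elasticsearch-certutil writes.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of Elastic's packages.
# audit_es_config flags the weak settings in an elasticsearch.yml of the shape
# shown above; hardened_es_config prints the 7.x-style replacement.
# Assumptions: Elasticsearch 7.x setting names; node names elk-1/elk-2 as in the
# tutorial; elasticsearch-head is opened from one known origin (4th argument);
# the transport keystore is the elastic-certificates.p12 that
# elasticsearch-certutil writes by default.

# Constructed copy of the tutorial's elasticsearch.yml, used as sample input.
PAGE_ES_CONFIG='cluster.name: elk-cluster
node.master: true
node.data: true
node.name: elk-1
path.data: /data/es-data
path.logs: /var/log/elasticsearch/
network.host: 192.168.73.133
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
discovery.zen.ping.unicast.hosts: ["192.168.73.133", "192.168.73.135"]
discovery.zen.minimum_master_nodes: 1'

# True if the config loaded by audit_es_config has a line matching the ERE in $1.
has() { printf '%s\n' "$cfg" | grep -Eq "$1"; }

# Read a config on stdin; print one finding per line, nothing if clean.
audit_es_config() {
  cfg=$(cat)
  # Bound to a routable address with security at its default (off): anyone who
  # can reach 9200 can read, write and delete every index.
  if has '^network\.host:' &&
     ! has '^network\.host:[[:space:]]*"?(127\.0\.0\.1|localhost|_local_)"?[[:space:]]*$' &&
     ! has '^xpack\.security\.enabled:[[:space:]]*true'; then
    echo "no-auth: network.host is reachable but xpack.security.enabled is not true"
  fi
  # CORS wildcard: any web page open in a browser on the LAN may query the cluster.
  if has '^http\.cors\.allow-origin:[[:space:]]*"?\*"?'; then
    echo "cors-wildcard: http.cors.allow-origin allows every origin"
  fi
  # 6.x discovery names: unicast.hosts is a deprecated alias in 7.x and
  # minimum_master_nodes is ignored; a fresh 7.x cluster also needs
  # cluster.initial_master_nodes or it never elects a master.
  if has '^discovery\.zen\.'; then
    echo "legacy-discovery: discovery.zen.* settings are 6.x names"
  fi
  if ! has '^cluster\.initial_master_nodes:'; then
    echo "no-bootstrap: cluster.initial_master_nodes is missing"
  fi
}

# Print a hardened elasticsearch.yml for one node.
# $1 node name, $2 this node's IP, $3 the peer's IP, $4 the elasticsearch-head origin.
hardened_es_config() {
  cat <<EOF
cluster.name: elk-cluster
node.name: $1
node.master: true
node.data: true
path.data: /data/es-data
path.logs: /var/log/elasticsearch/
network.host: $2
http.port: 9200
# CORS only for the origin elasticsearch-head is opened from, never a wildcard
http.cors.enabled: true
http.cors.allow-origin: "$4"
# 7.x discovery: seed hosts plus the master set that bootstraps the new cluster
discovery.seed_hosts: ["$2", "$3"]
cluster.initial_master_nodes: ["elk-1", "elk-2"]
# Authentication and transport TLS (both in the free basic license); the PKCS#12
# file is produced by bin/elasticsearch-certutil and copied to /etc/elasticsearch
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
EOF
}

# Usage when run as a script: findings for the tutorial's file, then (none
# expected) for the hardened file.
printf '%s\n' "$PAGE_ES_CONFIG" | audit_es_config
hardened_es_config elk-1 192.168.73.133 192.168.73.135 "http://192.168.73.133:9100" | audit_es_config
```

To complete the hardened setup, generate the certificate once with /usr/share/elasticsearch/bin/elasticsearch-certutil ca followed by elasticsearch-certutil cert --ca elastic-stack-ca.p12, copy the resulting elastic-certificates.p12 into /etc/elasticsearch on both nodes (owner elasticsearch, not world-readable), start the cluster, then run elasticsearch-setup-passwords interactive on one node. Run the audit again after any later edit of the file; it reads stdin, so it works on a remote copy too.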

Important System Limits

The RPM runs Elasticsearch as the elasticsearch user (not elk) under systemd, and systemd does not read /etc/security/limits.conf; the packaged unit file already sets LimitNOFILE=65535 and LimitNPROC=4096. The entries below therefore only matter when Elasticsearch is started from a login shell as that user:

# vim /etc/security/limits.conf
elasticsearch soft nofile 65536
elasticsearch hard nofile 65536
elasticsearch soft nproc 2048
elasticsearch hard nproc 2048
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
# vim /etc/security/limits.d/90-nproc.conf   (CentOS 7 ships this file as 20-nproc.conf)
* soft nproc 2048

For the systemd service, the equivalent of the memlock lines is a drop-in created with systemctl edit elasticsearch containing [Service] and LimitMEMLOCK=infinity; it only has an effect if bootstrap.memory_lock: true is set in elasticsearch.yml.

Disable the bootstrap system-call filter only if the node refuses to start with "system call filters failed to install":

# vim /etc/elasticsearch/elasticsearch.yml
bootstrap.system_call_filter: false

The filter is seccomp on Linux; it stops the JVM from forking other processes and is a defence against code execution inside the node, so it should stay on. CentOS 7 kernels support seccomp, so this line is normally not needed; it was a workaround for CentOS 6.

Node Installation (Second Server)

Apply a similar elasticsearch.yml with node.name: elk-2 and network.host: 192.168.73.135, then start the service.

Check node membership:

# curl http://192.168.73.133:9200/_cat/nodes?v
(Screenshot: ELK nodes list from _cat/nodes)

Cluster Health

# curl -i -XGET http://192.168.73.133:9200/_cluster/health?pretty
{
  "cluster_name" : "elk-cluster",
  "status" : "green",
  "number_of_nodes" : 2,
  "active_primary_shards" : 5,
  "active_shards" : 10,
  "unassigned_shards" : 0,
  "active_shards_percent_as_number" : 100.0
}

Green = fully allocated, Yellow = some replicas missing, Red = primary shards missing.
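The status field is what a monitor should key on. As an added example (not from the tutorial), the script below extracts it from the health response with sed, so it works on a CentOS 7 box without jq, and maps it to an exit code a cron job or monitoring agent can act on. The sample responses embedded in it are constructed, trimmed copies of the shape shown above; the check_cluster wrapper at the end is the part that talks to a live node, with the address 192.168.73.133:9200 assumed from the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: turn the _cluster/health
# response into an exit code (0 green, 1 yellow, 2 red, 3 no usable answer).
# No jq dependency, so it runs on a bare CentOS 7 host.

# Constructed sample responses, trimmed to the fields used; the live body comes
# from: curl -s http://192.168.73.133:9200/_cluster/health?pretty
HEALTH_GREEN='{
  "cluster_name" : "elk-cluster",
  "status" : "green",
  "number_of_nodes" : 2,
  "unassigned_shards" : 0
}'
HEALTH_YELLOW='{ "cluster_name" : "elk-cluster", "status" : "yellow", "number_of_nodes" : 1, "unassigned_shards" : 5 }'
HEALTH_RED='{"cluster_name":"elk-cluster","status":"red","number_of_nodes":1,"unassigned_shards":10}'

# Print the value of one scalar field of a flat JSON object read on stdin,
# whether or not the output was pretty-printed. Prints nothing if absent.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}[:space:]]*\).*/\1/p" | head -n 1
}

# Read a health body on stdin and return the status as an exit code.
# Anything that is not green/yellow/red (empty body, HTML error page, an
# {"error":...,"status":401} document once security is on) counts as "down".
health_exit_code() {
  status=$(json_field status)
  case "$status" in
    green)  return 0 ;;
    yellow) return 1 ;;
    red)    return 2 ;;
    *)      return 3 ;;
  esac
}

# Query a live node, print a one-line summary and exit with the code above.
# $1 = host:port, e.g. 192.168.73.133:9200; add -u user:pass once security is on.
check_cluster() {
  body=$(curl -s --max-time 5 "http://$1/_cluster/health") || body=''
  rc=0
  printf '%s\n' "$body" | health_exit_code || rc=$?
  printf 'cluster=%s status=%s nodes=%s unassigned=%s rc=%d\n' \
    "$(printf '%s\n' "$body" | json_field cluster_name)" \
    "$(printf '%s\n' "$body" | json_field status)" \
    "$(printf '%s\n' "$body" | json_field number_of_nodes)" \
    "$(printf '%s\n' "$body" | json_field unassigned_shards)" "$rc"
  return "$rc"
}
```

Call check_cluster 192.168.73.133:9200 from cron and alert on any non-zero exit. Mapping unknown bodies to 3 rather than 0 matters once authentication is enabled: an unauthenticated probe then gets a JSON error whose "status" is the HTTP code 401, and a naive grep for "status" would report the cluster healthy.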

Install elasticsearch‑head Plugin

elasticsearch-head is a browser UI for inspecting indices and shards; it is what the http.cors.* settings above are for, since the browser talks to port 9200 directly. Two options:

Run the Docker image:

# docker run -p 9100:9100 mobz/elasticsearch-head:5

then open http://localhost:9100/ and enter the cluster address.

Clone from GitHub and start with npm:

# yum install -y npm
# git clone https://github.com/mobz/elasticsearch-head.git
# cd elasticsearch-head
# npm install
# npm run start &

Either way head listens on port 9100 without authentication, so keep it on a workstation or behind the same access controls as port 9200, and point http.cors.allow-origin at that single origin rather than "*".

(Screenshot: elasticsearch‑head UI)

Install and Use Logstash

# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# yum install -y logstash
# ln -s /usr/share/logstash/bin/logstash /usr/local/bin/

Test with a simple pipeline:

# logstash -e 'input { stdin { } } output { stdout {} }'
hello world

Send data to Elasticsearch:

# logstash -e 'input { stdin { } } output { elasticsearch { hosts => ["192.168.73.133:9200"] } stdout { codec => rubydebug } }'
I am ELK

Logstash Configuration Files

Example elk.conf (the same pipeline as the -e test above, saved under /etc/logstash/conf.d/ so the logstash service picks it up):

input { stdin { } }
output {
  elasticsearch { hosts => ["192.168.73.133:9200"] }
  stdout { codec => rubydebug }
}

Check a pipeline file for syntax errors before (re)starting the service:

# logstash --config.test_and_exit -f /etc/logstash/conf.d/elk.conf

File input example for system and secure logs:

input {
  file { path => "/var/log/messages" type => "system" start_position => "beginning" }
  file { path => "/var/log/secure" type => "secure" start_position => "beginning" }
}
output {
  if [type] == "system" {
    elasticsearch { hosts => ["192.168.73.133:9200"] index => "nagios-system-%{+YYYY.MM.dd}" }
  }
  if [type] == "secure" {
    elasticsearch { hosts => ["192.168.73.133:9200"] index => "nagios-secure-%{+YYYY.MM.dd}" }
  }
}

Two things bite here in practice. First, start_position => "beginning" only applies the first time Logstash sees a file; afterwards it resumes from the offset recorded in its sincedb, so re-running the pipeline does not re-index the file. Second, the logstash service runs as the logstash user, and on a default CentOS 7 install /var/log/secure (and /var/log/messages) are root-owned and not readable by other users, so the service cannot read them even though the -e and -f tests above, run as root, can. Grant the logstash user read access (for example an ACL set with setfacl, re-applied in a logrotate postrotate script because rotation creates fresh files) rather than running Logstash as root.
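The secure index above receives raw sshd lines. The script below is an added example, not part of the tutorial: it pulls the user, the source address and the invalid-user marker out of constructed /var/log/secure lines and reports addresses with repeated failures, which is the first thing one usually wants from that index. It uses awk so that it runs stand-alone; in the Logstash pipeline the same extraction would be a grok filter in the secure branch, which the tutorial does not show. Host names, users and addresses in the sample are made up.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: parse failed SSH logins out
# of /var/log/secure lines (the data the "secure" index above receives) and
# flag source addresses that keep failing.

# Constructed sample lines in the rsyslog format of /var/log/secure; hosts,
# users and addresses are made up (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges).
SAMPLE_SECURE_LOG='Dec 10 09:12:01 elk-master sshd[2412]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Dec 10 09:12:04 elk-master sshd[2412]: Failed password for root from 203.0.113.7 port 51013 ssh2
Dec 10 09:12:09 elk-master sshd[2419]: Accepted publickey for deploy from 192.168.73.10 port 40210 ssh2: RSA SHA256:3xK9q
Dec 10 09:12:15 elk-master sshd[2420]: Failed password for root from 198.51.100.4 port 33302 ssh2
Dec 10 09:12:16 elk-master sshd[2412]: Failed password for root from 203.0.113.7 port 51014 ssh2
Dec 10 09:13:02 elk-master sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart logstash'

# Read log lines on stdin; print one record per failed SSH login:
#   <user> <source-ip> <invalid|known>
# "invalid" marks usernames that do not exist on the host (sshd writes
# "for invalid user NAME"), the usual signature of a credential scan.
sshd_failures() {
  awk '
    /sshd\[[0-9]+\]: Failed password for / {
      invalid = "known"
      for (i = 1; i <= NF; i++) {
        if ($i == "for") {
          if ($(i+1) == "invalid") { invalid = "invalid"; user = $(i+3) } else { user = $(i+1) }
        }
        if ($i == "from") { ip = $(i+1) }
      }
      print user, ip, invalid
    }'
}

# Source addresses with at least $1 failed logins, printed as "<ip> <count>".
failed_logins_by_ip() {
  sshd_failures | awk -v thr="$1" '
    { n[$2]++ }
    END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }' | sort
}
```

Run it as root against the real file with failed_logins_by_ip 10 < /var/log/secure; the same per-address count over a time window is what a Kibana visualization on the secure index gives you once the fields are extracted there instead.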

Install and Use Kibana

# yum install -y kibana
# vim /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.73.133"
elasticsearch.hosts: ["http://192.168.73.133:9200"]
kibana.index: ".kibana"
i18n.locale: "zh-CN"
# systemctl start kibana && systemctl enable kibana

server.host binds the UI to the LAN address, and Kibana has no login of its own while Elasticsearch security is off, so anyone who can reach port 5601 can query, and through Dev Tools delete, any index. Once xpack.security.enabled is set on the cluster, give Kibana the built-in kibana user's credentials (elasticsearch.username and elasticsearch.password in kibana.yml) and users sign in with their own accounts. i18n.locale: "zh-CN" switches the UI to Simplified Chinese; drop the line for English.

Access Kibana at http://192.168.73.133:5601 and load sample dashboards.

(Screenshot: Kibana dashboard)
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Big Data, Elasticsearch, ELK, Log Management, Logstash, Kibana, CentOS
Written by

Ops Development Stories

Maintained by a like‑minded team, covering both operations and development. Topics span Linux ops, DevOps toolchain, Kubernetes containerization, monitoring, log collection, network security, and Python or Go development. Team members: Qiao Ke, wanger, Dong Ge, Su Xin, Hua Zai, Zheng Ge, Teacher Xia.
