Setting up Elasticsearch 5.x (Single VM) on CentOS 7 Minimal Part 1/3

In this series we will go ahead and setup Elasticsearch 5 to collect Windows Logs.

The point of this tutorial is to setup a test environment for Elasticsearch on a single node which will allow us to search through logs real-time and provide an ability to create meaningful visualizations from Kibana. We will be focusing on collecting Windows logs such as account lockouts, account login failures, task creation, firewall modification, process creations, network connections.

I would suggest to take 5 minutes to understand what The Elasticsearch Stack is by visiting their main site.

Our setup: 1 server (CentOS) setup with Static IP addresses.

  • 1 (server name: ELK) server will serve as our Logstash parser

Before moving forward please read the following pertaining to Memory Lock information as my guide will include both. If you’re not interested in the Memory Lock just skip the steps that pertain to it.

Here are the prerequisites for this tutorial:

  • CentOS 7 minimal – Latest built (or full Dvd download)
  • net-tools
  • nano
  • Java 1.8.x

First of all, download the latest CentOS 7 minimal to get started, and install it which is covered by this tutorial

Once you have installed the Operating System, you may then:

Run an OS update to ensure that you are getting the most up-to-date applications for YUM. (perform these steps for all servers)

Ensure that you are installing basic network tools such as “ifconfig”

Run the following to get a text editor

Set Static IP addresses for ELK  (Optional Step, you may just leave as DHCP)

sample configuration:

Reboot your network adapter.

At this point I’d suggestion you create some DNS records for your systems.

Now that we’re done with basic CentOS 7 items, let’s move on to Elasticsearch Prerequisites.

Step 1: install Java 1.8 DJK.
Install on all servers

set $JAVA_HOME to

you may run “java -version” to confirm your version of java installed.

Step 2: Import Elasticsearch PGP key

Step 3: Setup Repositories for Elasticsearch, Kibana, and Logstash

For Elasticsearch:

Navigate to /etc/yum.repos.d and create a new repository file, call it elasticsearch.repo

And copy the following to it:

CTRL-O and save as elasticsearch.repo”

Do the same for Kibana

Save as kibana.repo

Lastly,  setup a repo for Logstash

save as logstash.repo

Step 4: install Elasticsearch:

Step 5: Set the service to start automatically

To configure Elasticsearch to start automatically when the system boots up, run the following commands:

Elasticsearch can be started and stopped as follows:
sudo systemctl start elasticsearch.service
sudo systemctl stop elasticsearch.service

Step 6: Setup Firewall Rules

Add firewall rules, (Kibana will run on port 5601, Elasticsearch will run on port 9200, 9300, and Logstash will be running on port 5044 or whichever port you decide)

server names: (ELK)

Step 7: Test Elasticsearch

run the following query:

curl -XGET ‘yourELKipaddress:9200/?pretty’

(note: this is your local ip address)

You should see the following:

“version” : {
“number” : “5.2.0”,
“build_hash” : “24e05b9”,
“build_date” : “2017-“,
“build_snapshot” : false,
“lucene_version” : “6.4.0”
“tagline” : “You Know, for Search”

Step 8: Configure Elasticsearch:

Edit the following options and ensure that you remove the #comment field to enable them.

The following crossed items are old and unnecessary steps (updated 09-25-2017).

Next, uncomment the following setting MAX_LOCKED_MEMORY=unlimited (Remove the #)

Save and exit

Again we’re doing it at the service level too, uncomment LIMITMEMLOCK=infinity

Save and exit

For this step, we’re going to edit the  Xms  and Xmx

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

Note: set the GB to half your System’s RAM (In this example, I have a total of 8GB RAM; therefore my settings will be the following:

Save and Exit.

Run the following once you have edited both configurations:

Step 10: Install KIBANA

To configure Kibana to start automatically when the system boots up, run the following commands:

Kibana can be started and stopped as follows:

Step 11: Configure Kibana

Change the following settings:

Save it, and then restart the Kibana service.

You should be able to visit: http://YourELK:5601

Step 12: Configure Logstash

Install Logstash

Setup Logstash as a service

Next we will create a basic logstash configuration (assuming that you will be using Winlogbeats (Next tutorial) to send your data)

If you will be using Winlogbeat to send data use the following logstash configuration: (For this tutorial use the first configuration shown)

Here’s the location for The Logstash configuration: /etc/logstash/conf.d
This is where you would save the following configuration as filename.conf

If you are sending logs using NXlogs you may use the following logstash configuration:

Save the configuration and restart the Logstash service.

Logstash will now listen on port 5044. You may run netstat -plnt to see the listening port:

you should see something similar to this:

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::5044 :::* LISTEN 8595/java

Now you have completed the Elasticsearch (ELK) stack basic setup. On the next tutorial I will go over adding data from a windows system using Winlogbeat and creating Indexes from Kibana.

Leave a Reply

Be the First to Comment!

Notify of