How to Set Up a Basic ELK Stack on Arch Linux
ELK (Elasticsearch, Logstash, Kibana) is a set of three technologies from Elastic that can be combined to collect, index and visualize log data. Think of it as rsyslog on steroids, with pretty colors.
First off, this guide is written using examples from an Arch Linux host. In theory you should be able to follow along on any other distro. That said, on Arch we recommend implementing the suggestions from this article on using Arch as a server and using an AUR helper (yay is the go-to choice of the Angry Sysadmins).
Install ElasticSearch
Elasticsearch is in Arch’s official repositories, so installing it is as easy as:
pacman -S elasticsearch
Before starting it, we need to make a few edits to its configuration file.
First, enable cross-origin access. The allow-origin value is a regular expression, and /.*/ matches every origin; CORS is only needed if a browser-based tool talks to Elasticsearch directly, so narrow the pattern to that tool’s origin, or skip both lines, if you have no such tool.
echo 'http.cors.allow-origin: "/.*/"' >> /etc/elasticsearch/elasticsearch.yml
echo 'http.cors.enabled: true' >> /etc/elasticsearch/elasticsearch.yml
We also need to make the HTTP API accessible on the local network:
echo 'network.bind_host: 0.0.0.0' >> /etc/elasticsearch/elasticsearch.yml
echo 'node.master: true' >> /etc/elasticsearch/elasticsearch.yml
echo 'node.data: true' >> /etc/elasticsearch/elasticsearch.yml
echo 'transport.host: localhost' >> /etc/elasticsearch/elasticsearch.yml
echo 'transport.tcp.port: 9300' >> /etc/elasticsearch/elasticsearch.yml
network.bind_host: 0.0.0.0 makes Elasticsearch accept HTTP connections on any of the server’s IP addresses. If you want it to listen on only one, replace 0.0.0.0 with the desired IP address. Bear in mind that in this setup the HTTP API on port 9200 has no authentication at all: anyone who can reach it can read, write and delete every index. If only Logstash and Kibana on this host need it, leave the default (loopback only) and open it up only once you actually have remote clients.
transport.host: localhost keeps the node-to-node transport port (9300) on loopback, which is all a single node needs. It also keeps Elasticsearch in development mode, because the production bootstrap checks are only enforced when the transport is bound to a non-loopback address. Newer 7.x releases log deprecation warnings for node.master/node.data (replaced by node.roles) and transport.tcp.port (replaced by transport.port); the old names still work on 7.x.
Next, we need to edit the JVM options and give the JVM more memory.
nano /etc/elasticsearch/jvm.options
Then set -Xms (initial heap) and -Xmx (maximum heap) to 2g or more (6g in the example). Different values are allowed, but they make the heap resize at runtime, which Elastic advises against, so keep them equal. Stay at or below half of the machine’s RAM, so the rest is left for the filesystem cache Lucene relies on, and below about 31g so the JVM keeps using compressed object pointers.
-Xms6g
-Xmx6g
Finally, start and enable elasticsearch
systemctl start elasticsearch.service
systemctl enable elasticsearch.service
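As an added example (not the post’s own instructions, and not part of the Arch package), here is the same configuration as a script you can run more than once. It replaces a key that is already present instead of appending a second copy, since Elasticsearch refuses to start when elasticsearch.yml contains a duplicate key, and it sizes the heap from the machine’s RAM using Elastic’s half-of-RAM, at-most-31g rule. The paths are the Arch defaults used above; the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent edits to
# elasticsearch.yml and jvm.options. Re-running the post's `echo >>` lines
# appends duplicate keys, which Elasticsearch rejects at startup; these
# helpers replace an existing key in place instead.
# Paths default to the Arch package locations used in the post.

ES_YML=${ES_YML:-/etc/elasticsearch/elasticsearch.yml}
JVM_OPTS=${JVM_OPTS:-/etc/elasticsearch/jvm.options}

# es_set FILE KEY VALUE: write "KEY: VALUE", replacing the line if KEY exists.
es_set() {
    file=$1 key=$2 value=$3
    # Escape the dots in the key for the regex, and sed replacement specials
    # ('&', '|', '\') in the value, so the CORS regex "/.*/" survives intact.
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    val_esc=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')
    if grep -q "^${key_re}:" "$file" 2>/dev/null; then
        sed -i "s|^${key_re}:.*|${key}: ${val_esc}|" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# jvm_set_heap FILE SIZE: set -Xms and -Xmx to the same SIZE (e.g. 6g).
jvm_set_heap() {
    file=$1 size=$2
    sed -i -E "s/^-Xms[0-9]+[kKmMgG]?$/-Xms${size}/; s/^-Xmx[0-9]+[kKmMgG]?$/-Xmx${size}/" "$file"
}

# heap_gb_for_ram RAM_KB: half of RAM in whole GiB, capped at 31 (compressed
# object pointers), never below 1.
heap_gb_for_ram() {
    half=$(( $1 / 2 / 1048576 ))
    [ "$half" -gt 31 ] && half=31
    [ "$half" -lt 1 ] && half=1
    echo "$half"
}

# apply_es_config: the post's settings, written idempotently, plus a heap
# sized from /proc/meminfo. Run as root.
apply_es_config() {
    es_set "$ES_YML" http.cors.enabled true
    es_set "$ES_YML" http.cors.allow-origin '"/.*/"'
    es_set "$ES_YML" network.bind_host 0.0.0.0
    es_set "$ES_YML" node.master true
    es_set "$ES_YML" node.data true
    es_set "$ES_YML" transport.host localhost
    es_set "$ES_YML" transport.tcp.port 9300
    ram_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    jvm_set_heap "$JVM_OPTS" "$(heap_gb_for_ram "$ram_kb")g"
}

# Only touch /etc when invoked as `sh es-config.sh --apply`; sourcing the
# file just defines the helpers.
if [ "${1:-}" = "--apply" ]; then
    apply_es_config
fi
```

Run it as root with --apply, then start and enable the service as above; if you later decide to keep the HTTP API on loopback, a second run with network.bind_host changed to 127.0.0.1 edits the existing line rather than adding a conflicting one.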
Install Logstash
Like Elasticsearch, Logstash is in the official Arch repos and can be installed with pacman:
pacman -S logstash
Now we need to create a Logstash pipeline that accepts logs. Any .conf files in /etc/logstash/conf.d/ are loaded automatically when the service starts. Since we are only setting up basic rules for now, we’ll make a single file called logstash-simple.conf.
nano /etc/logstash/conf.d/logstash-simple.conf
Add the following:
input {
  # tail a local file, starting from the beginning of the file
  file {
    path => "/var/log/faillog"
    start_position => "beginning"
  }
  # network syslog input (listens on TCP and UDP)
  syslog {
    host => "0.0.0.0"
    port => 514
  }
  # Beats shippers (filebeat and friends)
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}
Three things to watch here. The elasticsearch output option is hosts (plural); with host Logstash refuses to start. Ports below 1024, such as 514, can only be bound by root, while the Arch unit runs Logstash as the unprivileged logstash user, so either move the syslog input to a port above 1024 (and point your clients at it) or grant the service CAP_NET_BIND_SERVICE through a systemd drop-in. And /var/log/faillog is a binary database rather than a text log, so swap in a line-based log if you want the file input to show you something readable in Kibana.
Now start and enable logstash
systemctl start logstash.service
systemctl enable logstash.service
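Two helpers for the pipeline above, added here as an example (they are not part of the post or of Logstash): a systemd drop-in that lets the unprivileged logstash user bind the syslog input’s port 514 with CAP_NET_BIND_SERVICE and nothing else, and a function that sends one constructed test message in BSD syslog (RFC 3164) format so you can confirm the input works end to end. The drop-in directory follows the logstash.service unit name used in the post; the use of bash’s /dev/udp and the helper names are my assumptions.

```shell
#!/bin/bash
# Added example, not from the original post. Arch runs logstash.service as
# the unprivileged "logstash" user, which cannot bind port 514 from the
# pipeline above; this drop-in grants that one capability and nothing else.
# DROPIN_DIR is the directory systemd reads for logstash.service (assumed
# from the unit name the post's systemctl commands use).

DROPIN_DIR=${DROPIN_DIR:-/etc/systemd/system/logstash.service.d}

# write_bind_dropin DIR: write DIR/10-bind-low-ports.conf. Afterwards run
# `systemctl daemon-reload && systemctl restart logstash.service`.
write_bind_dropin() {
    mkdir -p "$1"
    cat > "$1/10-bind-low-ports.conf" <<'EOF'
[Service]
# allow binding ports below 1024 (the syslog input on 514) without root
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
EOF
}

# rfc3164_line PRI TIMESTAMP HOSTNAME TAG MSG: build a BSD syslog line in the
# shape the logstash syslog input parses. PRI is facility*8 + severity
# (134 = local0.info); TIMESTAMP is "Mon dd HH:MM:SS".
rfc3164_line() {
    printf '<%s>%s %s %s: %s' "$1" "$2" "$3" "$4" "$5"
}

# send_test_syslog HOST PORT: send one constructed message to the syslog
# input over UDP via bash's /dev/udp, then search Kibana for "elk-selftest".
send_test_syslog() {
    line=$(rfc3164_line 134 "$(date '+%b %e %H:%M:%S')" "$(hostname)" elk-selftest \
           "logstash syslog input check $(date +%s)")
    printf '%s\n' "$line" > "/dev/udp/$1/$2"
}

# Only write to /etc when invoked as `bash logstash-helpers.sh --install`.
if [ "${1:-}" = "--install" ]; then
    write_bind_dropin "$DROPIN_DIR"
fi
```

After the restart, `ss -ltnp | grep 514` should show the port owned by a process running as logstash rather than root; then call send_test_syslog with the server address and 514 and look for the elk-selftest tag in Kibana.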
Install Kibana
The last part of the stack to install and setup is Kibana, which, once more, can easily be installed using pacman.
pacman -S kibana
Next, we need to edit Kibana’s configuration to allow inbound connections
nano /etc/kibana/kibana.yml
Uncomment server.host and set it to 0.0.0.0, or to the specific IP address you want Kibana to listen on, e.g.:
Kibana has no authentication of its own in this setup, so this exposes the whole interface (and, through it, Elasticsearch) to anyone who can reach port 5601. If you follow the Nginx section below, set it to "127.0.0.1" instead, so that Kibana is only reachable through the proxy.
server.host: "0.0.0.0"
Finally, start and enable Kibana
sudo systemctl start kibana.service
sudo systemctl enable kibana.service
Install Nginx as a Reverse Proxy
You should now be able to bring up the Kibana interface by going to your server at http://x.x.x.x:5601. To serve it on port 80, we set up Nginx as a reverse proxy. This also lets us put authentication in front of Kibana and, if your instance is public facing, makes TLS easy to configure. The proxy only protects Kibana if Kibana itself cannot be reached directly: set server.host in kibana.yml to "127.0.0.1" (and keep Elasticsearch on loopback as well), or firewall ports 5601 and 9200, otherwise anyone on the network can simply skip the proxy. Basic auth over plain HTTP also sends the password, base64-encoded but not encrypted, with every request, so if the proxy is reachable from anything but a trusted network, configure TLS.
The package can be installed with:
pacman -S nginx
Next, we need htpasswd to create the password file. It ships in apache-tools, which we can install from the AUR (the official apache package contains it too, if you would rather avoid the AUR).
yay -S apache-tools
Now we need to edit the Nginx config. Arch’s nginx package uses a single configuration file by default rather than one file per site, so open it and remove the default server block, which we will replace with our own.
nano /etc/nginx/nginx.conf
Add this in its place:
# Nginx proxy for Elasticsearch + Kibana
server {
    listen 80;
    server_name localhost;
    access_log /var/log/nginx-logstash.log;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/kibana/htpasswd.users;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
Next, generate an htpasswd file for basic authentication with the reverse proxy, where username is your desired username; htpasswd prompts for the password:
sudo htpasswd -c /etc/kibana/htpasswd.users username
htpasswd also accepts the password on the command line with -b (htpasswd -c -b /etc/kibana/htpasswd.users username password), but that leaves it in your shell history and visible in ps while the command runs. -c creates the file and overwrites one that already exists, so drop it when adding a second user.
Finally we start and enable Nginx
sudo systemctl start nginx.service
sudo systemctl enable nginx.service
To make sure everything is working, go to your ELK server’s IP address in a web browser; you should be prompted for a username and password, and once you have signed in you should see the Kibana web interface. Also check from another machine that http://x.x.x.x:5601 and http://x.x.x.x:9200 no longer answer; if they do, the password prompt on port 80 is only decoration.
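A post-install exposure check, added as an example that is not part of the post: it reads `ss -Hltn` output and flags any of the stack’s internal ports bound to a wildcard address, and it checks that the proxy refuses an unauthenticated request with 401. The port list, the use of curl, and the helper names are my assumptions; the ss lines used to exercise it are constructed, not captured from a real host.

```shell
#!/bin/bash
# Added example, not part of the original post: verify what the finished
# stack exposes. Once nginx is the front door, only port 80 (plus 514/5044
# if remote log shippers use them) should be reachable from other hosts;
# 9200, 9300 and 5601 should be bound to loopback only.

# audit_listeners < "ss -Hltn" output: print one line per watched port bound
# to a wildcard address (IPv4 or IPv6); exit 1 if any was found, else 0.
audit_listeners() {
    awk '
    BEGIN { split("9200 9300 5601", w, " "); for (i in w) watched[w[i]] = 1 }
    {
        # column 4 is Local Address:Port; the port is after the last colon
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (!(port in watched)) next
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::") {
            printf "port %s exposed on %s\n", port, addr
            bad = 1
        }
    }
    END { if (bad) exit 1 }'
}

# proxy_requires_auth URL: 0 if an unauthenticated request gets 401,
# 1 otherwise (assumes curl is installed).
proxy_requires_auth() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$code" = 401 ]
}

# run_audit: the two checks against the live host.
run_audit() {
    ss -Hltn | audit_listeners && echo "listeners ok"
    proxy_requires_auth "http://127.0.0.1/" && echo "proxy auth ok"
}

# Only touch the live host when invoked as `bash elk-audit.sh --run`.
if [ "${1:-}" = "--run" ]; then
    run_audit
fi
```

Run it with --run on the ELK host after everything is enabled; anything it prints as exposed is reachable without the Nginx password prompt and should go back to 127.0.0.1 in the corresponding config, or be firewalled.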
I couldn’t locate logstash in pacman nor find any other way to install on Arch Linux at the moment.
Any ideas?
It looks like the Arch repos should currently allow you to install Logstash 7.7. So if you’re attempting an install and the package can’t be found, I think your mirrors might be out of date. So you could attempt to force refresh them with pacman -Sy, and see if the package then shows up when you do pacman -Ss logstash.
I had to change `elasticsearch { host => localhost }` to `elasticsearch { hosts => localhost }`, otherwise logstash would crash.
Hi, I’ve run into some issues during Kibana and Logstash configuration. After solving each one I disclosed each issue in my own GitHub repo, which serves as a setup guide for a newly installed Manjaro distro. If you’re reading this and ran into some Kibana and Logstash initialization problems, go check it out: https://github.com/Alex3397/every–new-manjaro-setup-config.
Maybe I was able to solve your problem already.
Thanks for sharing! I hope somebody will find it helpful