Elasticsearch - ELK stack

======================================================================================================================================================

Upgrade version of elasticsearch on Linux

Stop running elasticsearch
systemctl stop elasticsearch

# With seperated config and logs:
cd /opt
rm -rf elasticsearch
tar xvzf elasticsearch-8.x.x-linux-aarch64.tar.gz
rm -rf elasticsearch-8.x.x/jdk
mv elasticsearch-8.x.x elasticsearch
rm /var/log/elasticsearch/*
chown -R elasticsearch:elasticsearch /opt/elasticsearch


systemctl start elasticsearch

#Check the health of the cluster
curl --user elastic:<PASSWORD> -X GET http://localhost:9200/_cat/health?v

curl --user elastic:<PASSWORD> -X GET http://localhost:9200/_cat/indices?v

======================================================================================================================================================

Upgrade version of Kibana on Windows PC/Laptop

Remove the old folder (like C:\Temp\kibana)

Properties zip file "unblock" content flag
Rename to short name and place directly under c:\ (otherwise there are path lenght problems while extracting)

unzip via windows Zip the file  (location like: C:\Kibana.zip)

Move the Kibana directory to another location/map

Edit config\kibana.yml 
server.port: 5601
server.host: "<Your PC name in WIndows"
#elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.hosts: ["http://<IPADDRESS ELASTICSEARCH SERVER>:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "<Password>"
# Maybe 15 minutes is not enough and make it 1 hour: 3600000
xpack.reporting.queue.timeout: 3600000
# Maybe 100MB is not enough..
xpack.reporting.csv.maxSizeBytes: 104857600
# And change for reporting the timezone to "UTC" in "Stack Management"->"Advanced settings"

Start Kibana via the bin\kibana.bat

======================================================================================================================================================

New version 8.x.x of ELK
========================
tar xvzf elasticsearch-8.x.x-linux-aarch64.tar.gz
rm -rf jdk
chown -R elasticsearch:elasticsearch /opt/elasticsearch-8..

export ES_JAVA_HOME=/etc/alternatives/jre

Edit elasticsearch.yml (Initial setup...further below the current config)
cluster.name: <Your clustername>
node.name: <Your hostname>
network.host: [127.0.0.1,<IPADDRESS>]
http.port: 9200
discovery.seed_hosts: ["127.0.0.1", "<IPADDRESS>"]
node.roles: [master, data, ingest]
xpack.security.enabled: true
discovery.type: single-node
xpack.ml.enabled: false
path.repo: backups

cd /opt/elasticsearch-8..
cp -p -r /var/lib/elasticsearch data

./bin/elasticsearch -d

Switch off rsyslog module omelasticsearch (_type problem..maybe solved by now..?)
Edit the scipts in /root/ELK/ (look for _doc and remove it; _type is no longer supported)

=========================

-----------------------------------------------------------------------

Place elasticsearch on redberry server.
========================================================================
yum install perl-JSON-PP jq
yum install java-latest-openjdk-headless.armv7hl

 

groupadd -g 124 elasticsearch
useradd -u 116 -g elasticsearch -G users -c "ElasticSearch" -d /opt/elasticsearch -m elasticsearch
tar xvzf elasticsearch-8.x.x-linux-aarch64.tar.gz
mv elasticsearch-8.x.x. /opt/elasticsearch
cd /opt/elasticsearch/
rm -rf jdk
chown -R elasticsearch:elasticsearch /opt/elasticsearch

#vi bin/elasticsearch-env
#ES_JAVA_HOME=/etc/alternatives/jre

vi config/elasticsearch.yml

cluster.name: <CLustername>
node.name: <Hostname>
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: [127.0.0.1,<IPADDRESS>]
http.port: 9200

discovery.seed_hosts: ["127.0.0.1", "<IPADDRESS>"]
node.roles: [master, data, ingest]
xpack.security.enabled: true
discovery.type: single-node
xpack.ml.enabled: false
path.repo: /var/lib/elasticsearch/backups
xpack.security.authc.api_key.enabled: true

vi config/jvm.options
## GC logging
#-Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m

vi config/jvm.options.d/unix4life.options
-Xms400m
-Xmx550m
-Dlog4j2.formatMsgNoLookups=true
-Xlog:all=warning:stderr:utctime,level,tags
-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m
-Xlog:disable

vi config/log4j2.properties
#rootLogger.level = info
rootLogger.level = error
#logger.deprecation.level = deprecation   => Gives POSSIBLE shit with shards: .ds-.logs-deprecation.elasticsearch-default-<date>...
logger.deprecation.level = OFF

 

iptables -I IN_public_allow -p tcp -m tcp --destination-port 9200 -j ACCEPT
firewall-cmd --zone=public --add-port=9200/tcp
firewall-cmd --zone=public --add-port=9200/tcp --permanent


vi /usr/lib/systemd/system/elasticsearch.service

[Unit]
Description=Run ElasticSearch as user elasticsearch
DefaultDependencies=no
After=network.target

[Install]
WantedBy=multi-user.target

[Service]
Type=simple
User=elasticsearch
Group=elasticsearch
Environment="ES_PATH_CONF=/etc/elasticsearch/config"
Environment="ES_JAVA_HOME=/etc/alternatives/jre"
WorkingDirectory=/opt/elasticsearch
ExecStart=/opt/elasticsearch/bin/elasticsearch -d -p /opt/elasticsearch/elasticsearch.pid
TimeoutStartSec=60
RemainAfterExit=yes

 


chown -R elasticsearch:elasticsearch /opt/elasticsearch/
chown -R elasticsearch:elasticsearch /var/log/elasticsearch/
chown -R elasticsearch:elasticsearch /var/lib/elasticsearch/

chmod 660 /etc/elasticsearch/config/*.yml

systemctl daemon-reload
systemctl enable elasticsearch

# Set passwords
systemctl start elasticsearch
su - elasticsearch
export ES_PATH_CONF=/etc/elasticsearch/config
export ES_JAVA_HOME=/usr/lib/jvm/java-17-openjdk-17.0.1.0.12-1.rolling.el7.arm
./bin/elasticsearch-setup-passwords interactive

export ES_PATH_CONF=/etc/elasticsearch/config
export ES_JAVA_HOME=/usr/lib/jvm/java-17-openjdk-17.0.1.0.12-1.rolling.el7.arm
export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-17.0.1.0.12-1.rolling.el7.arm
bin/elasticsearch-sql-cli http://elastic:<PASSWORD>@localhost:9200

 

 

Enable Elasticsearch security featuresedit
Add the xpack.security.enabled setting to the ES_PATH_CONF/elasticsearch.yml file and set the value to true:
xpack.security.enabled: true

Re-start elasticsearch

Create passwords for built-in usersedit
You only need to set passwords for the elastic and kibana_system users when enabling minimal or basic security.

./bin/elasticsearch-setup-passwords interactive
root@unix4life:/opt/elasticsearch# ./bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

 

Check of your elasticsearch query to see if it all works...

curl --user elastic:<PASSWORD> -X GET http://localhost:9200/_cat/indices?v
health status index       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .security-7 HIeZfpFgSDexxHucNImLaA   1   0          7            0     25.3kb         25.3kb

 

 

  Donate now via the Paypal button on the top in US Dollar and on the bottom in Euro