Elastic Stack Deployment
Environment
Host              IP address
elasticsearch-01  10.30.185.200
elasticsearch-02  10.30.185.201
elasticsearch-03  10.30.185.202
elasticsearch-04  10.30.185.203
elasticsearch-05  10.30.185.204
kibana-01         10.30.185.205
Configure Elasticsearch
1. Add Parameters Required by Elasticsearch (all ES nodes)
Elasticsearch uses an mmapfs directory by default to store its indices. The default Linux limit on mmap counts is usually too low, which can result in out-of-memory exceptions. This limit should be raised to 262144.
Run the following command to add the file /etc/sysctl.d/70-elasticsearch.conf with the attribute vm.max_map_count=262144:
echo "vm.max_map_count=262144" | sudo tee /etc/sysctl.d/70-elasticsearch.conf > /dev/null
2. Tune Network Parameters (all ES nodes)
The default Linux network parameters are not optimal for high-throughput applications, in particular for a high volume of ingress UDP packets. This can result in dropped packets and lost data. Linux network performance for ElastiFlow can be optimized by changing the parameters below.
Run the following command to add the file /etc/sysctl.d/60-net.conf with the recommended changes.
echo -e "net.core.netdev_max_backlog=4096\nnet.core.rmem_default=262144\nnet.core.rmem_max=67108864\nnet.ipv4.udp_rmem_min=131072\nnet.ipv4.udp_mem=2097152 4194304 8388608" | sudo tee /etc/sysctl.d/60-net.conf > /dev/null
3. Apply Changes (all ES nodes)
For changes to the above parameters to take effect the system can be restarted. Alternatively the following commands can be run to apply the changes without a reboot:
sudo sysctl -w vm.max_map_count=262144 && \
sudo sysctl -w net.core.netdev_max_backlog=4096 && \
sudo sysctl -w net.core.rmem_default=262144 && \
sudo sysctl -w net.core.rmem_max=67108864 && \
sudo sysctl -w net.ipv4.udp_rmem_min=131072 && \
sudo sysctl -w net.ipv4.udp_mem='2097152 4194304 8388608'
4. Configure JVM Heap Size (all ES nodes)
If a JVM is started with unequal initial and max heap sizes, it may pause as the JVM heap is resized during system usage. For this reason it’s best to start the JVM with the initial and maximum heap sizes set to equal values.
Add the file heap.options to /etc/elasticsearch/jvm.options.d and set -Xms and -Xmx to about one third of the system memory, but do not exceed 31g. For this example we will use 12GB of the available 32GB of memory for JVM heap.
echo -e "-Xms12g\n-Xmx12g" | sudo tee /etc/elasticsearch/jvm.options.d/heap.options > /dev/null
5. Increase System Limits (all ES nodes)
Increased system limits should be specified in a systemd attributes file for the elasticsearch service.
sudo mkdir /etc/systemd/system/elasticsearch.service.d && \
echo -e "[Service]\nLimitNOFILE=131072\nLimitNPROC=8192\nLimitMEMLOCK=infinity\nLimitFSIZE=infinity\nLimitAS=infinity" | \
sudo tee /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf > /dev/null
6. Copy Certificates to Elasticsearch Configuration Path
Copy TLS certificates to /etc/elasticsearch/certs.
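Before editing elasticsearch.yml it is worth confirming that steps 1 to 4 actually took effect on every ES node. The POSIX shell script below is an added preflight check and is not part of the original guide: it compares the kernel parameters from steps 1 to 3 with what the kernel reports, and checks that the heap file from step 4 has equal -Xms/-Xmx values of at most 31g. The optional SYSROOT and FILE arguments are assumptions added so the checks can also be run against a copied tree; the defaults point at the live system.

```shell
#!/bin/sh
# Expected key=value pairs exactly as steps 1 and 2 set them.
ES_SYSCTL_EXPECTED="vm.max_map_count=262144
net.core.netdev_max_backlog=4096
net.core.rmem_default=262144
net.core.rmem_max=67108864
net.ipv4.udp_rmem_min=131072
net.ipv4.udp_mem=2097152 4194304 8388608"

# check_es_sysctl [SYSROOT]: compare each expected key with the value the
# kernel exposes under SYSROOT (default /proc/sys; the argument is an
# assumption added for offline use). Returns the number of mismatches.
check_es_sysctl() {
    sysroot=${1:-/proc/sys}
    bad=0
    while IFS='=' read -r key want; do
        path=$sysroot/$(printf '%s' "$key" | tr . /)
        if [ -r "$path" ]; then
            have=$(awk '{ $1 = $1; print }' "$path")  # collapse tabs into single spaces
        else
            have="<missing>"
        fi
        if [ "$have" = "$want" ]; then
            echo "ok       $key = $have"
        else
            echo "MISMATCH $key = $have (expected $want)"
            bad=$((bad + 1))
        fi
    done <<EOF
$ES_SYSCTL_EXPECTED
EOF
    return "$bad"
}

# check_heap_options [FILE]: -Xms and -Xmx must both be present, equal and
# no larger than 31g (step 4). Returns 0 only when all three hold.
check_heap_options() {
    file=${1:-/etc/elasticsearch/jvm.options.d/heap.options}
    [ -r "$file" ] || { echo "missing $file"; return 1; }
    xms=$(sed -n 's/^-Xms\([0-9][0-9]*\)[gG]$/\1/p' "$file")
    xmx=$(sed -n 's/^-Xmx\([0-9][0-9]*\)[gG]$/\1/p' "$file")
    if [ -z "$xms" ] || [ -z "$xmx" ]; then
        echo "-Xms/-Xmx must be whole gigabytes, e.g. -Xms12g"; return 1
    fi
    [ "$xms" -eq "$xmx" ] || { echo "-Xms${xms}g differs from -Xmx${xmx}g"; return 1; }
    [ "$xmx" -le 31 ] || { echo "-Xmx${xmx}g exceeds the 31g limit"; return 1; }
    echo "ok       heap -Xms${xms}g -Xmx${xmx}g"
}
```

Run `check_es_sysctl && check_heap_options` on each ES node after step 5; a non-zero exit status names the parameter that still needs a reboot or a sysctl -w.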
7. Edit elasticsearch.yml (all ES nodes)
Edit the Elasticsearch configuration file, /etc/elasticsearch/elasticsearch.yml, replacing the contents of the file with the provided configurations.
NOTE: If you want Elasticsearch data to be stored on a different mount point, you must first create the directory and assign ownership to the elasticsearch user. For example, to store data on /mnt/data0, run sudo mkdir /mnt/data0/elasticsearch && sudo chown -R elasticsearch:elasticsearch /mnt/data0/elasticsearch. Then edit the path.data option in elasticsearch.yml, specifying this path.
8. Enable and Start Elasticsearch Master Nodes
Execute the following commands on elasticsearch-01, elasticsearch-02 and elasticsearch-03 to start Elasticsearch and enable it to run automatically when the server boots:
sudo systemctl daemon-reload && \
sudo systemctl enable elasticsearch && \
sudo systemctl start elasticsearch
Confirm Elasticsearch started successfully by executing:
sudo systemctl status elasticsearch
9. Set Passwords for Elasticsearch Built-in Accounts
Execute the following command on one of the running Elasticsearch nodes to set up passwords for the built-in accounts:
sudo /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
The following will be displayed:
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]
Answer y, then enter and confirm passwords for the built-in Elasticsearch accounts.
10. Verify Elasticsearch
Ensure that the Elasticsearch REST API is available by running the following:
curl -XGET -k "https://elastic:PASSWORD@10.30.185.200:9200"
The output should be similar to the following:
{
"name" : "elasticsearch-01",
"cluster_name" : "elastiflow",
"cluster_uuid" : "S5Y3Z2USSq2sR2TyOkLe3A",
"version" : {
"number" : "8.7.1",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "66b55ebfa59c92c15db3f69a335d500018b3331e",
"build_date" : "2021-08-26T09:01:05.390870785Z",
"build_snapshot" : false,
"lucene_version" : "8.9.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
11. Enable and Start Elasticsearch Data Nodes
Execute the following commands on elasticsearch-04 and elasticsearch-05 to start Elasticsearch and enable it to run automatically when the server boots:
sudo systemctl daemon-reload && \
sudo systemctl enable elasticsearch && \
sudo systemctl start elasticsearch
Configure Kibana
1. Copy CA and Certificates
Copy TLS certificates to /etc/kibana/certs.
2. Edit kibana.yml
Edit the Kibana configuration file /etc/kibana/kibana.yml, replacing the contents of the file with the provided configuration. Edit as necessary for your environment (especially elasticsearch.password).
4. Enable and Start Kibana
Execute the following commands:
sudo systemctl daemon-reload && \
sudo systemctl enable kibana && \
sudo systemctl start kibana
Confirm Kibana started successfully by executing:
sudo systemctl status kibana
You should now be able to access Kibana at https://10.30.185.205:5601.