:::tip This section provides the installation steps for the ElastiFlow Unified Flow Collector. Many users get started using ElastiFlow with the Elastic Stack (Elasticsearch and Kibana). To install and configure both the Elastic Stack and the ElastiFlow Unified Flow Collector, step-by-step instructions are provided for both Ubuntu/Debian and RedHat/CentOS. :::
The ElastiFlow Unified Flow Collector can be installed natively on Linux. Packages are currently provided for and supported on the Linux distributions and versions listed in the following table.
Ubuntu/Debian
18.04 LTS, 20.04 LTS, 22.04 LTS
RHEL/CentOS
7.x, 8.x
The Debian package for the Unified Flow Collector can be downloaded from . It can be used for installation on most Debian-based systems such as Debian and Ubuntu.
.deb PackageThe package can be downloaded using either the wget or curl command:
Checksum Verification
To ensure the downloaded file was fully downloaded and wasn't corrupted or tampered with, you can verify the provided checksum matches.
GPG Verification
ElastiFlow signs the Debian package with a GNU Privacy Guard (GPG) key. To verify the Debian package, download and import the ElastiFlow GPG public key:
Next, download the signature file:
Finally, verify the file with the signature:
libpcap-dev is InstalledThe collector requires libpcap-dev. Check if the libpcap-dev package is installed:
If installed, the output will look similar to the follow:
If it is not present, install it:
.deb PackageThere are two methods to install the Unified Flow Collector package, apt or dpkg.
Install with apt
Install with dpkg
.rpm PackageThe package can be easily downloaded using wget or curl:
Checksum Verification
To ensure the downloaded file was fully downloaded and wasn't corrupted or tampered with, you can verify the provided checksum matches.
GPG Verification
ElastiFlow signs the RPM package with a GNU Privacy Guard (GPG) key. To verify the RPM package, download and import the ElastiFlow GPG public key:
Next, download the signature file:
Finally, verify the file with the signature:
libpcap-dev is InstalledThe Unified Flow Collector package can be installed using yum. The collector requires that libpcap-devel also be installed.
Installing libpcap & libpcap-devel on RHEL/CentOS 7.x
Installing libpcap & libpcap-devel on RHEL/CentOS 8.x
.rpm PackageIf installing the Unified Flow Collector package for the first time, i.e. NOT upgrading, run the following:
If upgrading from a previously installed Unified Flow Collector package, run the following:
The Unified Flow Collector will be installed to run as a daemon manged by systemd. Configuration of the collector is provided via environment variables and, depending on the enabled options, via various configuration files which by default are located within /etc/elastiflow.
To configure the environment variables, edit the file /etc/systemd/system/flowcoll.service.d/flowcoll.conf. For details on all of the configuration options, please refer to the Configuration Reference.
:::tip At a minimum the Unified Flow Collector must point to a valid data store. Additionally, source flows need to be pointed to the Unified Flow Collector so it can pass those along to the data store. The most common installation uses Elasticsearch and Kibana as the data store.
To install and configure both the Elastic Stack and the ElastiFlow Unified Flow Collector, step-by-step instructions are provided for both Ubuntu/Debian and RedHat/CentOS. :::
To start the collector, execute the follow commands:
To ensure the collector has started and is running, execute:
The collector can be stopped using:
If you want the collector to be started automatically when the system is booted, it must be enabled:
The RPM package for the Unified Flow Collector can be downloaded from . It can be used for installation on most RedHat-based systems such as RHEL and CentOS.