Linux
:::tip This section provides the installation steps for the ElastiFlow Unified Flow Collector. Many users get started using ElastiFlow with the Elastic Stack (Elasticsearch and Kibana). To install and configure both the Elastic Stack and the ElastiFlow Unified Flow Collector, step-by-step instructions are provided for both Ubuntu/Debian and RedHat/CentOS. :::
The ElastiFlow Unified Flow Collector can be installed natively on Linux. Packages are currently provided for and supported on the Linux distributions and versions listed in the following table.
| Distribution | Supported versions |
|---|---|
| Ubuntu/Debian | 18.04 LTS, 20.04 LTS, 22.04 LTS |
| RHEL/CentOS | 7.x, 8.x |
Ubuntu/Debian Installation (deb)
The Debian package for the Unified Flow Collector can be downloaded from here. It can be used for installation on most Debian-based systems such as Debian and Ubuntu.
Download the .deb Package
The package can be downloaded using either the wget or curl command:

```bash
wget https://elastiflow-releases.s3.us-east-2.amazonaws.com/flow-collector/flow-collector_6.4.2_linux_amd64.deb
```

```bash
curl https://elastiflow-releases.s3.us-east-2.amazonaws.com/flow-collector/flow-collector_6.4.2_linux_amd64.deb --output flow-collector_6.4.2_linux_amd64.deb
```

Verify the Package
Checksum Verification
To ensure the downloaded file was fully downloaded and wasn't corrupted or tampered with, you can verify the provided checksum matches.
```bash
# get checksum of the downloaded file:
sha256sum flow-collector_6.4.2_linux_amd64.deb
# verify the checksum printed by the previous command matches the checksum published here:
# https://elastiflow-releases.s3.us-east-2.amazonaws.com/flow-collector/flow-collector_6.4.2_linux_amd64.deb.sha256
```

GPG Verification
ElastiFlow signs the Debian package with a GNU Privacy Guard (GPG) key. To verify the Debian package, download and import the ElastiFlow GPG public key:
```bash
# import public key into gpg keychain
curl -o- https://elastiflow-releases.s3.us-east-2.amazonaws.com/elastiflow.pgp | gpg --import -
# trust the public key
echo "6A2E26EFDE24AA7A634A442ED5C0572E5D212F6B:6:" | gpg --import-ownertrust
```

Next, download the signature file:

```bash
curl -SLO https://elastiflow-releases.s3.us-east-2.amazonaws.com/flow-collector/flow-collector_6.4.2_linux_amd64.deb.sig
```

Finally, verify the file with the signature:

```bash
gpg --verify flow-collector_6.4.2_linux_amd64.deb.sig flow-collector_6.4.2_linux_amd64.deb
```

Ensure that libpcap-dev is Installed
The collector requires libpcap-dev. Check if the libpcap-dev package is installed:

```bash
sudo dpkg-query -l | grep libpcap-dev
```

If installed, the output will look similar to the following:

```
ii libpcap-dev:amd64 1.9.1-3 amd64 development library for libpcap (transitional package)
```

If it is not present, install it:

```bash
sudo apt install libpcap-dev
```

Install the .deb Package

There are two methods to install the Unified Flow Collector package: apt or dpkg.

Install with apt

```bash
sudo apt install ./flow-collector_6.4.2_linux_amd64.deb
```

Install with dpkg

```bash
sudo dpkg -i flow-collector_6.4.2_linux_amd64.deb
```

RedHat/CentOS Installation (rpm)
The RPM package for the Unified Flow Collector can be downloaded from here. It can be used for installation on most RedHat-based systems such as RHEL and CentOS.
Download the .rpm Package
The package can be downloaded using either wget or curl:

```bash
wget https://elastiflow-releases.s3.us-east-2.amazonaws.com/flow-collector/flow-collector-6.4.2-1.x86_64.rpm
```

```bash
curl https://elastiflow-releases.s3.us-east-2.amazonaws.com/flow-collector/flow-collector-6.4.2-1.x86_64.rpm --output flow-collector-6.4.2-1.x86_64.rpm
```

Verify the Package
Checksum Verification
To ensure the downloaded file was fully downloaded and wasn't corrupted or tampered with, you can verify the provided checksum matches.
```bash
# get checksum of the downloaded file:
sha256sum flow-collector-6.4.2-1.x86_64.rpm
# verify the checksum printed by the previous command matches the checksum published here:
# https://elastiflow-releases.s3.us-east-2.amazonaws.com/flow-collector/flow-collector-6.4.2-1.x86_64.rpm.sha256
```

GPG Verification
ElastiFlow signs the RPM package with a GNU Privacy Guard (GPG) key. To verify the RPM package, download and import the ElastiFlow GPG public key:
```bash
# import public key into gpg keychain
curl -o- https://elastiflow-releases.s3.us-east-2.amazonaws.com/elastiflow.pgp | gpg --import -
# trust the public key
echo "6A2E26EFDE24AA7A634A442ED5C0572E5D212F6B:6:" | gpg --import-ownertrust
# import public key into rpm trust store
rpm --import https://elastiflow-releases.s3.us-east-2.amazonaws.com/elastiflow.pgp
```

Next, download the signature file:

```bash
curl -SLO https://elastiflow-releases.s3.us-east-2.amazonaws.com/flow-collector/flow-collector-6.4.2-1.x86_64.rpm.sig
```

Finally, verify the file with the signature:
```bash
gpg --verify flow-collector-6.4.2-1.x86_64.rpm.sig flow-collector-6.4.2-1.x86_64.rpm
```
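The checksum and signature steps above, for both the .deb and the .rpm package, collected into one script. This is an added example, not ElastiFlow's own tooling; the function names `verify_sha256` and `verify_gpg` are my own, and the script assumes coreutils (`sha256sum`, `awk`), `gpg`, and that the ElastiFlow public key has already been imported as shown. The key fingerprint is the one used in the ownertrust step. Two points the manual steps leave implicit: the `.sha256` file is served from the same bucket as the package, so a matching digest only proves the download arrived intact, while the detached `.sig` is what ties the file to ElastiFlow's key; and the script requires gpg's `VALIDSIG` status line to carry that specific fingerprint, so a good signature from any other key in the keyring is still rejected.

```bash
#!/usr/bin/env bash
# Added example (not from the ElastiFlow docs or project): script the SHA-256 and
# GPG checks for a downloaded flow-collector package.
# Assumes: sha256sum, awk, gpg; the ElastiFlow public key already imported.
set -u

# Fingerprint of the ElastiFlow signing key, as given in the ownertrust step above.
ELASTIFLOW_FPR="6A2E26EFDE24AA7A634A442ED5C0572E5D212F6B"

# verify_sha256 <package> <sha256-file>
# Compares the package digest with the hex digest in the published .sha256 file.
# Only the first field is used, so whatever file name the publisher wrote into the
# .sha256 file (possibly a path on their build host) cannot cause a false mismatch.
# Returns 0 on match, 1 on mismatch or a malformed .sha256 file.
verify_sha256() {
  local pkg="$1" sumfile="$2" expected actual
  expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile" 2>/dev/null)
  case "$expected" in
    *[!0-9a-f]*|"") echo "sha256 FAIL: no hex digest found in $sumfile" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "sha256 FAIL: digest in $sumfile is not SHA-256" >&2; return 1; }
  actual=$(sha256sum "$pkg" | awk '{print $1}')
  if [ "$expected" = "$actual" ]; then
    echo "sha256 OK: $pkg"
    return 0
  fi
  echo "sha256 FAIL: $pkg has $actual, expected $expected" >&2
  return 1
}

# verify_gpg <package> <sig-file> [expected-fingerprint]
# Reads gpg's machine-readable status lines (--status-fd) instead of relying on the
# exit code alone, and requires a VALIDSIG line that names the expected fingerprint.
# Returns 0 for a valid signature from that key, 1 otherwise.
verify_gpg() {
  local pkg="$1" sig="$2" fpr="${3:-$ELASTIFLOW_FPR}" status
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$pkg" 2>/dev/null) || {
    echo "gpg FAIL: signature on $pkg did not verify" >&2
    return 1
  }
  if printf '%s\n' "$status" | grep -qi "^\[GNUPG:\] VALIDSIG .*${fpr}"; then
    echo "gpg OK: $pkg signed by $fpr"
    return 0
  fi
  echo "gpg FAIL: $pkg carries a valid signature, but not from key $fpr" >&2
  return 1
}

# Usage: ./verify_package.sh flow-collector-6.4.2-1.x86_64.rpm
# Expects <package>.sha256 and <package>.sig beside the package, as downloaded above.
if [ "$#" -eq 1 ]; then
  verify_sha256 "$1" "$1.sha256" && verify_gpg "$1" "$1.sig"
fi
```

Run it with the package file name as its only argument after the `.sha256` and `.sig` files have been fetched into the same directory; a non-zero exit from either check means the package should not be installed.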
Ensure that libpcap-devel is Installed

The Unified Flow Collector package can be installed using yum. The collector requires that libpcap-devel also be installed.
Installing libpcap & libpcap-devel on RHEL/CentOS 7.x
```bash
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libpcap-1.5.3-12.el7.x86_64.rpm
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libpcap-devel-1.5.3-12.el7.x86_64.rpm
sudo yum install -y ./libpcap-1.5.3-12.el7.x86_64.rpm
sudo yum install -y ./libpcap-devel-1.5.3-12.el7.x86_64.rpm
```

Installing libpcap & libpcap-devel on RHEL/CentOS 8.x

```bash
sudo dnf --enablerepo=powertools install libpcap -y
sudo dnf --enablerepo=powertools install libpcap-devel -y
```

Install/Upgrade the .rpm Package

If installing the Unified Flow Collector package for the first time, i.e. NOT upgrading, run the following:

```bash
sudo yum install -y flow-collector-6.4.2-1.x86_64.rpm
```

If upgrading from a previously installed Unified Flow Collector package, run the following:

```bash
sudo rpm -Uhv flow-collector-6.4.2-1.x86_64.rpm
```

Configuration
The Unified Flow Collector is installed to run as a daemon managed by systemd. Configuration of the collector is provided via environment variables and, depending on the enabled options, via various configuration files which by default are located within /etc/elastiflow.
To configure the environment variables, edit the file /etc/systemd/system/flowcoll.service.d/flowcoll.conf. For details on all of the configuration options, please refer to the Configuration Reference.
:::tip At a minimum the Unified Flow Collector must point to a valid data store. Additionally, source flows need to be pointed to the Unified Flow Collector so it can pass those along to the data store. The most common installation uses Elasticsearch and Kibana as the data store.
To install and configure both the Elastic Stack and the ElastiFlow Unified Flow Collector, step-by-step instructions are provided for both Ubuntu/Debian and RedHat/CentOS. :::
Running the Collector
To start the collector, execute the following commands:

```bash
sudo systemctl daemon-reload && sudo systemctl start flowcoll.service
```

To ensure the collector has started and is running, execute:

```bash
sudo systemctl status flowcoll.service
```

The collector can be stopped using:

```bash
sudo systemctl stop flowcoll.service
```

If you want the collector to be started automatically when the system is booted, it must be enabled:

```bash
sudo systemctl enable flowcoll.service
```