How does ELK work

The ELK stack provides a powerful platform to index, search and analyze your data. It uses Logstash for log aggregation, Elasticsearch for searching, and Kibana for visualizing and analyzing data. In short, the ELK stack:

  • Collects log and event data (Logstash)
  • Makes it searchable quickly and meaningfully (Elasticsearch)
  • Summarizes and visualizes it across many dimensions (Kibana)


Install ELK

Note that all components of the stack must be installed at a consistent version: Kibana must run against an Elasticsearch node of the same major and minor version, so e.g. Elasticsearch 5.0.2 will not work with Kibana 5.2.2.

Here I take the latest version, 5.2.2 (as of 2017/03/27), as the example.

Install the Elasticsearch

Elasticsearch 5.x requires at least Java 8. Use the official Oracle distribution or an open-source distribution such as OpenJDK, and confirm the installed version with java -version before going further.

Import the Elasticsearch PGP Key

Elastic signs all of its packages with the Elasticsearch Signing Key (PGP key D88E42B4, available from Elastic's key server) with fingerprint:

4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4

Download and install the public signing key. Afterwards, rpm -q gpg-pubkey lists the imported keys; the key ID D88E42B4 should appear in the package name, and the fingerprint of the key you imported should match the one above:

rpm --import

Installing from the RPM repository

Create a file called elasticsearch.repo in the /etc/yum.repos.d/ directory for Red Hat-based distributions, or in the /etc/zypp/repos.d/ directory for openSUSE-based distributions, containing:

name=Elasticsearch repository for 5.x packages

Your repository is now ready for use, and you can install Elasticsearch:

sudo yum install elasticsearch
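An added check, not part of the original post, for the repository file: a small linter that flags any yum repository section without gpgcheck=1 and a gpgkey entry, since a repository with gpgcheck=0 lets yum install whatever the mirror serves, signed or not. It is shown on a constructed weak file beside the corrected form; the URLs in the samples are placeholders, not Elastic's real baseurl or gpgkey.

```shell
#!/bin/sh
# Added example, not from the original post: lint yum .repo files so that every
# repository enforces GPG signature checking (gpgcheck=1) and names a gpgkey.
# The two sample files below are constructed for the demo; the URLs in them
# are placeholders, not Elastic's real baseurl/gpgkey.

# For each [section] in the file $1, print "OK: [section]" or
# "WEAK: [section]: <reason>".
lint_repo_file() {
    awk '
        function report() {
            if (section == "") return
            if (gpgcheck != "1") {
                print "WEAK: " section ": gpgcheck=" (gpgcheck == "" ? "<unset>" : gpgcheck)
            } else if (gpgkey == "") {
                print "WEAK: " section ": gpgkey is not set"
            } else {
                print "OK: " section
            }
        }
        /^\[.*\]$/               { report(); section = $0; gpgcheck = ""; gpgkey = ""; next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "gpgcheck") gpgcheck = val
            if (key == "gpgkey")   gpgkey = val
        }
        END { report() }
    ' "$1"
}

# Return 0 only if no section in $1 is flagged WEAK.
repo_file_is_hardened() {
    ! lint_repo_file "$1" | grep -q '^WEAK'
}

# Constructed samples: the weak form beside the corrected one.
write_samples() {
    WEAK_REPO=$(mktemp); GOOD_REPO=$(mktemp)
    printf '%s\n' '[elasticsearch-5.x]' \
        'name=Elasticsearch repository for 5.x packages' \
        'baseurl=https://mirror.example.invalid/packages/5.x/yum' \
        'gpgcheck=0' 'enabled=1' > "$WEAK_REPO"
    printf '%s\n' '[elasticsearch-5.x]' \
        'name=Elasticsearch repository for 5.x packages' \
        'baseurl=https://mirror.example.invalid/packages/5.x/yum' \
        'gpgcheck=1' \
        'gpgkey=https://mirror.example.invalid/GPG-KEY-elasticsearch' \
        'enabled=1' > "$GOOD_REPO"
}

write_samples
lint_repo_file "$WEAK_REPO"   # WEAK: [elasticsearch-5.x]: gpgcheck=0
lint_repo_file "$GOOD_REPO"   # OK: [elasticsearch-5.x]
```

Run it against every file in /etc/yum.repos.d/ before the first yum install; with gpgcheck=1 and the signing key imported, yum refuses any package that does not carry a valid signature from a trusted key.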

Manual install

Download the RPM, check that its SHA-1 matches the checksum published alongside it on the download page, then install it:

sha1sum elasticsearch-5.2.2.rpm
sudo rpm -iv elasticsearch-5.2.2.rpm
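Added example (my own code, not the post's commands) covering both the key import above and the manual install: compare the package's SHA-1 against the published digest instead of only printing it, and compare a key's fingerprint, as printed by gpg in --with-colons form, against the expected Elasticsearch signing key fingerprint. The sample file and the gpg output line are constructed so that it runs offline; on a real host gpg --show-keys --with-colons <keyfile> (gpg 2.1.23 and later; older versions use --with-fingerprint --with-colons) produces the fpr line.

```shell
#!/bin/sh
# Added example, not the post's own commands: verify what you are about to
# install. The post runs sha1sum but never compares the result; this script
# compares the digest against an expected value and compares a key
# fingerprint (from gpg --with-colons output) against the expected
# Elasticsearch signing key fingerprint. Inputs are constructed so it runs
# offline; with a real download feed it the .rpm and the published .sha1.

# Canonical form for fingerprints/digests: strip whitespace, uppercase.
normalize() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Compare the SHA-1 of file $1 with expected digest $2. Returns 0 on match.
verify_sha1() {
    actual=$(sha1sum "$1" | awk '{print $1}')
    [ "$(normalize "$actual")" = "$(normalize "$2")" ]
}

# Read gpg --with-colons output on stdin and print the primary key
# fingerprint (field 10 of the first fpr line).
fingerprint_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Check that fingerprint $1 (any spacing/case) equals the expected one $2.
verify_fingerprint() {
    [ "$(normalize "$1")" = "$(normalize "$2")" ]
}

# Published fingerprint of the Elasticsearch Signing Key (from the post).
EXPECTED_FPR='4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4'

# Constructed stand-in for gpg --with-colons output; only the fpr line is
# used, and it carries the fingerprint above.
SAMPLE_COLONS='pub:-:4096:1:D27D666CD88E42B4::::-:::scESC::::::::
fpr:::::::::46095ACC8548582C1A2699A9D27D666CD88E42B4:'

demo() {
    pkg=$(mktemp)
    printf 'hello\n' > "$pkg"   # stands in for the downloaded .rpm
    # sha1sum of "hello\n" is f572d396fae9206628714fb2ce00f72e94f2258f
    if verify_sha1 "$pkg" 'f572d396fae9206628714fb2ce00f72e94f2258f'; then
        echo "sha1 OK"
    else
        echo "sha1 MISMATCH: do not install"
    fi
    fpr=$(printf '%s\n' "$SAMPLE_COLONS" | fingerprint_from_colons)
    if verify_fingerprint "$fpr" "$EXPECTED_FPR"; then
        echo "fingerprint OK: $fpr"
    else
        echo "fingerprint MISMATCH: do not import this key"
    fi
    rm -f "$pkg"
}

demo
```

Once the verified key has been imported with rpm --import, rpm -K elasticsearch-5.2.2.rpm (the same as rpm --checksig) verifies the package's own signature against the imported keys, which covers both the digest and the signer in one step; the checksum comparison above is the fallback when you only have a published digest.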

Preparing packages...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service

Then we enable the service at system startup and start it:

[root@localhost elasticsearch]# sudo systemctl daemon-reload
[root@localhost elasticsearch]# sudo systemctl enable elasticsearch.service
Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/elasticsearch.service.
[root@localhost elasticsearch]# sudo systemctl start elasticsearch.service

To check the service's log output via the systemd journal:

To tail the journal:

sudo journalctl -f

To list journal entries for the elasticsearch service:

sudo journalctl --unit elasticsearch

To list journal entries for the elasticsearch service starting from a given time:

sudo journalctl --unit elasticsearch --since  "2016-10-30 18:17:16"

If you are not sure where the configuration file lives, look at the arguments of the running process:

[root@localhost elasticsearch]# ps -ef | grep elasticsearch
elastic+ 101064      1 38 10:53 ?        00:00:12 /bin/java -Xms2g -Xmx2g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly 
-XX:+DisableExplicitGC -XX:+AlwaysPreTouch -server -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true 
-Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true 
-Dlog4j.skipJansi=true -XX:+HeapDumpOnOutOfMemoryError -Des.path.home=/usr/share/elasticsearch -cp /usr/share/elasticsearch/lib/elasticsearch-5.2.2.jar:/usr/share/elasticsearch/lib/* 
org.elasticsearch.bootstrap.Elasticsearch -p /var/run/elasticsearch/ --quiet -Edefault.path.logs=/var/log/elasticsearch 
root     101154 100478  0 10:54 pts/3    00:00:00 grep --color=auto elasticsearch

The important information here is:

  • default.path.conf=/etc/elasticsearch (passed as -Edefault.path.conf; that argument is cut off at the end of the listing above)
  • default.path.logs=/var/log/elasticsearch (passed as -Edefault.path.logs)
  • es.path.home=/usr/share/elasticsearch (a JVM system property, passed as -Des.path.home)
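Added example (not from the post): parse the path settings out of the command line instead of reading the ps listing by eye. The sample command line is reconstructed from the listing above, including its truncated tail, so -Edefault.path.conf is absent from it; on a real host ps -o args= -C java supplies the live command line.

```shell
#!/bin/sh
# Added example, not from the original post: read Elasticsearch's path
# settings off its command line instead of eyeballing the ps listing. The
# SAMPLE below is constructed from the listing in the post (whose tail was
# cut off, so -Edefault.path.conf is missing from it).

# Print the value of -D<name>=<value> (JVM property, e.g. es.path.home) or
# -E<name>=<value> (Elasticsearch setting, e.g. default.path.logs) found in
# the command line $1. Prints nothing and returns 1 if it is not present.
es_arg_value() {
    cmdline=$1
    name=$2
    val=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | awk -v n="$name" '
        /^-[DE]/ {
            kv = substr($0, 3)          # drop the -D / -E prefix
            eq = index(kv, "=")
            if (eq > 0 && substr(kv, 1, eq - 1) == n) { print substr(kv, eq + 1); exit }
        }')
    [ -n "$val" ] && printf '%s\n' "$val"
}

# Summarise the three paths the post calls important, marking absent ones.
es_paths() {
    for n in default.path.conf default.path.logs es.path.home; do
        v=$(es_arg_value "$1" "$n") || v='<not on the command line>'
        printf '%s=%s\n' "$n" "$v"
    done
}

# Constructed from the ps output in the post, joined into one line as ps
# prints it.
SAMPLE='/bin/java -Xms2g -Xmx2g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -server -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Dlog4j.skipJansi=true -XX:+HeapDumpOnOutOfMemoryError -Des.path.home=/usr/share/elasticsearch -cp /usr/share/elasticsearch/lib/elasticsearch-5.2.2.jar:/usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -p /var/run/elasticsearch/ --quiet -Edefault.path.logs=/var/log/elasticsearch'

es_paths "$SAMPLE"
```

The -D properties are read by the JVM and the -E settings by Elasticsearch itself, so the same function serves both; a setting that is not on the command line is reported as absent rather than guessed, which is what you want when checking whether a host really runs with the expected config and log directories.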