The ELKBeats Stack: E is for Elasticsearch

Read the first item in this Table of Contents if you haven't been here before.

Table of Contents


Installing Elasticsearch

As this product is also from elastic.co, much of this will sound familiar (the prerequisites):

# apt-get update ;  apt-get install elasticsearch

This is also a large package (30+MB), but not so large as logstash.

Your configuration file is /etc/elasticsearch/elasticsearch.yaml, and in this case they do supply an example file. The settings recommended by the linode guide:

node.name: myserver
cluster.name: mytest
discovery.zen.ping.multicast.enabled: false
index.number_of_replicas: 0

Elasticsearch thinks big: it assumes it's going to be a node in a big cluster of Elasticsearch servers. It also likes to go find local nodes to join. So give your node a name, and name the cluster something unique so it won't join someone else's node with the default name.

Their reasons are based on more knowledge than I have, but at the same time the first setting is the only one already present in the example file, and the third setting doesn't even appear to be in the current documentation.

To run by hand:

# /usr/share/elasticsearch/bin/elasticsearch

Seriously?! You put your binaries under /usr/share/? Possibly the only package in history to do that. At least logstash put itself in /opt/ - much saner.

Running the binary on console gets an error dump about logging not being set up correctly, and the program immediately exits. So let's try running it as a service - it's a package, that's the way you're supposed to do it:

# systemctl start elasticsearch

Given that it's Java-based, I'd give it a few seconds to start before trying this test:

$ wget localhost:9200
...
Saving to: ‘index.html’
...

Note that by default this URL is only available locally - you can't get it from a remote machine. The response page that wget saved to index.html is actually JSON:

{
  "name" : "myserver",
  "cluster_name" : "mytest",
  "version" : {
    "number" : "2.2.0",
    "build_hash" : "8ff36d139e16f8720f2947ef62c8167a888992fe",
    "build_timestamp" : "2016-01-27T13:32:39Z",
    "build_snapshot" : false,
    "lucene_version" : "5.4.1"
  },
  "tagline" : "You Know, for Search"
}

If you see this, you're up and running. Make it a permanent service:

# systemctl enable elasticsearch

This ensures elasticsearch will be running after the machine is rebooted.

Elasticsearch logs to the /var/log/elasticsearch/ folder.


Continue to The ELKBeats Stack: K is for Kibana, the next article in this series.