Wednesday, February 18, 2015

Install ElasticSearch 1.3 on CentOS 6 for Graylog2 1.0

Graylog2 1.0 requires ElasticSearch 1.3 or later. To meet this requirement you will need to install ElasticSearch - I recommend doing so on a separate server so the environment can grow. Disk IOPS matters here.


First, make sure your CentOS 6 is fully patched:
#yum update


Then install Java 1.7:
#yum install java
Make sure that it prompts you to install Java 1.7 (look for the text below):
Installing:
 java-1.7.0-openjdk



Set up the ElasticSearch repository and install ElasticSearch 1.3:


Import the key:
#rpm --import https://packages.elasticsearch.org/GPG-KEY-elasticsearch


Create a new repository file in /etc/yum.repos.d/ named elasticsearch.repo with the following contents (gpgcheck=1 makes yum verify each package signature against the key imported above):
[elasticsearch-1.3]
name=Elasticsearch repository for 1.3.x packages
baseurl=http://packages.elasticsearch.org/elasticsearch/1.3/centos
gpgcheck=1
gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch
enabled=1


Install ElasticSearch:
#yum install elasticsearch


Add ElasticSearch to boot process:
#chkconfig --add elasticsearch

Stop the elasticsearch service so that we can update the cluster name:
#service elasticsearch stop



Edit the /etc/elasticsearch/elasticsearch.yml file to update your cluster.name variable. For example:
cluster.name: graylog2_production

Update any additional settings needed and save the file. I recommend updating the path.data and path.logs to custom directories.



Start the elasticsearch service and set it to run on startup:
#service elasticsearch start
#chkconfig elasticsearch on



Check the ElasticSearch logs to make sure that it started properly and, if there is an existing cluster, that it joined it.



For Graylog2, the recommended settings also include raising the open file limit to at least 64000, as described in the Configuring and tuning Elasticsearch documentation. I did this by raising the ulimit maximum for open files as shown below.



Edit /etc/sysctl.conf and add the following line at the end:
fs.file-max = 65536



Save the file. Next edit /etc/security/limits.conf and add the following lines:
*               soft    nproc           65535
*               hard    nproc           65535
*               soft    nofile          65535
*               hard    nofile          65535




Save the file and restart the server.
#shutdown -r now



Once restarted, verify that the max open files ulimit has been increased (the "open files" line below should now read 65535).
# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 30507
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 65535
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 65535
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited




Another recommended setting is to increase ES_HEAP_SIZE. I did this by editing /etc/init.d/elasticsearch and adding the following line after checkJava under start():
ES_HEAP_SIZE=2g



The Elasticsearch documentation recommends leaving 50% of your memory for the rest of the system, and I had 4 GB of RAM, hence the 2g setting.
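One more check worth running after the ulimit and heap steps above, added here as an example and not part of the original post: "ulimit -a" in your own shell reports your session's limits, while the limits the daemon actually received are in /proc/<pid>/limits and its heap size is in its command line. The helper below assumes the daemon can be found by its main class name (org.elasticsearch.bootstrap.Elasticsearch) and uses the 64000 floor quoted above; the sample inputs are constructed.

```shell
#!/bin/sh
# Added verification helper (not from the original post): inspects the
# limits and heap the running Elasticsearch JVM really got, rather than
# the limits of whatever shell you are logged into.

# Soft "Max open files" limit from the text of /proc/<pid>/limits.
# Row layout: Max open files <soft> <hard> files -> soft limit is field 4.
es_open_files_limit() {
    printf '%s\n' "$1" | awk '/^Max open files/ { print $4 }'
}

# Value given to -Xmx on a java command line, e.g. "2g"; empty if unset.
es_heap_max() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^-Xmx//p' | head -n 1
}

# Succeeds when the open-file limit meets the 64000 floor for Graylog2.
es_limit_ok() {
    [ "$1" -ge 64000 ] 2>/dev/null
}

# Live check against the running daemon (assumes pgrep from procps and
# that the JVM is identifiable by its bootstrap class name).
check_running_es() {
    pid=$(pgrep -f 'org.elasticsearch.bootstrap.Elasticsearch' | head -n 1)
    [ -n "$pid" ] || { echo "elasticsearch is not running"; return 1; }
    limit=$(es_open_files_limit "$(cat /proc/"$pid"/limits)")
    heap=$(es_heap_max "$(tr '\0' ' ' < /proc/"$pid"/cmdline)")
    echo "pid=$pid open_files=$limit heap_max=${heap:-default}"
    es_limit_ok "$limit" || { echo "open file limit is below 64000"; return 1; }
}

# Constructed sample input mimicking /proc/<pid>/limits and cmdline, so the
# parsers can be exercised offline.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            65535                65535                files
Max processes             65535                65535                processes'
SAMPLE_CMDLINE='/usr/bin/java -Xms2g -Xmx2g -Xss256k -Des.path.home=/usr/share/elasticsearch org.elasticsearch.bootstrap.Elasticsearch'
```

Run check_running_es as root on the ElasticSearch host once the service is up; a limit below 64000 there means the daemon did not inherit the limits.conf change and the init script or sysconfig needs attention.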



------
Dustin Shaw
VCP