Wednesday, February 18, 2015

Install ElasticSearch 1.3 on CentOS 6 for Graylog2 1.0

Graylog2 1.0 requires ElasticSearch 1.3 or newer. To meet this requirement you will need to install ElasticSearch; I recommend putting it on a separate server so the environment can grow. Disk IOPS matter a great deal here.

First, make sure your CentOS 6 is fully patched:
#yum update

Then install Java 1.7:
#yum install java
Make sure that it prompts you to install Java 1.7 (look for the below text):

Set up the ElasticSearch Repositories and install Elasticsearch 1.3:

Import the key:
#rpm --import

Create a new repository file in /etc/yum.repos.d/ named elasticsearch.repo with the following contents:
name=Elasticsearch repository for 1.3.x packages

Install ElasticSearch:
#yum install elasticsearch

Add ElasticSearch to boot process:
#chkconfig --add elasticsearch

Stop the elasticsearch service so that we can update the cluster name:
#service elasticsearch stop

Edit the /etc/elasticsearch/elasticsearch.yml file to update your variable. Ex: graylog2_production

Update any additional settings needed and save the file. I recommend updating the and path.logs to custom directories.

Start the elasticsearch service and set it to run on startup:
#service elasticsearch start
#chkconfig elasticsearch on

Check your logs to make sure that it started properly and joined the cluster (if there is an existing one).

Graylog2 also recommends increasing the open file limit to at least 64000, as described in its Configuring and tuning Elasticsearch documentation. I did this by raising the ulimit for open files as shown below.

Edit /etc/sysctl.conf and add the following line at the end:
fs.file-max = 65536

Save the file. Next edit /etc/security/limits.conf and add the following lines:
*               soft    nproc           65535
*               hard    nproc           65535
*               soft    nofile          65535
*               hard    nofile          65535

Save the file and restart the server.
#shutdown -r now

Once restarted, verify that the max open file ulimit has been increased.
# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 30507
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 65535
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 10240
cpu time               (seconds, -t) unlimited
max user processes              (-u) 65535
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

Another recommended setting is to increase ES_HEAP_SIZE. I did this by editing /etc/init.d/elasticsearch and adding the following line after checkJava under start():

They recommend that you leave 50% of your memory for other system functions, and I had 4 GB of RAM, hence the 2g setting.
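The ulimit -a output above reflects the login shell, not necessarily the elasticsearch daemon started by the init script, so it is worth confirming the limit the running process actually has. The following POSIX sh helpers are an added example, not part of the original post: they read the "*" nofile entries from a limits.conf, the soft "Max open files" value from a /proc/<pid>/limits file, and cluster.name from an elasticsearch.yml, and fail if any is missing or below the 64000 figure quoted above. The sample files they are demonstrated against are constructed here; the pgrep pattern in the usage comment is an assumption about how the 1.x process appears in the process list.

```shell
#!/bin/sh
# Added verification helpers (not from the original post). Each function takes a
# file path, so it can be pointed at the real files on the Elasticsearch server or
# at the constructed samples created by make_samples below.

# Minimum open-file limit recommended for Elasticsearch under Graylog2 (from the post).
MIN_NOFILE=64000

# Smallest nofile value (soft or hard) declared for "*" in a limits.conf; 0 if none.
limits_conf_nofile() {
    awk '$1 == "*" && $3 == "nofile" { if (min == "" || $4 < min) min = $4 }
         END { print min + 0 }' "$1"
}

# Soft "Max open files" value from a /proc/<pid>/limits file; empty if absent.
proc_max_open_files() {
    awk '/^Max open files/ { print $4 }' "$1"
}

# cluster.name from an elasticsearch.yml; empty if unset or commented out.
es_cluster_name() {
    sed -n 's/^[[:space:]]*cluster\.name:[[:space:]]*//p' "$1" | head -n 1
}

# Exit 0 if the configured limit, the live process limit and the cluster name all
# look right; otherwise print each problem and exit 1.
check_es_node() {
    limits_file=$1; proc_file=$2; yml_file=$3
    conf=$(limits_conf_nofile "$limits_file")
    proc=$(proc_max_open_files "$proc_file")
    name=$(es_cluster_name "$yml_file")
    ok=0
    [ "$conf" -ge "$MIN_NOFILE" ] || { echo "limits.conf nofile $conf < $MIN_NOFILE"; ok=1; }
    { [ -n "$proc" ] && [ "$proc" -ge "$MIN_NOFILE" ]; } \
        || { echo "running process max open files '$proc' < $MIN_NOFILE"; ok=1; }
    { [ -n "$name" ] && [ "$name" != "elasticsearch" ]; } \
        || { echo "cluster.name unset or still the default ('$name')"; ok=1; }
    return $ok
}

# Constructed sample files (one good set, one bad set) for offline demonstration.
# Prints the directory they were written to.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/good.limits" <<'EOF'
*               soft    nofile          65535
*               hard    nofile          65535
EOF
    cat > "$d/bad.limits" <<'EOF'
*               soft    nofile          1024
*               hard    nofile          4096
EOF
    cat > "$d/good.proc" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max open files            65535                65535                files
EOF
    cat > "$d/bad.proc" <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max open files            1024                 4096                 files
EOF
    printf 'cluster.name: graylog2_production\n' > "$d/good.yml"
    printf '#cluster.name: elasticsearch\n' > "$d/bad.yml"
    printf '%s\n' "$d"
}

# Demo against the constructed samples. On the real server you would run e.g.
# (assumed pgrep pattern):
#   check_es_node /etc/security/limits.conf \
#       /proc/$(pgrep -f org.elasticsearch.bootstrap.Elasticsearch)/limits \
#       /etc/elasticsearch/elasticsearch.yml
SAMPLES=$(make_samples)
check_es_node "$SAMPLES/good.limits" "$SAMPLES/good.proc" "$SAMPLES/good.yml" \
    && echo "good sample: OK"
check_es_node "$SAMPLES/bad.limits" "$SAMPLES/bad.proc" "$SAMPLES/bad.yml" \
    || echo "bad sample: problems found (expected)"
```

Checking /proc/<pid>/limits is the point of the exercise: the daemon inherits whatever the init script gave it, which can differ from what a freshly logged-in root shell reports. Note that the Elasticsearch RPM init script reads its own MAX_OPEN_FILES value from /etc/sysconfig/elasticsearch, so if the process limit still comes out low after the reboot, that file is the next place to look.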

Dustin Shaw
