Elasticsearch is a highly scalable, open-source, full-text search and analytics engine. It is often the underlying engine that powers applications with complex search features and requirements. It exposes a RESTful API that lets you store, search, and analyze large volumes of data quickly and in near real time. Built on the Lucene library, Elasticsearch is popular among sysadmins and developers as a powerful search engine.
In the following tutorial, you will learn how to install Elasticsearch on AlmaLinux 8.
Prerequisites
- Recommended OS: AlmaLinux 8.
- User account: A user account with sudo privileges or root access (su command).
Updating Operating System
Update your AlmaLinux operating system to make sure all existing packages are up to date:
sudo dnf upgrade --refresh -y
The tutorial will use the sudo command and assumes your account has sudo privileges.
To verify sudo status on your account:
sudo whoami
Example output showing sudo status:
[joshua@localhost ~]$ sudo whoami
root
To set up an existing or new sudo account, visit our tutorial on How to Add a User to Sudoers on AlmaLinux.
To use the root account instead, log in with the root password using the following command:
su
Install cURL Package
The curl command is needed for some parts of this guide. To install this package, type the following command:
sudo dnf install curl -y
Install Java Package
To successfully install and, more importantly, use Elasticsearch, you need to install Java. The process is relatively easy.
Type the following command to install the OpenJDK package:
sudo dnf install java-11-openjdk-devel
Type “Y”, then press the “ENTER KEY” to proceed with the installation.
Confirm Java has been successfully installed with the following command:
java -version
Example output:
openjdk version "11.0.12" 2021-07-20 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.12+7-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.12+7-LTS, mixed mode, sharing)
Install Elasticsearch
Elasticsearch is not available in the standard AlmaLinux 8 AppStream repository, so you need to install it from the Elasticsearch RPM repository.
Before adding the repository, import the GPG key with the following command:
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
The next step is to create an Elasticsearch repo file as follows:
sudo nano /etc/yum.repos.d/elasticsearch.repo
Once inside the file, add the following lines:
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
To save (CTRL+O), then exit (CTRL+X).
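Before installing, you can confirm that dnf can see the new repository. This is an optional check; the repo id `elasticsearch-7.x` matches the section header added to the repo file above.

```shell
# List enabled repositories and confirm the Elasticsearch repo appears
sudo dnf repolist enabled | grep -i elasticsearch
```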
Now Install Elasticsearch using the following command:
sudo dnf install elasticsearch
Type “Y”, then press the “ENTER KEY” to proceed with the installation
By default, the Elasticsearch service is disabled on boot and not active. To start the service and enable it on system boot, type the following (systemctl) command:
sudo systemctl enable elasticsearch.service --now
Example output:
Executing: /usr/lib/systemd/systemd-sysv-install enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /usr/lib/systemd/system/elasticsearch.service.
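If you want to double-check the service state at any time, systemctl can report both the running status and whether the service is enabled on boot:

```shell
# Show the current state of the Elasticsearch service
systemctl status elasticsearch.service --no-pager

# Confirm the service is enabled on boot (prints "enabled")
systemctl is-enabled elasticsearch.service
```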
Verify that Elasticsearch is running correctly by using the curl command to send an HTTP request to port 9200 on localhost as follows:
curl -X GET "localhost:9200/"
If Elasticsearch is running, the command returns a JSON object describing the node, including the node name, cluster name, version details, and the tagline "You Know, for Search". Note that the service can take 30 seconds or more to start accepting connections after boot.
To view the systemd journal messages logged by Elasticsearch, type the following command:
sudo journalctl -u elasticsearch
Example output log:
-- Logs begin at Sat 2021-08-21 01:54:10 EDT, end at Sat 2021-08-21 02:11:00 EDT. --
Aug 21 02:09:17 localhost.localdomain systemd[1]: Starting Elasticsearch...
Aug 21 02:09:43 localhost.localdomain systemd[1]: Started Elasticsearch.
How to Configure Elasticsearch
Elasticsearch stores its data in the default directory location (/var/lib/elasticsearch). The configuration files are located in (/etc/elasticsearch), and Java start-up options can be configured in the (/etc/sysconfig/elasticsearch) file on RPM-based systems such as AlmaLinux.
The default settings are fine for a single server, as Elasticsearch listens on localhost only. However, if you are setting up a cluster, you will need to modify the configuration file to allow remote connections.
Set-up Remote Access (Optional)
By default, Elasticsearch listens only to localhost. To change this, open up the configuration file as follows:
sudo nano /etc/elasticsearch/elasticsearch.yml
Scroll down to around line 56, find the Network section, uncomment the (network.host) line, and replace its value with your internal private IP address or external IP address. For example (the IP here is a placeholder):

network.host: 192.168.1.10

For security purposes, it is best to specify an address. However, if multiple internal or external IP addresses need to reach the server, you can listen on all interfaces by entering (0.0.0.0) as follows:

network.host: 0.0.0.0
Save the configuration file (CTRL+O), then exit (CTRL+X).
You will need to restart the Elasticsearch service with the following command for changes to take effect:
sudo systemctl restart elasticsearch
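After restarting, you can confirm that Elasticsearch is bound to the new address. Replace the placeholder IP below with the address you set for network.host:

```shell
# Check which address Elasticsearch is listening on for port 9200
sudo ss -tlnp | grep 9200

# Send a test request to the configured address (placeholder IP)
curl -X GET "http://192.168.1.10:9200/"
```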
How to Use Elasticsearch
Using Elasticsearch with the curl command is a straightforward process. Below are some of the most commonly used operations.
Delete index
Below, the index is named samples.
curl -X DELETE 'http://localhost:9200/samples'
List all indexes
curl -X GET 'http://localhost:9200/_cat/indices?v'
List all docs in index
curl -X GET 'http://localhost:9200/samples/_search'
Query using URL parameters
Here we use the Lucene query format to write q=school:Harvard.
curl -X GET 'http://localhost:9200/samples/_search?q=school:Harvard'
Query with JSON aka Elasticsearch Query DSL
You can query using parameters on the URL, but you can also use JSON, as shown in the following example. JSON is easier to read and debug for a complex query than one giant string of URL parameters.
curl -XGET --header 'Content-Type: application/json' http://localhost:9200/samples/_search -d '{
"query" : {
"match" : { "school": "Harvard" }
}
}'
List index mapping
All Elasticsearch fields are indexed, so this lists all fields and their types in an index.
curl -X GET http://localhost:9200/samples
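If you only want the field mappings without the index settings, the dedicated _mapping endpoint narrows the response:

```shell
# Return only the field mappings for the samples index
curl -X GET 'http://localhost:9200/samples/_mapping?pretty'
```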
Add Data
curl -XPUT --header 'Content-Type: application/json' http://localhost:9200/samples/_doc/1 -d '{
"school" : "Harvard"
}'
Update Doc
Here is how to add fields to an existing document. First, we create a new one. Then we update it.
curl -XPUT --header 'Content-Type: application/json' http://localhost:9200/samples/_doc/2 -d '
{
"school": "Clemson"
}'
curl -XPOST --header 'Content-Type: application/json' http://localhost:9200/samples/_update/2 -d '{
"doc" : {
"students": 50000}
}'
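To confirm the update took effect, you can fetch the document by its ID; the response should now include both the school and students fields:

```shell
# Retrieve document 2 from the samples index and inspect its source
curl -X GET 'http://localhost:9200/samples/_doc/2?pretty'
```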
Backup index
curl -XPOST --header 'Content-Type: application/json' http://localhost:9200/_reindex -d '{
"source": {
"index": "samples"
},
"dest": {
"index": "samples_backup"
}
}'
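Once the reindex finishes, the backup index should appear alongside the original:

```shell
# List indexes and check that samples_backup is present
curl -s 'http://localhost:9200/_cat/indices?v' | grep samples_backup
```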
Bulk load data in JSON format
export pwd="elastic:"
curl --user $pwd -H 'Content-Type: application/x-ndjson' -XPOST 'https://58571402f5464923883e7be42a037917.eu-central-1.aws.cloud.es.io:9243/0/_bulk?pretty' --data-binary @<file>
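The _bulk endpoint expects newline-delimited JSON (NDJSON): each document source is preceded by an action line, and the file must end with a newline. A minimal example file, reusing the samples index from earlier against a local instance with no authentication, might look like this:

```shell
# Create a minimal NDJSON file for the _bulk API; each action line
# is followed by the document source, and the file ends with a newline
cat > bulk.json <<'EOF'
{ "index" : { "_index" : "samples", "_id" : "3" } }
{ "school" : "Yale" }
{ "index" : { "_index" : "samples", "_id" : "4" } }
{ "school" : "Princeton" }
EOF

# Load the file into a local Elasticsearch instance
curl -H 'Content-Type: application/x-ndjson' -XPOST 'http://localhost:9200/_bulk?pretty' --data-binary @bulk.json
```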
Show cluster health
curl --user $pwd -H 'Content-Type: application/json' -XGET https://58571402f5464923883e7be42a037917.eu-central-1.aws.cloud.es.io:9243/_cluster/health?pretty
Aggregation and Bucket Aggregation
For an Nginx web server, this produces web hit counts by user city:
curl -XGET --user $pwd --header 'Content-Type: application/json' https://58571402f5464923883e7be42a037917.eu-central-1.aws.cloud.es.io:9243/logstash/_search?pretty -d '{
"aggs": {
"cityName": {
"terms": {
"field": "geoip.city_name.keyword",
"size": 50
}
}
}
}
'
This expands the previous query to produce response code counts per city from an Nginx web server log:
curl -XGET --user $pwd --header 'Content-Type: application/json' https://58571402f5464923883e7be42a037917.eu-central-1.aws.cloud.es.io:9243/logstash/_search?pretty -d '{
"aggs": {
"city": {
"terms": {
"field": "geoip.city_name.keyword"
},
"aggs": {
"responses": {
"terms": {
"field": "response"
}
}
}
},
"responses": {
"terms": {
"field": "response"
}
}
}
}'
Using Elasticsearch with Basic Authentication
If you have enabled security in Elasticsearch, you need to supply the user and password, as shown below, with every curl command:
curl -X GET 'http://localhost:9200/_cat/indices?v' -u elastic:(password)
Pretty Print
Add ?pretty=true to any search to pretty-print the JSON, like this:
curl -X GET 'http://localhost:9200/(index)/_search?pretty=true'
To query and return only certain fields
To return only certain fields, put them into the _source array:
GET filebeat-7.6.2-2020.05.05-000001/_search
{
"_source": ["suricata.eve.timestamp","source.geo.region_name","event.created"],
"query": {
"match" : { "source.geo.country_iso_code": "GR" }
}
}
To Query by Date
When the field is of type date, you can use date math, like this:
GET filebeat-7.6.2-2020.05.05-000001/_search
{
"query": {
"range" : {
"event.created": {
"gte" : "now-7d/d"
}
}
}
}
How to Remove (Uninstall) Elasticsearch
If you no longer require Elasticsearch, you can remove the software with the following command:
sudo dnf autoremove elasticsearch
Type “Y”, then press the “ENTER KEY” to proceed with the removal of Elasticsearch.
Comments and Conclusion
In this tutorial, you have learned how to install Elasticsearch on AlmaLinux 8 from Elasticsearch's official repository and configure the basics. Overall, Elasticsearch has many popular features; some were mentioned at the start of the tutorial, and others include letting users search across multiple fields with a single query. Elasticsearch also provides an outstanding level of sharding, which means horizontal scalability that maintains performance even as load increases.
For further reading, visit the official documentation page.