How to Set Up the ELK Stack on RHEL 7
The ELK Stack — Elasticsearch, Logstash, and Kibana — is the industry-standard open-source solution for centralised log management and analysis. Elasticsearch stores and indexes log data at scale, Logstash ingests and transforms log streams from any source, and Kibana provides a powerful web UI for searching, visualising, and alerting on that data. Adding Filebeat as a lightweight shipper on your application servers completes the pipeline without the overhead of running a full Logstash agent everywhere. This guide walks through installing and configuring the complete ELK 7.x stack on a single RHEL 7 server using the official Elastic YUM repository.
Prerequisites
- RHEL 7 server with at least 4 GB of RAM (8 GB recommended for production)
- At least 30 GB of free disk space for log storage
- Java 11 or later — Elasticsearch 7.x bundles its own JDK, but Logstash requires a separate JVM
- Root or sudo access
- Ports 9200, 9300 (Elasticsearch), 5601 (Kibana), and 5044 (Beats input) accessible as needed
Step 1: Add the Elastic YUM Repository
Elastic publishes an official RPM repository for all its products. Import the GPG signing key and create a single repo file that covers Elasticsearch, Logstash, and Kibana:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
cat > /etc/yum.repos.d/elasticsearch.repo <<'EOF'
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
Step 2: Install Elasticsearch
Install Elasticsearch from the repository, then enable and start the service:
yum install -y elasticsearch
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
Verify Elasticsearch is responding on its default port:
curl -s http://localhost:9200
# Expected output includes "name", "cluster_name", "version" fields
Configure Elasticsearch
Edit /etc/elasticsearch/elasticsearch.yml to configure the cluster for single-node operation and bind to the correct network interface. The most important settings for a standalone ELK server are listed below. Note that with xpack.security.enabled set to false there is no authentication at all: any host that can reach port 9200 can read, modify, or delete every index, so the firewall rules on ports 9200 and 9300 are the only access control in this setup.
# /etc/elasticsearch/elasticsearch.yml
cluster.name: elk-cluster
node.name: elk-node-1
# Data and log paths (defaults work fine; shown for reference)
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# Bind to all interfaces so Kibana can connect; restrict with firewall rules
network.host: 0.0.0.0
http.port: 9200
# Single-node discovery — required when running without a cluster
discovery.type: single-node
# Disable X-Pack security for a simple internal setup
xpack.security.enabled: false
After editing, restart Elasticsearch:
systemctl restart elasticsearch
systemctl status elasticsearch
Step 3: Install Logstash
Install Logstash. Because it runs on the JVM, also install OpenJDK 11, which Logstash 7.x requires:
yum install -y java-11-openjdk logstash
systemctl enable logstash
Create a Logstash Pipeline Configuration
Logstash pipelines are defined in files placed under /etc/logstash/conf.d/. The following pipeline accepts log lines from Filebeat on port 5044, parses them with a grok pattern, and forwards the structured events to Elasticsearch. Create the pipeline file:
cat > /etc/logstash/conf.d/filebeat-pipeline.conf <<'EOF'
input {
  beats {
    port => 5044
  }
}

filter {
  # Route on the custom field that Filebeat attaches to each input (fields.log_type)
  if [fields][log_type] == "nginx_access" {
    grok {
      match => {
        "message" => '%{COMBINEDAPACHELOG}'
      }
    }
    date {
      match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
      target => "@timestamp"
    }
    geoip {
      source => "clientip"
    }
    mutate {
      remove_field => ["message", "timestamp"]
    }
  }

  if [fields][log_type] == "syslog" {
    # The brackets around the PID must be escaped: unescaped [ ] would be a regex character class
    grok {
      match => {
        "message" => '%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}'
      }
    }
    date {
      match => ["syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss"]
      target => "@timestamp"
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
  # Uncomment for debugging:
  # stdout { codec => rubydebug }
}
EOF
Start and check Logstash:
systemctl start logstash
systemctl status logstash
# Logstash takes 30-60 seconds to fully initialise — check /var/log/logstash/logstash-plain.log
Open port 5044 in the firewall so Filebeat agents on remote hosts can connect:
firewall-cmd --permanent --add-port=5044/tcp
firewall-cmd --reload
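As an added example (not part of the original guide or of Logstash itself), the following Python reproduces what the filter block of filebeat-pipeline.conf does to a Filebeat event: it routes on the fields.log_type value that filebeat.yml attaches, applies regexes equivalent to the two grok patterns, and fills @timestamp from the matching date formats. The sample log lines are constructed, and the regexes are hand-written approximations of the grok patterns, not Logstash's own.

```python
import re
from datetime import datetime

# Regex equivalents of the two grok patterns in filebeat-pipeline.conf:
# %{COMBINEDAPACHELOG} for nginx access lines and the custom syslog pattern
# (program name plus an optional bracketed PID). geoip enrichment is not mirrored.
COMBINED_APACHE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<auth>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+) HTTP/(?P<httpversion>[\d.]+)" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SYSLOG = re.compile(
    r'^(?P<syslog_timestamp>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<syslog_hostname>\S+) (?P<syslog_program>[^\[:]+)'
    r'(?:\[(?P<syslog_pid>\d+)\])?: (?P<syslog_message>.*)$'
)

# Constructed sample lines (not real traffic), as Filebeat would ship them.
SAMPLE_NGINX = ('203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
                '"GET /login HTTP/1.1" 500 612 "-" "Mozilla/5.0"')
SAMPLE_SSHD = ('Oct 10 13:55:36 web01 sshd[2187]: Failed password for invalid '
               'user admin from 203.0.113.7 port 51022 ssh2')
SAMPLE_SYSTEMD = 'Oct 10 13:55:37 web01 systemd: Started Session 42 of user root.'

def parse_event(log_type, message, year=2023):
    """Mirror the filter {} block: route on fields.log_type, grok, set @timestamp."""
    if log_type == "nginx_access":
        m = COMBINED_APACHE.match(message)
        if not m:  # grok tags the event this way when no pattern matches
            return {"message": message, "tags": ["_grokparsefailure"]}
        ev = m.groupdict()
        # date { match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"] }
        ts = datetime.strptime(ev["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
        ev["@timestamp"] = ts.isoformat()
        del ev["timestamp"]  # mutate { remove_field => ["message", "timestamp"] }
        return ev
    if log_type == "syslog":
        m = SYSLOG.match(message)
        if not m:
            return {"message": message, "tags": ["_grokparsefailure"]}
        ev = {k: v for k, v in m.groupdict().items() if v is not None}
        # date { match => ["syslog_timestamp", "MMM d HH:mm:ss", ...] }; syslog
        # carries no year, so one is supplied (Logstash assumes the current year)
        ts = datetime.strptime(f"{year} {ev['syslog_timestamp']}", "%Y %b %d %H:%M:%S")
        ev["@timestamp"] = ts.isoformat()
        ev["message"] = message  # the syslog branch keeps the raw message
        return ev
    return {"message": message}  # no matching log_type: passed through unparsed
```

Feeding a line that matches neither pattern yields the _grokparsefailure tag, which is what to search for in Kibana when a new log format silently fails to parse.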
Step 4: Install and Configure Kibana
Install Kibana from the same Elastic repository:
yum install -y kibana
systemctl enable kibana
Edit /etc/kibana/kibana.yml to configure the server address and the Elasticsearch connection:
# /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
server.name: "elk-server"
elasticsearch.hosts: ["http://localhost:9200"]
# Optional: set a log file path
logging.dest: /var/log/kibana/kibana.log
Create the log directory, start Kibana, and open its firewall port:
mkdir -p /var/log/kibana
chown kibana:kibana /var/log/kibana
systemctl start kibana
systemctl status kibana
firewall-cmd --permanent --add-port=5601/tcp
firewall-cmd --reload
Kibana can take 60–90 seconds to start. Once it is up, browse to http://<server-ip>:5601.
Step 5: Install and Configure Filebeat on Application Servers
Filebeat is a lightweight log shipper that runs on each server whose logs you want to collect. Install it from the same Elastic repository on your application hosts:
yum install -y filebeat
systemctl enable filebeat
Edit /etc/filebeat/filebeat.yml. Comment out the default Elasticsearch output and configure the Logstash output instead:
# /etc/filebeat/filebeat.yml (key sections only)
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/nginx/access.log
    fields:
      log_type: nginx_access
    fields_under_root: false
  - type: log
    enabled: true
    paths:
      - /var/log/messages
    fields:
      log_type: syslog
    fields_under_root: false

# Disable direct Elasticsearch output
output.elasticsearch:
  enabled: false

# Send to Logstash
output.logstash:
  enabled: true
  hosts: ["elk-server.example.com:5044"]
Start Filebeat:
systemctl start filebeat
systemctl status filebeat
Step 6: Create the Kibana Index Pattern
Before you can search logs in Kibana you must define an index pattern that tells Kibana which Elasticsearch indices to query.
- Open the Kibana UI at http://<server-ip>:5601.
- Click the hamburger menu and navigate to Management > Stack Management > Index Patterns.
- Click Create index pattern.
- Enter filebeat-* as the pattern and click Next step.
- Select @timestamp as the time field and click Create index pattern.
Step 7: Explore Logs in the Discover View
Click the compass icon (Discover) in the left sidebar. Select the filebeat-* index pattern from the dropdown. You will see a histogram of incoming log volume and a list of log events below it. Use the search bar to filter by field values — for example, response:500 to find HTTP 500 errors, or syslog_program:sshd to view SSH authentication events.
Click any event row to expand it and inspect all parsed fields. Save useful searches and pin them to a dashboard to build a real-time operations view for your team.
Conclusion
You now have a fully operational ELK stack running on RHEL 7. Elasticsearch stores and indexes your log data, Logstash parses and enriches incoming streams with grok patterns, Kibana surfaces that data in a searchable, visual interface, and Filebeat provides a lightweight, low-overhead shipper that runs beside your applications. From this foundation you can add additional Logstash filters for other log formats, configure Kibana alerting rules to notify your team when error rates spike, or deploy Elasticsearch index lifecycle management policies to automatically archive or delete old data and control storage costs.