Test

  • MyrinNew
    Senior Member
    • Feb 2024
    • 5175

    #1

    Ps - this is still in progress

    🧱 OFFLINE ELK 9.2 ARCHITECTURE (RPM BASED)


    Server   Role            RPM needed

    es01     Elasticsearch   elasticsearch-9.2.x-x86_64.rpm
    ls01     Logstash        logstash-9.2.x-x86_64.rpm
    kb01     Kibana          kibana-9.2.x-x86_64.rpm





    🔴 STEP 1 — COMMON OS PREP (ALL 3 SERVERS)


    1.1 Login as root


    sudo -i





    1.2 Set hostname


    hostnamectl set-hostname es01 # ES server

    hostnamectl set-hostname ls01 # Logstash server

    hostnamectl set-hostname kb01 # Kibana server


    Re-login after this.





    1.3 /etc/hosts (MANDATORY)


    vi /etc/hosts


    10.10.10.11 es01

    10.10.10.12 ls01

    10.10.10.13 kb01





    1.4 Disable swap

    swapoff -a
    # comment the swap entries out instead of deleting every fstab line that contains the word "swap"
    sed -i '/[[:space:]]swap[[:space:]]/ s/^/#/' /etc/fstab





    1.5 Kernel tuning

    # any file name under /etc/sysctl.d/ works; sysctl --system loads them all
    cat > /etc/sysctl.d/99-elasticsearch.conf <<'EOF'
    vm.max_map_count=262144
    fs.file-max=2097152
    EOF

    sysctl --system

    Verify:

    sysctl vm.max_map_count





    1.6 Firewall

    Open only the port each host serves (one block per host, not all three everywhere).

    Elasticsearch (es01)
    firewall-cmd --add-port=9200/tcp --permanent   # HTTPS API, used by ls01 and kb01
    firewall-cmd --add-port=9300/tcp --permanent   # transport; only needed once a second node joins (HA ES)

    Logstash (ls01)
    firewall-cmd --add-port=5044/tcp --permanent   # Beats input

    Kibana (kb01)
    firewall-cmd --add-port=5601/tcp --permanent   # browser UI

    firewall-cmd --reload

    Tighter: a firewalld rich rule limiting 9200 to the ls01 and kb01 addresses, rather than opening it to every source.





    🔴 STEP 2 — INSTALL ELASTICSEARCH (RPM ONLY) — es01


    2.1 Copy RPM


    scp elasticsearch-9.2.*.rpm root@es01:/opt/





    2.2 Install RPM (NO REPO)


    cd /opt

    dnf localinstall elasticsearch-9.2.*.rpm -y


    ✔ User elasticsearch is created automatically

    ✔ Systemd service is created





    2.3 Create cert directory


    mkdir -p /etc/elasticsearch/certs

    chown elasticsearch:elasticsearch /etc/elasticsearch/certs

    chmod 750 /etc/elasticsearch/certs





    2.4 Generate CA (OFFLINE)

    /usr/share/elasticsearch/bin/elasticsearch-certutil ca \
      --out /etc/elasticsearch/certs/elastic-stack-ca.p12

    Press ENTER at the password prompt (or set one and record it; 2.5 and 2.6 ask for it again).
    Without --out the file is written to /usr/share/elasticsearch, not to the current directory.





    2.5 Generate HTTP cert

    /usr/share/elasticsearch/bin/elasticsearch-certutil http

    Answer EXACTLY:

    Generate a CSR?                  no
    Use existing CA?                 yes
    CA path                          /etc/elasticsearch/certs/elastic-stack-ca.p12
    CA password                      ENTER (none set in 2.4)
    Validity                         10y   (the prompt needs a unit: y, m or d)
    Generate a certificate per node? no
    Hostname                         es01
    IP                               10.10.10.11
    Password for http.p12            ENTER for none (a non-empty one must also be stored with
                                     elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password)

    The zip is written to /usr/share/elasticsearch/elasticsearch-ssl-http.zip unless you typed another
    path at the last prompt. It holds the keystore and a PEM copy of the CA; keep both, because Kibana,
    Logstash and curl cannot read a .p12 as a CA bundle.

    Extract:

    unzip /usr/share/elasticsearch/elasticsearch-ssl-http.zip -d /tmp/es-http
    cp /tmp/es-http/elasticsearch/http.p12 /etc/elasticsearch/certs/
    cp /tmp/es-http/kibana/elasticsearch-ca.pem /etc/elasticsearch/certs/ca.pem
    rm -rf /tmp/es-http





    2.6 Generate transport cert

    /usr/share/elasticsearch/bin/elasticsearch-certutil cert \
      --ca /etc/elasticsearch/certs/elastic-stack-ca.p12 \
      --out /etc/elasticsearch/certs/transport.p12

    Press ENTER for the CA password and again for the new keystore password (or record both and add
    the latter to the keystore as xpack.security.transport.ssl.keystore.secure_password). The cert has
    no SAN, which is fine for verification_mode: certificate.

    Permissions:

    chown elasticsearch:elasticsearch /etc/elasticsearch/certs/*
    chmod 600 /etc/elasticsearch/certs/*





    2.7 Configure Elasticsearch

    vi /etc/elasticsearch/elasticsearch.yml

    # The RPM post-install already appended a block between
    # "#----- BEGIN SECURITY AUTO CONFIGURATION -----" and "#----- END SECURITY AUTO CONFIGURATION -----"
    # with its own auto-generated http.p12/transport.p12, cluster.initial_master_nodes and enrollment.
    # Delete that block: initial_master_nodes conflicts with discovery.type: single-node, and the
    # secure_password entries it stored in the keystore belong to the auto-generated keystores,
    # not to the ones built in 2.4-2.6 (check with elasticsearch-keystore list and remove
    # xpack.security.http.ssl.keystore.secure_password and the transport keystore/truststore
    # secure_password entries, or set them to the passwords you chose).

    cluster.name: prod-cluster
    node.name: es01

    path.data: /var/lib/elasticsearch
    path.logs: /var/log/elasticsearch

    network.host: 0.0.0.0       # or 10.10.10.11 to avoid listening on every interface
    http.port: 9200
    discovery.type: single-node

    xpack.security.enabled: true

    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: certs/http.p12            # relative to /etc/elasticsearch

    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.keystore.path: certs/transport.p12   # also holds the CA, so it serves as truststore
    xpack.security.transport.ssl.verification_mode: certificate





    2.8 Start Elasticsearch

    systemctl daemon-reload
    systemctl enable elasticsearch
    systemctl start elasticsearch





    2.9 Set passwords


    /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

    /usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system


    ✔ SAVE THEM





    2.10 Verify ES

    # ca.pem is the PEM CA from the certutil http zip (kibana/elasticsearch-ca.pem);
    # -k would also "work" but skips the check that the cert chains to your CA and names es01
    curl --cacert /etc/elasticsearch/certs/ca.pem -u elastic https://es01:9200





    🔴 STEP 3 — INSTALL LOGSTASH (RPM ONLY) — ls01


    3.1 Copy RPM


    scp logstash-9.2.*.rpm root@ls01:/opt/





    3.2 Install


    cd /opt

    dnf localinstall logstash-9.2.*.rpm -y





    3.3 Copy CA from ES

    mkdir -p /etc/logstash/certs
    # Logstash loads the CA as PEM only; the .p12 will not work here.
    # ca.pem is kibana/elasticsearch-ca.pem from the certutil http zip, saved on es01 in 2.5
    scp root@es01:/etc/elasticsearch/certs/ca.pem /etc/logstash/certs/





    3.4 Logstash keystore

    # --path.settings puts the keystore in /etc/logstash, where the RPM's systemd unit looks for it
    /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
    /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_PWD

    Paste the elastic password (elastic is the superuser; a dedicated user with a write-only role is the
    production choice). Make sure the logstash user can read /etc/logstash/logstash.keystore.





    3.5 Logstash pipeline

    vi /etc/logstash/conf.d/beats.conf

    input {
      beats {
        port => 5044
        # plain TCP: agents ship logs in clear until ssl_enabled/ssl_certificate/ssl_key are set (see Mutual TLS)
      }
    }

    output {
      elasticsearch {
        hosts    => ["https://es01:9200"]
        user     => "elastic"        # superuser; use a dedicated writer role/user in production
        password => "${ES_PWD}"      # resolved from the Logstash keystore (3.4)
        ssl_enabled => true
        # must be PEM; the plugin cannot load a .p12 as a CA bundle
        ssl_certificate_authorities => ["/etc/logstash/certs/ca.pem"]
      }
    }





    3.6 Start Logstash


    systemctl enable logstash

    systemctl start logstash





    🔴 STEP 4 — INSTALL KIBANA (RPM ONLY) — kb01


    4.1 Copy RPM


    scp kibana-9.2.*.rpm root@kb01:/opt/





    4.2 Install


    cd /opt

    dnf localinstall kibana-9.2.*.rpm -y





    4.3 Copy CA

    # Kibana loads the CA as PEM only (ca.pem = kibana/elasticsearch-ca.pem from the certutil http zip,
    # saved on es01 in 2.5); a .p12 is rejected
    scp root@es01:/etc/elasticsearch/certs/ca.pem /etc/kibana/





    4.4 Configure Kibana

    vi /etc/kibana/kibana.yml

    server.host: "0.0.0.0"     # or "10.10.10.13"; Kibana itself serves plain HTTP here (no server.ssl.*)
    server.port: 5601

    elasticsearch.hosts: ["https://es01:9200"]
    elasticsearch.username: "kibana_system"
    elasticsearch.password: "PASTE_PASSWORD"   # kibana_system password from 2.9; keep kibana.yml readable by root and
                                               # the kibana group only, or store it with kibana-keystore add elasticsearch.password
                                               # and drop this line

    # must be the PEM CA copied in 4.3; the .p12 CA does not load
    elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/ca.pem"]





    4.5 Start Kibana


    systemctl enable kibana

    systemctl start kibana


    Access:








    🔴 STEP 5 — FINAL CHECKS


    Component   Command

    ES          curl --cacert /etc/elasticsearch/certs/ca.pem -u elastic https://es01:9200
                (ca.pem = PEM CA from the certutil http zip; -k would skip the chain check)
    LS          ss -lntp   (5044 listening, owned by the logstash java process)
    KB          Browser UI
    Security    HTTPS + login





    THIS IS THE CORRECT WAY FOR RPM-ONLY INSTALLS


    No repos

    No internet

    No missing steps

    No shortcuts


    If you want next (step-by-step again):


    Filebeat on IBM AIX


    Mutual TLS


    HA ES (3 nodes)


    SELinux enforcement


    Hardening checklist


    Please let me know in the comments.




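Added example (editor's, not part of MyrinNew's post): a preflight for the three config files the guide edits in 2.7, 3.5 and 4.4. It flags the mistakes that let every service start and then fail on the first TLS or auth exchange: a .p12 where a PEM CA bundle is required, a password typed into the yml instead of a keystore reference, a listener on 0.0.0.0, HTTP TLS not enabled on the ES node, and a config or keystore file that is world-readable. The file paths are arguments; the sample configs in the test are constructed.

```shell
#!/bin/sh
# Editor's example, not from the post. Run on each host with the file(s) to
# check, e.g.:  sh preflight.sh /etc/kibana/kibana.yml
# Assumed: configs in the guide's layout (kibana.yml, elasticsearch.yml, a
# Logstash pipeline file); CA paths appear on the certificateAuthorities /
# ssl_certificate_authorities / cacert lines.
set -u

# ca_paths FILE: every CA path a Kibana yml or Logstash pipeline references
ca_paths() {
  grep -E 'certificateAuthorities|ssl_certificate_authorities|cacert' "$1" 2>/dev/null \
    | grep -Eo '/[^] ",]+' || true
}

# ca_is_pem FILE: Kibana and the Logstash ES output load PEM only
ca_is_pem() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; }

# has_plaintext_secret FILE: a password value that is not a ${VAR} keystore reference
has_plaintext_secret() {
  grep -Eq '^[[:space:]]*(elasticsearch\.)?password[[:space:]]*(:|=>)[[:space:]]*"?[^"$[:space:]]' "$1"
}

# binds_all_interfaces FILE: network.host / server.host set to 0.0.0.0
binds_all_interfaces() {
  grep -Eq '^[[:space:]]*(network\.host|server\.host):[[:space:]]*"?0\.0\.0\.0' "$1"
}

# http_tls_enabled ES_YML: xpack.security.http.ssl.enabled must be true
http_tls_enabled() {
  grep -Eq '^[[:space:]]*xpack\.security\.http\.ssl\.enabled:[[:space:]]*true' "$1"
}

# world_readable FILE: any "other" permission bit set (GNU stat, BSD fallback)
world_readable() {
  m=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  case $m in *[1-7]) return 0 ;; *) return 1 ;; esac
}

# preflight FILE...: prints one line per finding; returns 1 if there were any
preflight() {
  bad=0
  for f in "$@"; do
    if [ ! -r "$f" ]; then echo "$f: not readable"; bad=1; continue; fi
    for ca in $(ca_paths "$f"); do
      ca_is_pem "$ca" || { echo "$f: CA $ca is not PEM (export it from the .p12 with openssl pkcs12 -nokeys)"; bad=1; }
    done
    if has_plaintext_secret "$f"; then
      echo "$f: password in clear text; move it to the component keystore"; bad=1
    fi
    if binds_all_interfaces "$f"; then
      echo "$f: bound to 0.0.0.0; bind to the host address or restrict sources in firewalld"; bad=1
    fi
    case $f in
      *elasticsearch.yml)
        http_tls_enabled "$f" || { echo "$f: xpack.security.http.ssl.enabled is not true"; bad=1; } ;;
    esac
    if world_readable "$f"; then
      echo "$f: world-readable; chmod o-rwx"; bad=1
    fi
  done
  return $bad
}

[ $# -eq 0 ] || preflight "$@"
```

Exit status 0 means no findings, so the call drops straight into a deployment script; the messages name the fix rather than just the symptom. Run it against the pipeline file and the keystore on ls01 as well, since a readable logstash.keystore leaks ES_PWD to every local user.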