Beginning Elastic Stack - Installing Elastic 7.9 on Ubuntu 20.04
By Securitynik on 2020-10-05 12:53:29
In this post, we are installing Elastic Stack version 7.9 on Ubuntu 20.04. I would like to think this process should work for versions just prior to 7.9 and may also work for versions just after.
root@securitynik-monitoring:~# lsb_release --all
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:        20.04
Codename:       focal
First step, let's update the server, ensuring we have all the necessary updates.
root@securitynik-monitoring:~# apt-get update && apt-get upgrade -y
Now that the server is up-to-date, let's install Elasticsearch.
Import the Elasticsearch PGP key. This key is used to verify every package we install from the Elastic repository, for the rest of the components as well.
root@securitynik-monitoring:~# wget -qO - | sudo apt-key add -
Now install the "apt-transport-https" package and save the repository definition.
root@securitynik-monitoring:~# apt-get install apt-transport-https
root@securitynik-monitoring:~# echo "deb stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
deb stable main
With the dependencies installed, time to install Elasticsearch.
root@securitynik-monitoring:~# apt-get update && apt-get install elasticsearch
Get:1 stable/main amd64 elasticsearch amd64 7.9.2 [317 MB]
Fetched 317 MB in 10s (32.3 MB/s)
Selecting previously unselected package elasticsearch.
(Reading database ... 87809 files and directories currently installed.)
Preparing to unpack .../elasticsearch_7.9.2_amd64.deb ...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Unpacking elasticsearch (7.9.2) ...
Setting up elasticsearch (7.9.2) ...
Created elasticsearch keystore in /etc/elasticsearch/elasticsearch.keystore
Processing triggers for systemd (245.4-4ubuntu3.2) ...
With Elasticsearch now installed, switch to the Elasticsearch configuration directory and modify the "elasticsearch.yml" file. My practice before modifying any configuration file is to make a copy of it.
root@securitynik-monitoring:/etc/elasticsearch# cd /etc/elasticsearch/
root@securitynik-monitoring:/etc/elasticsearch# cp elasticsearch.yml elasticsearch.yml.ORIGINAL
Here are the values I un-commented and modified to reflect my environment.
root@securitynik-monitoring:~# cat /etc/elasticsearch/elasticsearch.yml | grep --perl-regexp "|||http.port|discovery.seed_hosts|cluster.initial.master_nodes" securitynik.local elastic-
http.port: 9200
discovery.seed_hosts: [""]
cluster.initial_master_nodes: [""]
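As an added check, this is my own script and not part of the original post: a small POSIX shell audit of elasticsearch.yml. Besides echoing the values set above, it flags the combination worth noticing on 7.x, a network.host that is not loopback while xpack.security.enabled is absent or false, which is why the curl later in this post gets a 200 without any credentials. The file path in the usage line and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit an elasticsearch.yml for the
# settings edited above and flag the case a defender cares about most. In 7.x,
# X-Pack security stays off unless xpack.security.enabled is true, so a
# network.host that is not loopback means port 9200 answers anyone on the
# network without credentials.

# es_setting FILE KEY: print the value of a top-level key, skipping commented
# lines and stripping quotes. Prints nothing when the key is not set.
es_setting() {
    awk -v key="$2" '
        BEGIN { k = key ":" }
        $0 !~ /^[[:space:]]*#/ && $1 == k {
            sub(/^[^:]*:[[:space:]]*/, "")
            gsub(/"/, "")
            print
            exit
        }' "$1"
}

# bind_class ADDRESS: "loopback" for the default (_local_) and loopback binds,
# "exposed" for anything else, including Elasticsearch's _site_ and _global_.
bind_class() {
    case "$1" in
        ""|_local_|localhost|::1|127.*) echo loopback ;;
        *) echo exposed ;;
    esac
}

# audit_es_config FILE: returns 0 when the node is loopback-only or has
# security enabled, 1 when it is network-reachable without authentication.
audit_es_config() {
    f="$1"
    host=$(es_setting "$f" network.host)
    port=$(es_setting "$f" http.port)
    sec=$(es_setting "$f" xpack.security.enabled)
    printf 'cluster.name=%s node.name=%s http.port=%s network.host=%s\n' \
        "$(es_setting "$f" cluster.name)" "$(es_setting "$f" node.name)" \
        "${port:-9200}" "${host:-_local_}"
    if [ "$(bind_class "$host")" = loopback ]; then
        echo "OK: HTTP API bound to loopback only"
        return 0
    fi
    if [ "$sec" = true ]; then
        echo "OK: network-reachable, xpack.security.enabled=true"
        return 0
    fi
    echo "WARN: network-reachable with xpack.security.enabled=${sec:-unset}; port ${port:-9200} accepts unauthenticated requests"
    return 1
}

# Usage (path assumed to match this install):
#   audit_es_config /etc/elasticsearch/elasticsearch.yml
```

Run it against the file you just edited; a WARN line is the cue to either keep network.host on loopback until the security settings are in place, or to turn on xpack.security.enabled and set up users before exposing the port.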
Enable and start the Elasticsearch service via "systemctl".
root@securitynik-monitoring:/etc/elasticsearch# systemctl enable --now elasticsearch.service
Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
Created symlink /etc/systemd/system/ → /lib/systemd/system/elasticsearch.service.
Verify that the service is running via "systemctl".
root@securitynik-monitoring:~# systemctl status elasticsearch.service
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2020-08-13 23:05:07 UTC; 4min 27s ago
   Main PID: 18392 (java)
      Tasks: 44 (limit: 4563)
     Memory: 1.2G
     CGroup: /system.slice/elasticsearch.service
             ├─18392 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkad>
             └─18588 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Aug 13 23:04:12 securitynik-monitoring systemd[1]: Starting Elasticsearch...
Aug 13 23:05:07 securitynik-monitoring systemd[1]: Started Elasticsearch.
From the above we see the service is "active (running)". We can further confirm the service is available by using the "ss" or "netstat" command to look for the listening ports.
root@securitynik-monitoring:/etc/elasticsearch# ss --numeric --listen --process --tcp --udp
Netid State  Recv-Q  Send-Q          Local Address:Port   Peer Address:Port Process
tcp   LISTEN 0       4096     [::ffff:]:9200              *:*     users:(("java",pid=18392,fd=267))
tcp   LISTEN 0       4096     [::ffff:]:9300              *:*     users:(("java",pid=18392,fd=253))
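The ss output is the point where you can see which interface Elasticsearch is actually listening on, so here is an added example (mine, not from the original post) that parses saved ss output and classifies the bind address of ports 9200 and 9300. The sample lines and addresses used in the test are constructed; the ports and ss flags are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post: parse saved output of
#   ss --numeric --listen --process --tcp
# and report which address each Elasticsearch port (9200 HTTP, 9300 transport)
# is bound to. Loopback binds are fine; anything else is reachable from the
# network and, on 7.x without xpack.security.enabled, reachable without
# credentials. Returns 1 if any Elasticsearch port is bound off-loopback.
# Usage: es_listeners FILE      or      ss -nltp | es_listeners
es_listeners() {
    awk '
        $2 == "LISTEN" {
            addr = $5
            n = split(addr, parts, ":")
            port = parts[n]
            if (port != "9200" && port != "9300") next
            # strip ":port", the surrounding brackets and the IPv4-mapped prefix
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (substr(host, 1, 1) == "[") host = substr(host, 2, length(host) - 2)
            sub(/^::ffff:/, "", host)
            if (host ~ /^127\./ || host == "::1" || host == "localhost")
                cls = "loopback"
            else if (host == "*" || host == "" || host == "0.0.0.0" || host == "::")
                cls = "all-interfaces"
            else
                cls = "specific"
            printf "%s %s %s\n", port, host, cls
            if (cls != "loopback") exposed = 1
        }
        END { if (exposed) exit 1 }
    ' "${1:-/dev/stdin}"
}
```

Each output line is "port address class". A "specific" or "all-interfaces" class for 9200 means the HTTP API is reachable from other hosts, which is exactly the situation the unauthenticated curl below confirms.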
So far everything suggests we have installed Elasticsearch successfully. Let's now confirm this by connecting to the Elasticsearch URL.
root@securitynik-monitoring:/etc/elasticsearch# curl --request GET --verbose "" --header "User-Agent:"
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying
* Connected to ( port 9200 (#0)
> GET /?pretty HTTP/1.1
> Host:
> Accept: */*
> User-Agent:
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 529
{
  "name" : "elastic-",
  "cluster_name" : "securitynik.local",
  "cluster_uuid" : "_na_",
  "version" : {
    "number" : "7.9.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "b5ca9c58fb664ca8bf9e4057fc229b3396bf3a89",
    "build_date" : "2020-07-21T16:40:44.668009Z",
    "build_snapshot" : false,
    "lucene_version" : "8.6.2",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host left intact
Good stuff! All the tests suggest we have successfully installed Elasticsearch.
See you in the next post where we install and configure Kibana.