Linux
This section provides the installation steps for the Unified Flow Collector. Many users get started using ElastiFlow with the Elastic Stack (Elasticsearch and Kibana). To install and configure both the Elastic Stack and the Unified Flow Collector, step-by-step instructions are provided for both Ubuntu/Debian and RedHat/CentOS.
The Unified Flow Collector can be installed natively on Linux. Packages are currently provided for and supported on the Linux distributions and versions listed in the following table.
| Distribution | Versions |
|---|---|
| Ubuntu/Debian | 18.04 LTS, 20.04 LTS, 22.04 LTS |
| RHEL/CentOS | 7.x, 8.x |
Ubuntu/Debian Installation (deb)
The Debian package for the Unified Flow Collector can be downloaded from here. It can be used for installation on most Debian-based systems such as Debian and Ubuntu.
Downloading the .deb Package
The package can be easily downloaded using wget or curl:
wget https://elastiflow-packages.s3.amazonaws.com/flow-collector/flow-collector_6.2.2_linux_amd64.deb
curl https://elastiflow-packages.s3.amazonaws.com/flow-collector/flow-collector_6.2.2_linux_amd64.deb --output flow-collector_6.2.2_linux_amd64.deb
Installing the Package
There are two methods to install the Unified Flow Collector package, apt or dpkg. The collector requires that libpcap-dev also be installed. This dependency will be installed automatically when using apt, but must be install manually if using dpkg.
Using apt
sudo apt install ./flow-collector_6.2.2_linux_amd64.deb
Using dpkg
Verify libpcap-dev is installed:
sudo dpkg-query -l | grep libpcap-dev
If installed the output will look similar to the follow:
ii libpcap-dev:amd64 1.9.1-3 amd64 development library for libpcap (transitional package)
Install the Unified Flow Collector:
sudo dpkg -i flow-collector_6.2.2_linux_amd64.deb
RedHat/CentOS Installation (rpm)
The RPM package for the Unified Flow Collector can be downloaded from here. It can be used for installation on most RedHat-based systems such as RHEL and CentOS.
Downloading the .rpm Package
The package can be easily downloaded using wget or curl:
wget https://elastiflow-packages.s3.amazonaws.com/flow-collector/flow-collector-6.2.2-1.x86_64.rpm
curl https://elastiflow-packages.s3.amazonaws.com/flow-collector/flow-collector-6.2.2-1.x86_64.rpm --output flow-collector-6.2.2-1.x86_64.rpm
Installing the .rpm Package
The Unified Flow Collector package can be installed using yum. The collector requires that libpcap-devel also be installed.
Install libpcap & libpcap-devel on RHEL/CentOS 7.x
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libpcap-1.5.3-12.el7.x86_64.rpm
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libpcap-devel-1.5.3-12.el7.x86_64.rpm
sudo yum install -y ./libpcap-1.5.3-12.el7.x86_64.rpm
sudo yum install -y ./libpcap-devel-1.5.3-12.el7.x86_64.rpm
Install libpcap & libpcap-devel on RHEL/CentOS 8.x
sudo dnf --enablerepo=powertools install libpcap -y
sudo dnf --enablerepo=powertools install libpcap-devel -y
Install/Upgrade the Package
If installing the Unified Flow Collector package for the first time, i.e. NOT upgrading, run the following:
sudo yum install -y flow-collector-6.2.2-1.x86_64.rpm
If upgrading from a previously installed the Unified Flow Collector package, run the following:
sudo rpm -Uhv flow-collector-6.2.2-1.x86_64.rpm
Configuration
The Unified Flow Collector will be installed to run as a daemon manged by systemd. Configuration of the collector is provided via environment variables and, depending on the enabled options, via various configuration files which by default are located within /etc/elastiflow.
To configure the environment variables, edit the file /etc/systemd/system/flowcoll.service.d/flowcoll.conf. For details on all of the configuration options, please refer to the Configuration Reference.
Running the Collector
To start the collector, execute the follow commands:
sudo systemctl daemon-reload && sudo systemctl start flowcoll.service
To ensure the collector has started and is running, execute:
sudo systemctl status flowcoll.service
The collector can be stopped using:
sudo systemctl stop flowcoll.service
If you want the collector to be started automatically when the system is booted, it must be enabled:
sudo systemctl enable flowcoll.service