Linux
This section provides the installation steps for the ElastiFlow™ Unified Collector. Many users get started using ElastiFlow™ with the Elastic Stack (Elasticsearch and Kibana). To install and configure both the Elastic Stack and the ElastiFlow™ Unified Collector, step-by-step instructions are provided for both Ubuntu/Debian and RedHat/CentOS.
The ElastiFlow™ Unified Collector can be installed natively on Linux. Packages are currently provided for and supported on the Linux distributions and versions listed in the following table.
| Distribution | Versions |
|---|---|
| Ubuntu/Debian | 18.04 LTS, 20.04 LTS |
| RHEL/CentOS | 7.x, 8.x |
Ubuntu/Debian Installation (deb)
The Debian package for the Unified Collector can be downloaded from here. It can be used for installation on most Debian-based systems such as Debian and Ubuntu.
Downloading the .deb Package
The package can be easily downloaded using wget or curl:
wget https://elastiflow-packages.s3.amazonaws.com/flow-collector/flow-collector_6.0.1_linux_amd64.deb
curl https://elastiflow-packages.s3.amazonaws.com/flow-collector/flow-collector_6.0.1_linux_amd64.deb --output flow-collector_6.0.1_linux_amd64.deb
Installing the Package
There are two methods to install Unified Collector package, apt or dpkg. The collector requires that libpcap-dev also be installed. This dependency will be installed automatically when using apt, but must be install manually if using dpkg.
Using apt
sudo apt install ./flow-collector_6.0.1_linux_amd64.deb
Using dpkg
Verify libpcap-dev is installed:
sudo dpkg-query -l | grep libpcap-dev
If installed the output will look similar to the follow:
ii libpcap-dev:amd64 1.9.1-3 amd64 development library for libpcap (transitional package)
Install the Unified Collector:
sudo dpkg -i flow-collector_6.0.1_linux_amd64.deb
RedHat/CentOS Installation (rpm)
The RPM package for the Unified Collector can be downloaded from here. It can be used for installation on most RedHat-based systems such as RHEL and CentOS.
Downloading the .rpm Package
The package can be easily downloaded using wget or curl:
wget https://elastiflow-packages.s3.amazonaws.com/flow-collector/flow-collector-6.0.1-1.x86_64.rpm
curl https://elastiflow-packages.s3.amazonaws.com/flow-collector/flow-collector-6.0.1-1.x86_64.rpm --output flow-collector-6.0.1-1.x86_64.rpm
Installing the .rpm Package
The Unified Collector package can be installed using yum. The collector requires that libpcap-devel also be installed.
Install libpcap & libpcap-devel on RHEL/Centos 7.x
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libpcap-1.5.3-12.el7.x86_64.rpm
wget http://mirror.centos.org/centos/7/os/x86_64/Packages/libpcap-devel-1.5.3-12.el7.x86_64.rpm
sudo yum install -y ./libpcap-1.5.3-12.el7.x86_64.rpm
sudo yum install -y ./libpcap-devel-1.5.3-12.el7.x86_64.rpm
Install libpcap & libpcap-devel on RHEL/Centos 8.x
sudo dnf --enablerepo=powertools install libpcap -y
sudo dnf --enablerepo=powertools install libpcap-devel -y
Install/Upgrade the Package
If installing the Unified Collector package for the first time, i.e. NOT upgrading, run the following:
sudo yum install -y flow-collector-6.0.1-1.x86_64.rpm
If upgrading from a previously installed Unified Collector package, run the following:
sudo rpm -Uhv flow-collector-6.0.1-1.x86_64.rpm
Configuration
The Unified Collector will be installed to run as a daemon manged by systemd. Configuration of the collector is provided via environment variables and, depending on the enabled options, via various configuration files which by default are located within /etc/elastiflow.
To configure the environment variables, edit the file /etc/systemd/system/flowcoll.service.d/flowcoll.conf. For details on all of the configuration options, please refer to the Configuration Reference.
Running the Collector
To start the collector, execute the follow commands:
sudo systemctl daemon-reload && sudo systemctl start flowcoll.service
To ensure the collector has started and is running, execute:
sudo systemctl status flowcoll.service
The collector can be stopped using:
sudo systemctl stop flowcoll.service
If you want the collector to be started automatically when the system is booted, it must be enabled:
sudo systemctl enable flowcoll.service