Installing Elasticsearch and Kibana on CentOS Stream 9: Tips for Handling SELinux and Firewalld

CentOS tutorial - IT technology blog
CentOS tutorial - IT technology blog

Why You Should Ditch Traditional ‘grep’ for ELK

If you’ve ever stayed up all night running grep to hunt down a single error line buried in 50GB of logs scattered across 5 servers, you know the frustration. When I first started as a SysAdmin, I wasted an entire morning just tracking down the root cause of one minor system error. When our company migrated from CentOS 7 to CentOS Stream 9, I deployed Elasticsearch and Kibana to put an end to that nightmare.

Elasticsearch is a powerful search engine built on Lucene, capable of processing millions of records per second. Kibana serves as the visualization layer, turning raw data into intuitive dashboards and charts. On CentOS Stream 9, SELinux and Firewalld enforce strict security policies. Without a solid grasp of how to configure them, you’ll quickly run into Permission denied or Connection refused errors.

Installing Elasticsearch and Kibana

CentOS 9’s default repositories don’t include Elastic packages. We’ll add the official repository to install the latest 8.x version.

Step 1: Set Up the Repository

First, import the GPG key so the system trusts packages from Elastic:

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Next, create the repo configuration file:

sudo vi /etc/yum.repos.d/elasticsearch.repo

Paste the following content into the file. Note that we’re using version 8.x:

[elasticsearch]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Step 2: Install and Prepare Resources

Install both packages using DNF:

sudo dnf install elasticsearch kibana -y

Warning: Elasticsearch is quite memory-hungry. Make sure your server has at least 4GB of RAM. After installation, the terminal will display the password for the elastic user. Copy it to a safe place immediately — it only appears once.

Real-World Configuration: Overcoming SELinux and Firewalld

This is the most critical part to get a working system in practice, not just on paper.

Configuring Elasticsearch

Open /etc/elasticsearch/elasticsearch.yml. For a single-node setup, adjust the following parameters:

network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node

Setting network.host: 0.0.0.0 makes the node listen on all interfaces. Don’t worry too much about security at this point — we’ll use Firewalld to restrict IP access later.

Handling SELinux Properly

CentOS Stream 9 runs SELinux in Enforcing mode. To prevent Elasticsearch from failing to start due to blocked write permissions on its log and data directories, apply the correct SELinux file contexts:

sudo semanage fcontext -a -t elasticsearch_log_t "/var/log/elasticsearch(/.*)?"
sudo restorecon -Rv /var/log/elasticsearch/
sudo semanage fcontext -a -t elasticsearch_data_t "/var/lib/elasticsearch(/.*)?"
sudo restorecon -Rv /var/lib/elasticsearch/

Opening Ports in Firewalld

Only open the two necessary ports: 9200 (API) and 5601 (Web UI). If possible, use --add-source to restrict access to internal IPs only:

sudo firewall-cmd --permanent --add-port=9200/tcp
sudo firewall-cmd --permanent --add-port=5601/tcp
sudo firewall-cmd --reload

Testing and Enabling Services

Start the services and configure them to run automatically on boot:

sudo systemctl daemon-reload
sudo systemctl enable --now elasticsearch kibana

To verify Elasticsearch is up and running, use curl (replace your_password with the actual password):

curl -u elastic -k https://localhost:9200

If you see a JSON response containing "tagline": "You Know, for Search", you’re 90% of the way there.

Accessing the Kibana Interface

Open your browser and navigate to: http://<Server-IP>:5601. Kibana will prompt you for an Enrollment Token. If you forgot to save it during installation, generate a new one with:

sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

Next, to retrieve the verification code from the Kibana logs, run:

sudo journalctl -u kibana | grep "verification code"

Once you’ve entered the code, you’re ready to start shipping logs from Filebeat. Deploying ELK on CentOS 9 not only delivers efficient log management — it’s also a great opportunity to build real security thinking skills through hands-on SELinux configuration. Good luck building your stack, and may you never lose sleep over logs again.

Share: