How to install Logstash on CentOS, RHEL, or Fedora

Installing Logstash on CentOS, RHEL, or Fedora adds a service-managed event pipeline that can collect, transform, and route logs before they land in Elasticsearch, queues, or other downstream systems. Using the packaged install also keeps upgrades, restarts, and failure recovery aligned with the host's normal systemd workflow.

The current Elastic RPM package installs Logstash under /usr/share/logstash, keeps settings in /etc/logstash, stores pipeline definitions through /etc/logstash/conf.d and /etc/logstash/pipelines.yml, and ships a bundled JDK that usually removes the need for a separate Java package. The package also exposes the local monitoring API through the default 9600-9700 range so service and pipeline state can be checked after startup.

Elastic publishes separate repository tracks by major version, so the repo file should point at the intended series such as 9.x. Package installation does not start Logstash automatically or create a working ingest pipeline, and supported distro releases still follow Elastic's support matrix, so older CentOS Linux hosts may need an earlier stack line or a different install method. The current repo also does not work on older RPM v3-era systems such as CentOS 5.

1. Import the Elastic signing key for RPM packages.

   $ sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

   The key import is normally a one-time host setup for Elastic RPM repositories.

2. Create the Logstash repository file at /etc/yum.repos.d/logstash.repo.

   [logstash-9.x]
   name=Elastic repository for 9.x packages
   baseurl=https://artifacts.elastic.co/packages/9.x/yum
   gpgcheck=1
   gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
   enabled=1
   autorefresh=1
   type=rpm-md

   This is the current 9.x repository stanza from Elastic's Logstash install documentation.

3. Install the Logstash package.

   $ sudo dnf install --assumeyes logstash

   Elastic documents the package install as sudo yum install logstash. On current Fedora, RHEL, and CentOS Stream releases, yum typically fronts dnf, so either command reaches the same repository. The transaction output will show either an x86_64 or aarch64 package depending on the host architecture.

   The package includes a bundled JDK. If policy requires a different Java runtime, export LS_JAVA_HOME before installation so the package can build the correct startup integration.

4. Enable and start the Logstash service.

   $ sudo systemctl enable --now logstash.service
   Created symlink /etc/systemd/system/multi-user.target.wants/logstash.service -> /etc/systemd/system/logstash.service.

   Package installation does not start the service automatically.

   Related: How to manage the Logstash service with systemctl in Linux

5. Confirm the installed Logstash version.

   $ /usr/share/logstash/bin/logstash --version
   logstash 9.3.2

   The current RPM package also places the bundled JDK under /usr/share/logstash/jdk.

6. Verify the service is running.

   $ sudo systemctl status logstash.service --no-pager --lines=0
   ● logstash.service - logstash
        Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
        Active: active (running) since Wed 2026-04-08 00:31:57 UTC; 8s ago
      Main PID: 22164 (java)
   ##### snipped #####

   

   Some RPM hosts report the packaged unit from /usr/lib/systemd/system/logstash.service instead, but the active unit name remains logstash.service.

7. Confirm the monitoring API is responding.

   $ curl -s http://127.0.0.1:9600/?pretty
   {
     "host" : "logstash-01",
     "version" : "9.3.2",
     "http_address" : "127.0.0.1:9600",
     "status" : "green"
   }

   The API binds to 127.0.0.1 by default. Current settings use api.http.host and api.http.port in /etc/logstash/logstash.yml, and the default port range is 9600-9700 if 9600 is already in use.

   Related: How to configure Logstash pipelines