Install Elastic Stack Server
The deployment of the Elastic Stack server involves the installation of Elasticsearch and Kibana services. In the repository of Ansible that Wazuh has we can find the playbooks and roles necessary to carry out the installation. The Ansible server must have access to the Elastic Stack server.
Note
Following the example we started in the previous sections, we have added a second host to the /etc/ansible/hosts file, in this case the operating system is Ubuntu 17 and we need to indicate the path of the Python interpreter.
192.168.0.180 ansible_ssh_user=centos
192.168.0.108 ansible_ssh_user=elk ansible_python_interpreter=/usr/bin/python3
ansible@ansible:/etc/ansible/wazuh-ansible$ ansible all -m ping
.. code-block:: none
:class: output
192.168.0.108 | SUCCESS => {
"changed": false,
"ping": "pong"
}
192.168.0.180 | SUCCESS => {
"changed": false,
"ping": "pong"
}
1 - Access to wazuh-ansible
1.1 - We access the directory where we have cloned the repository from our Ansible server.
ansible@ansible:/etc/ansible/roles/wazuh-ansible$ ls
CHANGELOG.md playbooks README.md roles VERSION
We can see the roles we have.
ansible@ansible:/etc/ansible/roles/wazuh-ansible$ tree roles -d
roles
├── ansible-galaxy
│ └── meta
├── elastic-stack
│ ├── ansible-elasticsearch
│ │ ├── defaults
│ │ ├── handlers
│ │ ├── meta
│ │ ├── tasks
│ │ └── templates
│ └── ansible-kibana
│ ├── defaults
│ ├── handlers
│ ├── meta
│ ├── tasks
│ └── templates
└── wazuh
├── ansible-filebeat
│ ├── defaults
│ ├── handlers
│ ├── meta
│ ├── tasks
│ ├── templates
│ └── tests
├── ansible-wazuh-agent
│ ├── defaults
│ ├── handlers
│ ├── meta
│ ├── tasks
│ ├── templates
│ └── vars
└── ansible-wazuh-manager
├── defaults
├── handlers
├── meta
├── tasks
├── templates
└── vars
And we can see the preconfigured playbooks we have.
ansible@ansible:/etc/ansible/roles/wazuh-ansible$ tree playbooks/
playbooks/
├── wazuh-agent.yml
├── wazuh-elastic_stack-distributed.yml
├── wazuh-elastic_stack-single.yml
├── wazuh-elastic.yml
├── wazuh-kibana.yml
└── wazuh-manager.yml
Using Elasticsearch and Kibana roles we will install and configure the Elastic Stack server components, there are several variables we can use to customize the installation or configuration. To consult the default configuration go to this section.
If we want to change the default configuration we can change the following files:
- /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch/defaults/main.yml
- /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana/defaults/main.yml
We also can create another YAML file only with the content we want to change the configuration for each role. We can find more information here:
Elasticsearch role.
Kibana role.
Let's see below, the content of the playbooks /etc/ansible/wazuh-elastic.yml.
- hosts: <your elasticsearch host>
roles:
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'your elasticsearch IP' }
- hosts: <your kibana host>
roles:
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'your elasticsearch IP' }
These files are designed to run the installations of each service individually.
Let's take a closer look at the content.
The first line hosts: indicates the machines where the commands below will be executed.
The roles: section indicates the roles that will be executed on the hosts.
2 - Preparing the playbook
We could configure these three files and execute them, but we are going to create a single file that executes the installation of the services in our Elastic Stack Server.
ansible@ansible:/etc/ansible/wazuh-ansible$ cat wazuh-elk.yml
- hosts: 192.168.0.108
roles:
- { role: role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-elasticsearch, elasticsearch_network_host: 'localhost' }
- { role: /etc/ansible/roles/wazuh-ansible/roles/elastic-stack/ansible-kibana, elasticsearch_network_host: 'localhost' }
As we can see, we have added the IP address of our Elastic Stack server to the hosts entry.
3 - Running the playbook
It seems that we are ready to run the playbook and start the installation, but some of the operations we will perform on the remote systems will need sudo permissions. We can solve this in several ways, opting to enter the password when Ansible requests it. To contemplate other options we consult the option become (to avoid entering passwords one by one).
3.1 - Let's launch the playbook run.
We use the
-boption to indicate that we are going to become a super user.We use the
-Koption to indicate Ansible to ask for the password.
ansible@ansible:/etc/ansible/roles/wazuh-ansible/playbooks$ ansible-playbook wazuh-elk.yml -b -K
Note
The installation of the Wazuh application for Kibana may take some time.
We will obtain a final result similar to the one shown in the following code block.
TASK [ansible-role-kibana : Make sure Elasticsearch is running before proceeding.] ************************************************************************
ok: [192.168.0.108]
TASK [ansible-role-kibana : Reload systemd] ***************************************************************************************************************
ok: [192.168.0.108]
TASK [ansible-role-kibana : Kibana configuration] *********************************************************************************************************
changed: [192.168.0.108]
TASK [ansible-role-kibana : Checking Wazuh-APP version] ***************************************************************************************************
ok: [192.168.0.108]
TASK [ansible-role-kibana : Removing old Wazuh-APP] *******************************************************************************************************
skipping: [192.168.0.108]
TASK [ansible-role-kibana : Removing bundles] *************************************************************************************************************
skipping: [192.168.0.108]
TASK [ansible-role-kibana : Install Wazuh-APP (can take a while)] *****************************************************************************************
changed: [192.168.0.108]
TASK [ansible-role-kibana : Ensure Kibana started and enabled] ********************************************************************************************
changed: [192.168.0.108]
TASK [ansible-role-kibana : Remove Elasticsearch repository (and clean up left-over metadata)] ************************************************************
skipping: [192.168.0.108]
TASK [ansible-role-kibana : Debian/Ubuntu | Removing Elasticsearch repository] ****************************************************************************
ok: [192.168.0.108]
RUNNING HANDLER [ansible-role-elasticsearch : restart elasticsearch] **************************************************************************************
changed: [192.168.0.108]
RUNNING HANDLER [ansible-role-kibana : restart kibana] ****************************************************************************************************
changed: [192.168.0.108]
PLAY RECAP ************************************************************************************************************************************************
192.168.0.108 : ok=43 changed=23 unreachable=0 failed=0
ansible@ansible:/etc/ansible/wazuh-ansible$
We can check the status of our new services in our Elastic Stack server.
Elasticsearch.
root@elk:/home/elk# systemctl status elasticsearch.service
● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/elasticsearch.service.d
└─elasticsearch.conf
Active: active (running) since Thu 2018-09-13 16:51:59 CEST; 5min ago
Kibana
root@elk:/home/elk# systemctl status kibana.service
● kibana.service - Kibana
Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2018-09-13 16:53:32 CEST; 4min 58s ago
Once the Wazuh API is registered we can access it through our Kibana portal.
