Install Elastic Stack with Debian packages¶
The DEB package is suitable for Debian, Ubuntu and other Debian-based systems.
All the commands described below need to be executed with root user privileges.
- Add the Elastic repository and its GPG key:
# apt-get install curl apt-transport-https # curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add - # echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list # apt-get update
Elasticsearch is a highly scalable full-text search and analytics engine. For more information, please see Elasticsearch.
- Install the Elasticsearch package:
# apt-get install elasticsearch=7.5.1
Elasticsearch will only listen on the loopback interface (localhost) by default. Configure Elasticsearch to listen to a non-loopback address by editing the file
/etc/elasticsearch/elasticsearch.ymland uncommenting the setting
network.host. Change the value to the IP you want to bind it to:
Further configuration will be necessary after changing the
network.hostoption. Add or edit (if commented) the following lines in the file
node.name: <node_name> cluster.initial_master_nodes: ["<node_name>"]
Enable and start the Elasticsearch service:
- For Systemd:# systemctl daemon-reload # systemctl enable elasticsearch.service # systemctl start elasticsearch.service
- For SysV Init:# update-rc.d elasticsearch defaults 95 10 # service elasticsearch start
- Once Elasticsearch is up and running, it is recommended to load the Filebeat template. Run the following command where Filebeat was installed:
# filebeat setup --index-management -E setup.template.json.enabled=false
The Elasticsearch service listens on the default port 9200. You can make a simple check by making the following request:
# curl http://<elasticsearch_ip>:9200
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch. Find more information at Kibana.
- Install the Kibana package:
# apt-get install kibana=7.5.1
- Install the Wazuh app plugin for Kibana:
- Install from URL:# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.10.2_7.5.1.zip
- Install from the package:# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install file:///path/wazuhapp-3.10.2_7.5.1.zip
The path should have read permissions for others. E.g: The directory /tmp/ accomplishes this.
- Kibana will only listen on the loopback interface (localhost) by default, which means that it can be only accessed from the same machine. To access Kibana from the outside make it listen on its network IP by editing the file
/etc/kibana/kibana.yml, uncomment the setting
server.host, and change the value to:
- Configure the URLs of the Elasticsearch instances to use for all your queries. By editing the file
- Enable and start the Kibana service:
- For Systemd:# systemctl daemon-reload # systemctl enable kibana.service # systemctl start kibana.service
- For SysV Init:# update-rc.d kibana defaults 95 10 # service kibana start
- (Optional) Disable the Elasticsearch updates:
It is recommended that the Elasticsearch repository be disabled in order to prevent an upgrade to a newer Elastic Stack version due to the possibility of undoing changes with the App. To do this, use the following command:# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list # apt-get update
Alternately, you can set the package state to
hold, which will stop updates (although you can still upgrade it manually using
apt-get install).# echo "elasticsearch hold" | sudo dpkg --set-selections # echo "kibana hold" | sudo dpkg --set-selections
The Kibana service listens on the default port 5601.
Once the Wazuh and Elastic Stack servers are installed and connected, you can install and connect Wazuh agents. Follow this guide and read the instructions for your specific environment.
You can also read the Kibana app user manual to learn more about its features and how to use it.
To uninstall Elasticsearch:
# apt-get remove elasticsearch
There are files marked as configuration and data files. Due to this designation, the package manager doesn’t remove those files from the filesystem. The complete files removal action is a user responsibility. It can be done by removing the folder
To uninstall Kibana:
# apt-get remove kibana
As in the previous case, the complete files removal can be done by removing the folder