All the commands described below need to be executed with root user privileges.
Elasticsearch's cluster feature allows configuring a group of server nodes working together to grant a higher availability service and a data loss prevention mechanism. In case any of the nodes fails, the rest will recover its information.
In this example, a cluster of three nodes will be configured, which is the minimum number of nodes recommended.
First of all, it is necessary to configure all Elasticsearch nodes as previously done at Elastic Stack installation guide.
Once all Elasticsearch machines are up and running, the following configuration is required on each of them by editing
/etc/elasticsearch/elasticsearch.ymlto set up the cluster:
cluster.name: elastic-cluster node.name: <node_name> network.host: <elasticsearch_ip> discovery.seed_hosts: - <elasticsearch_ip_node1> - <elasticsearch_ip_node2> - <elasticsearch_ip_node3> cluster.initial_master_nodes: - <master_node_1> - <master_node_2> - <master_node_3>
To apply the changes, restart Elasticsearch:
For systemd:# systemctl restart elasticsearch.service
For SysV Init:# service elasticsearch.service restart
It is necessary to modify the Filebeat configuration file located at
/etc/filebeat/filebeat.ymlwhere Filebeat was installed.
output.elasticsearch: hosts: ['http://<elasticsearch_ip_node1>:9200','http://<elasticsearch_ip_node2>:9200','http://<elasticsearch_ip_node3>:9200'] loadbalance: true
Restart the Filebeat service:
For systemd:# systemctl restart filebeat.service
For SysV Init:# service filebeat.service restart
Once the Elasticsearch cluster is working, it is recommended to load the Filebeat template. Run the following command where Filebeat was installed:
# filebeat setup --index-management -E setup.template.json.enabled=false
Configure the URLs of the Elasticsearch instances to use for all your queries. By editing the file
All nodes listed here must be on the same cluster.
Restart the Kibana service:
For systemd:# systemctl restart kibana.service
For SysV Init:# service kibana.service restart
Once the Wazuh and Elastic Stack servers are installed and connected, you can install and connect Wazuh agents. Follow this guide and read the instructions for your specific environment.