The RPM packages are suitable for installation on Red Hat, CentOS and other RPM-based systems.
All the commands described below need to be executed with root user privileges.
Add the Elastic repository and its GPG key:
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch # cat > /etc/yum.repos.d/elastic.repo << EOF [elasticsearch-7.x] name=Elasticsearch repository for 7.x packages baseurl=https://artifacts.elastic.co/packages/7.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md EOF
Elasticsearch is a highly scalable full-text search and analytics engine. For more information, please see Elasticsearch.
Install the Elasticsearch package:
# yum install elasticsearch-7.9.2
Elasticsearch will only listen on the loopback interface (localhost) by default. Configure Elasticsearch to listen to a non-loopback address by editing the file
/etc/elasticsearch/elasticsearch.ymland uncommenting the setting
network.host. Change the value to the IP you want to bind it to:
Further configuration will be necessary after changing the
network.hostoption. Add or edit (if commented) the following lines in the file
node.name: <node_name> cluster.initial_master_nodes: ["<node_name>"]
Enable and start the Elasticsearch service:
For Systemd:# systemctl daemon-reload # systemctl enable elasticsearch.service # systemctl start elasticsearch.service
For SysV Init:# chkconfig --add elasticsearch # service elasticsearch start
Once Elasticsearch is up and running, it is recommended to load the Filebeat template. Run the following command where Filebeat was installed:
As mentioned, this command must be run in the Wazuh server.# filebeat setup --index-management -E setup.template.json.enabled=false
The Elasticsearch service listens on the default port 9200. You can make a simple check by making the following request:
# curl http://<elasticsearch_ip>:9200
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch. Find more information at Kibana.
Install the Kibana package:
# yum install kibana-7.9.2
# chown -R kibana:kibana /usr/share/kibana/optimize # chown -R kibana:kibana /usr/share/kibana/plugins
Install the Wazuh app plugin for Kibana:
Install from URL:
# cd /usr/share/kibana/ # sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.6_7.9.2.zip
Install from the package:
# cd /usr/share/kibana/ # sudo -u kibana bin/kibana-plugin install file:///path/wazuhapp-3.13.6_7.9.2.zip
The path should have read permissions for others. E.g: The directory /tmp/ accomplishes this.
Kibana will only listen on the loopback interface (localhost) by default, which means that it can only be accessed from the same machine. To access Kibana from the outside, make it listen on its network interface IP by editing the file
/etc/kibana/kibana.yml, uncomment the setting
server.host, and change the value to:
Set the URL or the IP of the Elasticsearch node by editing the file
For installations on Kibana 7.6.X versions it is recommended to increase the heap size of Kibana to ensure the Kibana's plugins installation:
# cat >> /etc/default/kibana << EOF NODE_OPTIONS="--max_old_space_size=2048" EOF
Enable and start the Kibana service:
For Systemd:# systemctl daemon-reload # systemctl enable kibana.service # systemctl start kibana.service
For SysV Init:# chkconfig --add kibana # service kibana start
(Optional) Disable the Elasticsearch repository:
It is recommended that the Elasticsearch repository to be disabled in order to prevent an upgrade to a newer Elastic Stack version due to the possibility of undoing changes with the Wazuh plugin for Kibana. To do this, use the following command:# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
The Kibana service listens on the default port 5601.
Once the Wazuh Manager and the Elastic Stack servers are installed and connected, you can install and connect Wazuh agents. Follow this guide and read the instructions for your specific environment.
You can also read the Kibana app user manual to learn more about its features and how to use it.
To uninstall Elasticsearch:
# yum remove elasticsearch
There are files marked as configuration and data files. Due to this designation, the package manager doesn't remove those files from the filesystem. The complete files removal action is a user responsibility. It can be done by removing the folder
To uninstall Kibana:
# yum remove kibana
As in the previous case, the complete files removal can be done by removing the folder