Install Elastic Stack with RPM packages

The RPM packages are suitable for installation on Red Hat, CentOS and other RPM-based systems.

Note

All the commands described below need to be executed with root user privileges.

Preparation

  1. Add the Elastic repository and its GPG key:
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Elasticsearch

Elasticsearch is a highly scalable full-text search and analytics engine. For more information, please see Elasticsearch.

  1. Install the Elasticsearch package:
# yum install elasticsearch-7.9.1
  2. Elasticsearch will only listen on the loopback interface (localhost) by default. To make Elasticsearch listen on a non-loopback address, edit the file /etc/elasticsearch/elasticsearch.yml, uncomment the setting network.host and change its value to the IP address you want it to bind to:

    network.host: <elasticsearch_ip>
    
  3. Further configuration is necessary after changing the network.host option. Add the following lines to the file /etc/elasticsearch/elasticsearch.yml, or uncomment and edit them if they are already present:

    node.name: <node_name>
    cluster.initial_master_nodes: ["<node_name>"]
    
  4. Enable and start the Elasticsearch service:

    • For Systemd:
# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service
    • For SysV Init:
# chkconfig --add elasticsearch
# service elasticsearch start
  5. Once Elasticsearch is up and running, it is recommended to load the Filebeat template. Run the following command on the host where Filebeat was installed:

Note

As mentioned, this command must be run on the Wazuh server.

# filebeat setup --index-management -E setup.template.json.enabled=false

Note

The Elasticsearch service listens on the default port 9200. You can check that it is reachable with the following request:

# curl http://<elasticsearch_ip>:9200
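The network.host, node.name and cluster.initial_master_nodes edits above (and the server.host and elasticsearch.hosts edits in the Kibana section) all follow the same pattern: find the setting, uncomment it if needed, and change its value. The helper below is an added example and is not part of the Wazuh documentation or of the Elastic packages. It assumes the settings are top-level "key: value" lines, as in the stock elasticsearch.yml and kibana.yml, and it takes the file path as an argument so it can be tried on a copy first. It also includes a check that the bind address is neither left at the loopback default (remote hosts cannot reach it) nor set to the wildcard 0.0.0.0 / ::, which exposes the service on every interface of the host.

```shell
#!/bin/sh
# Added example (not part of the Wazuh documentation): helpers to apply the
# guide's "uncomment the setting and change its value" edits to a flat YAML
# file such as /etc/elasticsearch/elasticsearch.yml or /etc/kibana/kibana.yml
# without making the edit twice or leaving a stale commented copy behind.
# Assumptions: settings are top-level "key: value" lines, as in the stock
# config files; the file path is passed explicitly.  Usage:
#   set_yml_setting /etc/elasticsearch/elasticsearch.yml network.host 10.0.0.5
#   get_yml_setting /etc/elasticsearch/elasticsearch.yml network.host
#   check_bind_address /etc/kibana/kibana.yml server.host || echo "fix server.host"
set -eu

# set_yml_setting FILE KEY VALUE
# Replaces the first line holding KEY whether it is active ("key: x") or
# commented out ("# key: x"); appends "KEY: VALUE" if the key is absent.
set_yml_setting() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    # awk -v expands backslash escapes in VALUE; plain IPs, node names and
    # JSON-style lists such as ["node-1"] are unaffected.
    awk -v key="$key" -v value="$value" '
        { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line) }
        !done && index(line, key ":") == 1 { print key ": " value; done = 1; next }
        { print }
        END { if (!done) print key ": " value }
    ' "$file" > "$tmp"
    # Overwrite in place so the original owner and mode are preserved.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_yml_setting FILE KEY
# Prints the active (uncommented) value of KEY, or nothing if it is unset,
# i.e. the service is still at its loopback-only default.
get_yml_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }
    ' "$1"
}

# check_bind_address FILE KEY
# Succeeds only when KEY names a specific address: fails if it is unset
# (loopback-only, so remote hosts cannot reach the service) or set to the
# wildcard 0.0.0.0 / ::, which exposes the service on every interface,
# including ones that should never carry Elasticsearch or Kibana traffic.
check_bind_address() {
    v=$(get_yml_setting "$1" "$2")
    v=${v#\"}; v=${v%\"}   # kibana.yml quotes the value: server.host: "<ip>"
    case "$v" in
        ""|0.0.0.0|"::") return 1 ;;
    esac
    return 0
}
```

Because set_yml_setting rewrites the first matching line instead of appending, running the install procedure a second time does not leave duplicate keys, and get_yml_setting ignores commented lines, so a setting that is still commented out is correctly reported as unset.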

Kibana

Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch. Find more information at Kibana.

  1. Install the Kibana package:

    # yum install kibana-7.9.1
    
  2. Update the optimize and plugins directories permissions:

    # chown -R kibana:kibana /usr/share/kibana/optimize
    # chown -R kibana:kibana /usr/share/kibana/plugins
    
  3. Install the Wazuh app plugin for Kibana:

    • Install from URL:
    # cd /usr/share/kibana/
    # sudo -u kibana bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.13.2_7.9.1.zip
    
    • Install from the package:
    # cd /usr/share/kibana/
    # sudo -u kibana bin/kibana-plugin install file:///path/wazuhapp-3.13.2_7.9.1.zip
    

Note

The path must be readable by other users. For example, the /tmp/ directory satisfies this requirement.

  4. Kibana will only listen on the loopback interface (localhost) by default, which means that it can only be accessed from the same machine. To access Kibana from other hosts, make it listen on its network interface IP: edit the file /etc/kibana/kibana.yml, uncomment the setting server.host and change its value to:
server.host: "<kibana_ip>"
  5. Set the URL or the IP of the Elasticsearch node by editing the file /etc/kibana/kibana.yml:
elasticsearch.hosts: ["http://<elasticsearch_ip>:9200"]
  6. For installations on Kibana 7.6.X versions it is recommended to increase the heap size of Kibana to ensure that Kibana plugins install correctly:
# cat >> /etc/default/kibana << EOF
NODE_OPTIONS="--max_old_space_size=2048"
EOF
  7. Enable and start the Kibana service:
    • For Systemd:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service
    • For SysV Init:
# chkconfig --add kibana
# service kibana start
  8. (Optional) Disable the Elasticsearch repository:

It is recommended to disable the Elasticsearch repository in order to prevent an upgrade to a newer Elastic Stack version, which could undo the changes made by the Wazuh plugin for Kibana. To do this, use the following command:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
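The repository file written in the Preparation step is what makes yum verify package signatures, and the sed command above only flips enabled=1 to enabled=0. The following helpers are an added example, not part of the Wazuh documentation: they audit the repo file (signature checking on, key and packages fetched over HTTPS) and toggle it from either state, so the repo stays disabled across repeated runs and can be re-enabled for a deliberate upgrade. They assume a single-section repo file with key=value lines, as in the guide, and GNU sed (standard on RPM-based systems).

```shell
#!/bin/sh
# Added example (not part of the Wazuh documentation): audit the elastic.repo
# file written in the Preparation step, and switch it on or off the way the
# optional "Disable the Elasticsearch repository" step does.  Assumptions: the
# repo file holds one section with "key=value" lines, as in the guide, and GNU
# sed is available (it is on RPM-based systems).  Usage:
#   repo_audit /etc/yum.repos.d/elastic.repo && repo_set_enabled /etc/yum.repos.d/elastic.repo 0
set -eu

# repo_get FILE KEY: print the value of KEY, or nothing if it is missing.
repo_get() {
    awk -F= -v key="$2" '
        $1 == key { v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v); print v; exit }
    ' "$1"
}

# repo_audit FILE: succeed only if yum will verify package signatures
# (gpgcheck=1) and both the key and the packages are fetched over HTTPS, so a
# tampered mirror or an on-path attacker cannot substitute unsigned packages.
repo_audit() {
    file=$1
    [ "$(repo_get "$file" gpgcheck)" = "1" ] || { echo "$file: gpgcheck is not 1" >&2; return 1; }
    case "$(repo_get "$file" gpgkey)" in
        https://*) ;;
        *) echo "$file: gpgkey is not an HTTPS URL" >&2; return 1 ;;
    esac
    case "$(repo_get "$file" baseurl)" in
        https://*) ;;
        *) echo "$file: baseurl is not an HTTPS URL" >&2; return 1 ;;
    esac
    return 0
}

# repo_set_enabled FILE 0|1: same effect as the guide's
# sed -i "s/^enabled=1/enabled=0/", but works from either state and adds the
# key if it is missing.
repo_set_enabled() {
    if grep -q '^enabled=' "$1"; then
        sed -i "s/^enabled=.*/enabled=$2/" "$1"
    else
        printf 'enabled=%s\n' "$2" >> "$1"
    fi
}
```

Running repo_audit before the yum install steps catches a repo file that was pasted without gpgcheck=1, which would let yum install packages whose signatures were never checked.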

Note

The Kibana service listens on the default port 5601.

Next steps

Once the Wazuh Manager and the Elastic Stack servers are installed and connected, you can install and connect Wazuh agents. Follow this guide and read the instructions for your specific environment.

You can also read the Kibana app user manual to learn more about its features and how to use it.

Uninstall

To uninstall Elasticsearch:

# yum remove elasticsearch

Some files are marked as configuration and data files. Because of this designation, the package manager does not remove them from the filesystem. Removing them completely is the user's responsibility; it can be done by deleting the directories /var/lib/elasticsearch and /etc/elasticsearch.

To uninstall Kibana:

# yum remove kibana

As in the previous case, the remaining files can be removed completely by deleting the directories /var/lib/kibana and /etc/kibana.