Install Elastic Stack with RPM packages
The RPM packages are suitable for installation on Red Hat, CentOS and other RPM-based systems.
Note
Many of the commands described below need to be executed with root user privileges.
Preparation
Oracle Java JRE 8 is required by Logstash and Elasticsearch.
Note
The following command accepts the necessary cookies to download Oracle Java JRE. Please visit the Oracle Java 8 JRE Download Page for more information.
# curl -Lo jre-8-linux-x64.rpm --header "Cookie: oraclelicense=accept-securebackup-cookie" "https://download.oracle.com/otn-pub/java/jdk/8u172-b11/a58eab1ec242421181065cdc37240b08/jre-8u172-linux-x64.rpm"
Now, check whether the package was downloaded successfully:
# rpm -qlp jre-8-linux-x64.rpm > /dev/null 2>&1 && echo "Java package downloaded successfully" || echo "Java package did not download successfully"
Finally, install the RPM package using yum and remove the downloaded file:
# yum install jre-8-linux-x64.rpm
# rm jre-8-linux-x64.rpm
Install the Elastic repository and its GPG key:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
Elasticsearch
Elasticsearch is a highly scalable full-text search and analytics engine. For more information, please see Elasticsearch.
Install the Elasticsearch package:
# yum install elasticsearch-6.2.4
Enable and start the Elasticsearch service:
For Systemd:
# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service
For SysV Init:
# chkconfig --add elasticsearch
# service elasticsearch start
It is important to wait until the Elasticsearch server finishes starting. Check the current status with the following command, which should give you a response like the one shown below:
# curl localhost:9200/?pretty
{
  "name" : "5urh-FJ",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "B5rXKBg2Tr-KWwFdbDHJQg",
  "version" : {
    "number" : "6.2.4",
    "build_hash" : "7299dc3",
    "build_date" : "2018-02-07T19:34:26.990113Z",
    "build_snapshot" : false,
    "lucene_version" : "7.2.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
Load the Wazuh template for Elasticsearch:
# curl https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -XPUT 'http://localhost:9200/_template/wazuh' -H 'Content-Type: application/json' -d @-
Note
It is recommended that the default configuration be edited to improve the performance of Elasticsearch. To do so, please see Elasticsearch tuning.
Logstash
Logstash is the tool that collects, parses, and forwards data to Elasticsearch for indexing and storage of all logs generated by the Wazuh server. For more information, please see Logstash.
Install the Logstash package:
# yum install logstash-6.2.4
Download the Wazuh configuration file for Logstash:
Local configuration (only in a single-host architecture):
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/logstash/01-wazuh-local.conf
Because the Logstash user needs to read the alerts.json file, add it to the ossec group by running:
# usermod -a -G ossec logstash
Remote configuration (only in a distributed architecture):
# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.2/extensions/logstash/01-wazuh-remote.conf
Note
Follow the next steps if you use CentOS-6/RHEL-6 or Amazon AMI (on these systems Logstash uses Upstart as its service manager and the generated service needs to be fixed; see this bug):
Edit the file /etc/logstash/startup.options, changing line 30 from LS_GROUP=logstash to LS_GROUP=ossec.
Update the service with the new parameters by running the command /usr/share/logstash/bin/system-install.
Restart Logstash.
Enable and start the Logstash service:
For Systemd:
# systemctl daemon-reload
# systemctl enable logstash.service
# systemctl start logstash.service
For SysV Init:
# chkconfig --add logstash
# service logstash start
Note
If you are running the Wazuh server and the Elastic Stack server on separate systems (distributed architecture), it is important to configure encryption between Filebeat and Logstash. To do so, please see Setting up SSL for Filebeat and Logstash.
Kibana
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch. Find more information at Kibana.
Install the Kibana package:
# yum install kibana-6.2.4
Install the Wazuh App plugin for Kibana:
Increase the default Node.js heap memory limit to prevent out of memory errors when installing the Wazuh App. Set the limit as follows:
# export NODE_OPTIONS="--max-old-space-size=3072"
Install the Wazuh App:
# /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.2.4_6.2.4.zip
Warning
The Kibana plugin installation process may take several minutes. Please wait patiently.
Note
If you want to download a different Wazuh App plugin for another version of Wazuh or Elastic Stack, check the table available at GitHub and use the appropriate installation command.
Optional. Kibana will only listen on the loopback interface (localhost) by default. To set up Kibana to listen on all interfaces, edit the file /etc/kibana/kibana.yml, uncommenting the setting server.host. Change the value to:
server.host: "0.0.0.0"
Note
It is recommended that an Nginx proxy be set up for Kibana in order to use SSL encryption and to enable authentication. Instructions to set up the proxy can be found at Setting up SSL and authentication for Kibana.
Enable and start the Kibana service:
For Systemd:
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service
For SysV Init:
# chkconfig --add kibana
# service kibana start
Disable the Elasticsearch repository:
It is recommended that the Elasticsearch repository be disabled in order to prevent an unintended upgrade to a newer Elastic Stack version, which could break compatibility with the Wazuh App. To do this, use the following command:
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
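A post-installation verification script, added here as an example and not part of Wazuh's own tooling: it checks that the Elastic repository file still enforces GPG signature verification and has been disabled as the last step requires, extracts the version number from the Elasticsearch status response so it can be compared with the 6.2.4 packages the App was built for, and confirms the logstash user's ossec group membership. The file paths and port are those used above; the --live flag, check names and REPO_FILE/ES_URL variables are my own.

```shell
#!/bin/sh
# Post-install checks for the RPM procedure above (Wazuh 3.2, Elastic 6.2.4).
# Added example, not part of Wazuh's own tooling; paths and ports are the
# page's. Each check returns 0 (pass) or 1 (fail) so it can be scripted.
REPO_FILE="${REPO_FILE:-/etc/yum.repos.d/elastic.repo}"
ES_URL="${ES_URL:-http://localhost:9200}"
EXPECTED_ES_VERSION="6.2.4"

# Read key=value from a yum .repo file (last occurrence wins).
repo_get() {            # $1 = repo file, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# After the final step on the page the repo must still verify package
# signatures (gpgcheck=1 plus a gpgkey) but be disabled, so a routine
# "yum update" cannot silently move the stack past what the App supports.
check_repo() {          # $1 = repo file
    [ "$(repo_get "$1" gpgcheck)" = "1" ] || return 1
    [ -n "$(repo_get "$1" gpgkey)" ]      || return 1
    [ "$(repo_get "$1" enabled)" = "0" ]
}

# Pull version.number out of the JSON that curl localhost:9200/?pretty returns.
es_version_of() {       # $1 = JSON text
    printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Poll until Elasticsearch answers (the page says to wait for it to start),
# then confirm the running version is the one the App was built for.
check_es_live() {       # $1 = seconds to wait
    json=""; i=0
    while [ "$i" -lt "$1" ]; do
        json=$(curl -sf "$ES_URL/?pretty" 2>/dev/null) && break
        i=$((i + 1)); sleep 1
    done
    [ "$(es_version_of "$json")" = "$EXPECTED_ES_VERSION" ]
}

# Logstash can only read alerts.json through its ossec group membership.
check_logstash_group() {
    id -nG logstash 2>/dev/null | tr ' ' '\n' | grep -qx ossec
}

if [ "${1:-}" = "--live" ]; then   # sh check.sh --live on the installed host
    for c in "check_repo $REPO_FILE" "check_es_live 60" check_logstash_group; do
        if $c; then echo "PASS: $c"; else echo "FAIL: $c"; fi
    done
fi
```

Run it with --live on the installed host; without the flag it only defines the checks so they can be sourced from other scripts.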