Install Elastic Stack with Debian packages

The DEB package is suitable for Debian, Ubuntu and other Debian-based systems.

Note

Many of the commands described below need to be executed with root user privileges.

Preparation

  1. Oracle Java JRE or OpenJDK 8 is required by Logstash and Elasticsearch:

     a. For Debian >= 8/Jessie or Ubuntu >= 16.04/Xenial:

# apt-get update
# apt-get install openjdk-8-jre

     b. For Debian < 8/Jessie:

# echo "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main" | tee /etc/apt/sources.list.d/webupd8team-java.list
# apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
# apt-get update
# apt-get install oracle-java8-installer

     c. For Ubuntu < 16.04/Xenial:

# add-apt-repository ppa:webupd8team/java
# apt-get update
# apt-get install oracle-java8-installer

  2. Install the Elastic repository and its GPG key:

# apt-get install curl apt-transport-https
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
# echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update

Elasticsearch

Elasticsearch is a highly scalable full-text search and analytics engine. For more information, please see Elasticsearch.

  1. Install the Elasticsearch package:

# apt-get install elasticsearch=6.5.4

  2. Enable and start the Elasticsearch service:

     a. For Systemd:

# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service

     b. For SysV Init:

# update-rc.d elasticsearch defaults 95 10
# service elasticsearch start

It's important to wait until the Elasticsearch server finishes starting. Check the current status with the following command, which should return a response like the one shown below:

# curl "http://localhost:9200/?pretty"

{
  "name" : "Zr2Shu_",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "M-W_RznZRA-CXykh_oJsCQ",
  "version" : {
    "number" : "6.5.4",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "053779d",
    "build_date" : "2018-07-20T05:20:23.451332Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
  3. Load the Wazuh template for Elasticsearch:

Warning

The Wazuh app for Kibana needs the Elasticsearch template in order to work properly, so it's important to make sure that it was properly inserted.

# curl https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/elasticsearch/wazuh-elastic6-template-alerts.json | curl -X PUT "http://localhost:9200/_template/wazuh" -H 'Content-Type: application/json' -d @-
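As an added check for the two steps above (waiting for Elasticsearch to finish starting, and making sure the Wazuh template was really inserted), the following script is not part of the Wazuh documentation; it assumes Elasticsearch is reachable on localhost:9200, the 6.5.4 version pinned in this guide, and a host with only curl, sed and grep (no jq).

```shell
#!/bin/sh
# Added example, not from the Wazuh docs: poll Elasticsearch until it answers,
# confirm it reports the pinned version, and verify the Wazuh index template
# was stored. Assumes ES on localhost:9200 and version 6.5.4 (both overridable).
ES_URL="${ES_URL:-http://localhost:9200}"
EXPECTED_VERSION="${EXPECTED_VERSION:-6.5.4}"

# Extract version.number from the JSON that GET / returns (pretty or compact).
es_version_from_json() {
    printf '%s\n' "$1" | sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed only when the node reports the expected version.
es_version_ok() {
    [ "$(es_version_from_json "$1")" = "$EXPECTED_VERSION" ]
}

# Succeed only when GET /_template/wazuh returned the template;
# Elasticsearch answers {} (with HTTP 404) when the template is missing.
wazuh_template_present() {
    printf '%s\n' "$1" | grep -q '"wazuh"[[:space:]]*:'
}

# Retry GET / every 2 seconds; the node keeps refusing connections for a
# while after `service elasticsearch start`.
wait_for_es() {
    tries="${1:-30}"
    while [ "$tries" -gt 0 ]; do
        body="$(curl -s "$ES_URL/?pretty" 2>/dev/null)" && es_version_ok "$body" && return 0
        tries=$((tries - 1))
        sleep 2
    done
    return 1
}

# Run the live checks only when invoked as: sh es-check.sh --check
if [ "${1:-}" = "--check" ]; then
    wait_for_es 30 || { echo "Elasticsearch $EXPECTED_VERSION not reachable at $ES_URL" >&2; exit 1; }
    wazuh_template_present "$(curl -s "$ES_URL/_template/wazuh")" \
        || { echo "Wazuh template missing: reload it before installing the Kibana app" >&2; exit 1; }
    echo "Elasticsearch $EXPECTED_VERSION is up and the wazuh template is loaded"
fi
```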

Note

It is recommended that the default configuration be edited to improve the performance of Elasticsearch. To do so, please see Elasticsearch tuning.

Logstash

Logstash is the tool that collects, parses, and forwards data to Elasticsearch for indexing and storage of all logs generated by the Wazuh server. For more information please see Logstash.

  1. Install the Logstash package:

# apt-get install logstash=1:6.5.4-1

  2. Download the Wazuh configuration file for Logstash:

     a. Local configuration (only in a single-host architecture):

# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/logstash/01-wazuh-local.conf

        Because the Logstash user needs to read the alerts.json file, add it to the ossec group by running:

# usermod -a -G ossec logstash

     b. Remote configuration (only in a distributed architecture):

# curl -so /etc/logstash/conf.d/01-wazuh.conf https://raw.githubusercontent.com/wazuh/wazuh/3.7/extensions/logstash/01-wazuh-remote.conf

  3. Enable and start the Logstash service:

     a. For Systemd:

# systemctl daemon-reload
# systemctl enable logstash.service
# systemctl start logstash.service

     b. For SysV Init:

# update-rc.d logstash defaults 95 10
# service logstash start

Note

If you are running the Wazuh server and the Elastic Stack server on separate systems (distributed architecture), it is important to configure encryption between Filebeat and Logstash. To do so, please see Setting up SSL for Filebeat and Logstash.

Kibana

Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch. Find more information at Kibana.

  1. Install the Kibana package:

# apt-get install kibana=6.5.4

  2. Install the Wazuh app plugin for Kibana:

# sudo -u kibana NODE_OPTIONS="--max-old-space-size=3072" /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.7.2_6.5.4.zip

Warning

The Kibana plugin installation process may take several minutes. Please wait patiently.

Note

If you want to download a different Wazuh app plugin for another version of Wazuh or the Elastic Stack, check the table available at GitHub and use the appropriate installation command.

  3. (Optional) By default, Kibana only listens on the loopback interface (localhost). To make Kibana listen on all interfaces, edit /etc/kibana/kibana.yml, uncomment the server.host setting and change its value to:

server.host: "0.0.0.0"

Note

It is recommended that an Nginx proxy be set up for Kibana in order to use SSL encryption and to enable authentication. Instructions to set up the proxy can be found at Setting up SSL and authentication for Kibana.

  4. Enable and start the Kibana service:

     a. For Systemd:

# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service

     b. For SysV Init:

# update-rc.d kibana defaults 95 10
# service kibana start

  5. (Optional) Disable the Elasticsearch updates:

It is recommended that the Elasticsearch repository be disabled, in order to prevent an unintended upgrade to a newer Elastic Stack version that could undo the changes made for the Wazuh app. To do this, use the following commands:

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-6.x.list
# apt-get update

Alternatively, you can set the package state to hold, which stops automatic updates (you can still upgrade the packages manually with apt-get install):

# echo "elasticsearch hold" | sudo dpkg --set-selections
# echo "kibana hold" | sudo dpkg --set-selections
# echo "logstash hold" | sudo dpkg --set-selections

Next steps

Once the Wazuh and Elastic Stack servers are installed and connected, you can install and connect Wazuh agents. Follow this guide and read the instructions for your specific environment.

You can also read the Kibana app user manual to learn more about its features and how to use it.