Elasticsearch single-node cluster

This document will explain how to install the Elastic Stack components in a single-node cluster.

Note

Root user privileges are necessary to execute all the commands described below.

Installing Elasticsearch

Elasticsearch is a highly scalable full-text search and analytics engine.

Prerequisites

Some extra packages are needed for the installation, such us curl or unzip, that will be used in further steps:

Install all the necessary packages:

# yum install zip unzip curl

Install all the necessary packages:

# apt-get install lsb-release curl apt-transport-https zip unzip gnupg2

Install all the necessary packages:

# zypper install zip unzip curl

Adding the Elastic Stack repository

Import the GPG key:

# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Add the repository:

# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Install the GPG key:

# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -

Add the repository:

# echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list

Update the package information:
# apt-get update

Import the GPG key:

# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

Add the repository:

# cat > /etc/zypp/repos.d/elastic.repo <<\EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Elasticsearch installation and configuration

Install the Elasticsearch package:

# yum install elasticsearch-7.9.3

# apt-get install elasticsearch=7.9.3

# zypper install elasticsearch-7.9.3

Once Elasticsearch is installed it can be configured by downloading the file /etc/elasticsearch/elasticsearch.yml:

# curl -so /etc/elasticsearch/elasticsearch.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/elastic-stack/elasticsearch/7.x/elasticsearch.yml

Certificates creation and deployment

This step implies the selection of the Wazuh cluster mode. Choose between Wazuh single-node cluster, if having only one Wazuh server, and Wazuh multi-node cluster in case of having two or more Wazuh servers.
The instances file can be created /usr/share/elasticsearch/instances.yml as follows:

cat > /usr/share/elasticsearch/instances.yml <<\EOF instances: - name: "elasticsearch" ip: - "10.0.0.2" - name: "filebeat" ip: - "10.0.0.3" - name: "kibana" ip: - "10.0.0.4" EOF

Every name section corresponds to one host in the Wazuh - Elastic Stack environment. In this example, the file describes:

An elasticsearch instance with IP 10.0.0.2.

A filebeat instance with IP 10.0.0.3 corresponding to a single-node Wazuh cluster.

A kibana instance with IP 10.0.0.4. If Kibana will be installed in the same server as Elasticsearch, the same IP may be used.

Replace the IPs with the corresponding addresses for each instance in your environment.

Create the certificates using the elasticsearch-certutil tool:

# /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip

The resulting file certs.zip contains a directory for each instance included in instances.yml. Each directory contains a certificate and a private key necessary to secure communications.
The instances file /usr/share/elasticsearch/instances.yml must be created as follows:

cat > /usr/share/elasticsearch/instances.yml <<\EOF instances: - name: "elasticsearch" ip: - "10.0.0.2" - name: "filebeat-1" ip: - "10.0.0.3" - name: "filebeat-2" ip: - "10.0.0.4" - name: "kibana" ip: - "10.0.0.5" EOF

Every name section corresponds to one host in the Wazuh - Elastic Stack environment. In this example, the file describes:

An elasticsearch instance with IP 10.0.0.2. It is an Elasticsearch single-node cluster.

Two filebeat instances, the #1 and #2 with their respective IPs 10.0.0.3 and 10.0.0.4. These correspond to two Wazuh cluster nodes. In case of configuring a Wazuh multi-node cluster with three or more nodes, more name sections with their respective names and IPs can be defined.

A kibana instance with IP 10.0.0.5. If Kibana will be installed in the same server as Elasticsearch, the same IP may be used.

Replace the IPs of this example with the corresponding addresses in your environment.

Create the certificates using the elasticsearch-certutil tool:

# /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip

The resulting file certs.zip contains a directory for each instance included in instances.yml. Each directory contains a certificate and a private key necessary to secure communications.
Copy ~/certs.zip to all the servers of the distributed deployment. This can be done by using, for example, scp.

The next step is to create the directory /etc/elasticsearch/certs, and then copy the certificate authorities, the certificate and key there:

# unzip ~/certs.zip -d ~/certs
# mkdir /etc/elasticsearch/certs/ca -p
# cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/
# chown -R elasticsearch: /etc/elasticsearch/certs
# chmod -R 500 /etc/elasticsearch/certs
# chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*
# rm -rf ~/certs/

If Kibana will be installed in this node, keep the certificates file. Otherwise, if the file has been copied already to all the instances of the distributed deployment, remove it to increase security rm -f ~/certs.zip.

Enable and start the Elasticsearch service:

# systemctl daemon-reload
# systemctl enable elasticsearch
# systemctl start elasticsearch

Choose one option according to the OS used:

Debian based OS

# update-rc.d elasticsearch defaults 95 10
# service elasticsearch start

RPM based OS

# chkconfig --add elasticsearch
# service elasticsearch start

Generate credentials for all the Elastic Stack pre-built roles and users:

# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto

The command above will prompt an output like this. Save the password of the elastic user for further steps:

Changed password for user apm_system
PASSWORD apm_system = lLPZhZkB6oUOzzCrkLSF

Changed password for user kibana_system
PASSWORD kibana_system = TaLqVOnSoqKTYLIU0vDn

Changed password for user kibana
PASSWORD kibana = TaLqVOvXoqKTYLIU0vDn

Changed password for user logstash_system
PASSWORD logstash_system = UtuDv2tWkXGYL83v9kWA

Changed password for user beats_system
PASSWORD beats_system = qZcbvCslafMpoEOrE9Ob

Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = LzJpQiSylncmCU2GLBTS

Changed password for user elastic
PASSWORD elastic = AN4UeQGA7HGl5iHpMla7

Disabling repositories

This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.

With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.

We recommend disabling the repositories so that the individual packages will not be updated unintentionally which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update

# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo

To uninstall Elasticsearch, visit the uninstalling section.

Next steps

The next step is the installation of the Wazuh server, select the cluster mode: