Elasticsearch single-node cluster
This document will explain how to install the Elastic Stack components in a single-node cluster.
Note
Root user privileges are necessary to execute all the commands described below.
Installing Elasticsearch
Elasticsearch is a highly scalable full-text search and analytics engine.
Prerequisites
Some extra packages are needed for the installation, such us curl
or unzip
, that will be used in further steps:
Install all the necessary packages:
# yum install zip unzip curl
Install all the necessary packages:
# apt-get install lsb-release curl apt-transport-https zip unzip gnupg2
Install all the necessary packages:
# zypper install zip unzip curl
Adding the Elastic Stack repository
Import the GPG key:
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Add the repository:
# cat > /etc/yum.repos.d/elastic.repo << EOF [elasticsearch-7.x] name=Elasticsearch repository for 7.x packages baseurl=https://artifacts.elastic.co/packages/7.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md EOF
Install the GPG key:
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
Add the repository:
# echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
Update the package information:
# apt-get update
Import the GPG key:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Add the repository:
# cat > /etc/zypp/repos.d/elastic.repo <<\EOF [elasticsearch-7.x] name=Elasticsearch repository for 7.x packages baseurl=https://artifacts.elastic.co/packages/7.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md EOF
Elasticsearch installation and configuration
Install the Elasticsearch package:
# yum install elasticsearch-7.9.3
# apt-get install elasticsearch=7.9.3
# zypper install elasticsearch-7.9.3
Once Elasticsearch is installed it can be configured by downloading the file
/etc/elasticsearch/elasticsearch.yml
:# curl -so /etc/elasticsearch/elasticsearch.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.0/resources/elastic-stack/elasticsearch/7.x/elasticsearch.yml
Certificates creation and deployment
This step implies the selection of the Wazuh cluster mode. Choose between
Wazuh single-node cluster
, if having only one Wazuh server, andWazuh multi-node cluster
in case of having two or more Wazuh servers.The instances file can be created
/usr/share/elasticsearch/instances.yml
as follows:cat > /usr/share/elasticsearch/instances.yml <<\EOF instances: - name: "elasticsearch" ip: - "10.0.0.2" - name: "filebeat" ip: - "10.0.0.3" - name: "kibana" ip: - "10.0.0.4" EOF
Every
name
section corresponds to one host in the Wazuh - Elastic Stack environment. In this example, the file describes:An
elasticsearch
instance with IP10.0.0.2
.A
filebeat
instance with IP10.0.0.3
corresponding to a single-node Wazuh cluster.A
kibana
instance with IP10.0.0.4
. If Kibana will be installed in the same server as Elasticsearch, the same IP may be used.
Replace the IPs with the corresponding addresses for each instance in your environment.
Create the certificates using the elasticsearch-certutil tool:
# /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip
The resulting file
certs.zip
contains a directory for each instance included ininstances.yml
. Each directory contains a certificate and a private key necessary to secure communications.The instances file
/usr/share/elasticsearch/instances.yml
must be created as follows:cat > /usr/share/elasticsearch/instances.yml <<\EOF instances: - name: "elasticsearch" ip: - "10.0.0.2" - name: "filebeat-1" ip: - "10.0.0.3" - name: "filebeat-2" ip: - "10.0.0.4" - name: "kibana" ip: - "10.0.0.5" EOF
Every
name
section corresponds to one host in the Wazuh - Elastic Stack environment. In this example, the file describes:An
elasticsearch
instance with IP10.0.0.2
. It is an Elasticsearch single-node cluster.Two
filebeat
instances, the #1 and #2 with their respective IPs10.0.0.3
and10.0.0.4
. These correspond to two Wazuh cluster nodes. In case of configuring a Wazuh multi-node cluster with three or more nodes, morename
sections with their respective names and IPs can be defined.A
kibana
instance with IP10.0.0.5
. If Kibana will be installed in the same server as Elasticsearch, the same IP may be used.
Replace the IPs of this example with the corresponding addresses in your environment.
Create the certificates using the elasticsearch-certutil tool:
# /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip
The resulting file
certs.zip
contains a directory for each instance included ininstances.yml
. Each directory contains a certificate and a private key necessary to secure communications.Copy
~/certs.zip
to all the servers of the distributed deployment. This can be done by using, for example,scp.
The next step is to create the directory
/etc/elasticsearch/certs
, and then copy the certificate authorities, the certificate and key there:# unzip ~/certs.zip -d ~/certs # mkdir /etc/elasticsearch/certs/ca -p # cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/ # chown -R elasticsearch: /etc/elasticsearch/certs # chmod -R 500 /etc/elasticsearch/certs # chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.* # rm -rf ~/certs/
If Kibana will be installed in this node, keep the certificates file. Otherwise, if the file has been copied already to all the instances of the distributed deployment, remove it to increase security
rm -f ~/certs.zip
.Enable and start the Elasticsearch service:
# systemctl daemon-reload # systemctl enable elasticsearch # systemctl start elasticsearch
Choose one option according to the OS used:
Debian based OS
# update-rc.d elasticsearch defaults 95 10 # service elasticsearch start
RPM based OS
# chkconfig --add elasticsearch # service elasticsearch start
Generate credentials for all the Elastic Stack pre-built roles and users:
# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
The command above will prompt an output like this. Save the password of the
elastic
user for further steps:Changed password for user apm_system PASSWORD apm_system = lLPZhZkB6oUOzzCrkLSF Changed password for user kibana_system PASSWORD kibana_system = TaLqVOnSoqKTYLIU0vDn Changed password for user kibana PASSWORD kibana = TaLqVOvXoqKTYLIU0vDn Changed password for user logstash_system PASSWORD logstash_system = UtuDv2tWkXGYL83v9kWA Changed password for user beats_system PASSWORD beats_system = qZcbvCslafMpoEOrE9Ob Changed password for user remote_monitoring_user PASSWORD remote_monitoring_user = LzJpQiSylncmCU2GLBTS Changed password for user elastic PASSWORD elastic = AN4UeQGA7HGl5iHpMla7
Disabling repositories
This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.
With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.
We recommend disabling the repositories so that the individual packages will not be updated unintentionally which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update
# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo
To uninstall Elasticsearch, visit the uninstalling section.
Next steps
The next step is the installation of the Wazuh server, select the cluster mode: