Install the Elastic Stack

Your Elastic Stack will be running Elasticsearch, Kibana and the Wazuh plugin for Kibana.

Log in and sudo to root

For the purposes of these labs, always become root when logging into a lab machine via SSH.

[centos@elastic-server ~]$ sudo su -
[root@elastic-server ~]#


  1. Add the Elastic repository and its GPG key:

# rpm --import
# cat > /etc/yum.repos.d/elastic.repo << EOF
name=Elasticsearch repository for 7.x packages
EOF

  2. Install unzip:

# yum install -y unzip


Elasticsearch is a highly scalable full-text search and analytics engine that will store alerts and log records sent by Wazuh via Filebeat and make them available to Kibana. For more information, please see Elasticsearch.

  1. Install the Elasticsearch package:

# yum -y install elasticsearch-7.9.1

  2. Enable and start the Elasticsearch service:

# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service

  3. Optimize Elasticsearch for lab use according to this guide.

This process will set optimal index sharding, replication, and memory usage values for Elasticsearch.

# sed -i 's/#bootstrap.memory_lock: true/bootstrap.memory_lock: true/' /etc/elasticsearch/elasticsearch.yml
# mkdir -p /etc/systemd/system/elasticsearch.service.d/
# echo -e "[Service]\nLimitMEMLOCK=infinity" > /etc/systemd/system/elasticsearch.service.d/elasticsearch.conf
# sed -i 's/^-Xms.*/-Xms5g/;s/^-Xmx.*/-Xmx5g/' /etc/elasticsearch/jvm.options
# systemctl daemon-reload
# systemctl restart elasticsearch


The two "5g" values in the steps above assume the Elastic Server was launched with the recommended instance size, t2.xlarge. If you chose t2.large instead, change both "5g" values to "3g".


Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch. More info at Kibana.

  1. Install the Kibana package:

# yum install -y kibana-7.9.1

  2. Install the Wazuh plugin for Kibana:

  • Install from URL:

# cd /usr/share/kibana/
# sudo -u kibana bin/kibana-plugin install

  3. By default Kibana listens only on the loopback interface (localhost), so it can only be reached from the same machine. To make Kibana reachable from any IP, set the "" variable, and set the port to the standard HTTPS port: server.port: 443

# cat >> /etc/kibana/kibana.yml << EOF ""
server.port: 443
EOF

  4. Allow Kibana (which runs as a non-root process) to bind to port 443:

# setcap 'CAP_NET_BIND_SERVICE=+eip' /usr/share/kibana/node/bin/node

  5. Optimize Kibana packages:

# cd /usr/share/kibana/
# NODE_OPTIONS="--max-old-space-size=4096" /usr/share/kibana/bin/kibana --optimize --allow-root

  6. Configure the credentials to access the Wazuh API:

# cat >> /usr/share/kibana/optimize/wazuh/config/wazuh.yml << EOF

  - wazuhapi:
     port: 55000
     username: wazuhapiuser
     password: wazuhlab
EOF

  7. Enable and start the Kibana service:

# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service

Disable the Elastic repository

Now disable the Elastic repository in order to prevent a future unintended Elastic Stack upgrade to a version that may be in conflict with the latest stable Wazuh packages.

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
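As an added post-install check (not part of the Wazuh lab material), the POSIX shell script below verifies the tuning applied above: heap size matching the instance type, memory locking, the Kibana port and the disabled repository. It runs against constructed copies of the config files in a temp directory so it works offline; the function names and temp-dir layout are assumptions of this example.

```shell
#!/bin/sh
# Heap the page prescribes for each supported instance size.
expected_heap() {
  case "$1" in
    t2.xlarge) echo 5g ;;
    t2.large)  echo 3g ;;
    *) echo "unsupported instance type: $1" >&2; return 1 ;;
  esac
}

# Both -Xms and -Xmx must equal the expected heap, exactly one line each.
check_heap() {  # $1 = jvm.options path, $2 = instance type
  want=$(expected_heap "$2") || return 1
  [ "$(sed -n 's/^-Xms//p' "$1")" = "$want" ] &&
  [ "$(sed -n 's/^-Xmx//p' "$1")" = "$want" ]
}

# memory_lock must be uncommented and systemd must lift the MEMLOCK limit.
check_memlock() {  # $1 = elasticsearch.yml, $2 = systemd drop-in
  grep -qx 'bootstrap.memory_lock: true' "$1" &&
  grep -qx 'LimitMEMLOCK=infinity' "$2"
}

# Kibana must listen on 443; the repo must be enabled=0 to block surprise upgrades.
check_kibana_port() { grep -qx 'server.port: 443' "$1"; }
check_repo_disabled() { grep -q '^enabled=0' "$1" && ! grep -q '^enabled=1' "$1"; }

# Write constructed config files to a temp dir, run every check, print one line
# per check and return the number of failures ($2 lets you simulate a wrong heap).
self_check() {  # $1 = instance type, $2 = heap actually present in jvm.options
  d=$(mktemp -d); fails=0
  printf -- '-Xms%s\n-Xmx%s\n' "$2" "$2" > "$d/jvm.options"
  printf 'bootstrap.memory_lock: true\n' > "$d/elasticsearch.yml"
  printf '[Service]\nLimitMEMLOCK=infinity\n' > "$d/elasticsearch.conf"
  printf 'server.port: 443\n' > "$d/kibana.yml"
  printf 'name=Elasticsearch repository for 7.x packages\nenabled=0\n' > "$d/elastic.repo"
  for c in "check_heap $d/jvm.options $1" \
           "check_memlock $d/elasticsearch.yml $d/elasticsearch.conf" \
           "check_kibana_port $d/kibana.yml" \
           "check_repo_disabled $d/elastic.repo"; do
    if $c; then echo "PASS: ${c%% *}"; else echo "FAIL: ${c%% *}"; fails=$((fails + 1)); fi
  done
  rm -rf "$d"
  return "$fails"
}

# Run as: self_check t2.xlarge 5g   (exit status 0 means every check passed)
```

On a real lab box, call the individual checks against the live paths instead, for example `check_heap /etc/elasticsearch/jvm.options t2.xlarge` and `check_repo_disabled /etc/yum.repos.d/elastic.repo`.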