Elasticsearch single-node cluster

Install Elasticsearch on a single-node cluster. Open Distro for Elasticsearch is an open source distribution of Elasticsearch, a highly scalable full-text search engine. It offers advanced security, alerting, index management, deep performance analysis, and several other additional features.

Note

Root user privileges are necessary to run all the commands.

Adding the Wazuh repository

  1. Install the necessary packages for the installation:

    # yum install curl unzip wget

  2. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

  3. Add the repository:

    # cat > /etc/yum.repos.d/wazuh.repo << EOF
[wazuh]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=EL-\$releasever - Wazuh
baseurl=https://packages.wazuh.com/4.x/yum/
protect=1
EOF

Elasticsearch installation

Install Open Distro for Elasticsearch:

Install Open Distro for Elasticsearch:

# yum install opendistroforelasticsearch

Elasticsearch configuration

Once Elasticsearch is installed, download the preconfigured configuration file:

# curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.1/open-distro/elasticsearch/7.x/elasticsearch.yml

This file configures Elasticsearch to use 0.0.0.0 for the network.host variable, so it accepts communications directed to any of its IP addresses instead of binding to the IP of a specific network interface in the host. Access may be restricted to a specific network interface by specifying its IP in this setting so Elasticsearch is not unnecessarily exposed.

Elasticsearch roles and users

You need to add users and roles in order to use the Wazuh Kibana plugin properly.

# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.1/open-distro/elasticsearch/roles/roles.yml
# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.1/open-distro/elasticsearch/roles/roles_mapping.yml
# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.1/open-distro/elasticsearch/roles/internal_users.yml

Wazuh users added in Kibana by running the commands above:

wazuh_user

It is created for users who need read-only access to the Wazuh Kibana plugin.

wazuh_admin

It is recommended for users who need administrative privileges.

Wazuh additional roles added in Kibana to give the appropriate permissions to users:

wazuh_ui_user

It provides wazuh_user with permissions to read the Wazuh indices.

wazuh_ui_admin

It allows wazuh_admin to perform reading, writing, management, and indexing tasks on the Wazuh indices.

These users and roles are designed to operate along with the Wazuh Kibana plugin, but they are protected and cannot be modified from the Kibana interface. To modify them or add new users or roles, the securityadmin script has to be run.

Certificates creation and deployment

  1. Remove the demo certificates:

    # rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f

  2. Generate and deploy the certificates:

    1. Download the wazuh-cert-tool.sh to create the certificates:

      # curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.1/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
# curl -so ~/instances.yml https://packages.wazuh.com/resources/4.1/open-distro/tools/certificate-utility/instances.yml

    2. Edit ~/instances.yml and replace the values <node-name> and node-IP with the corresponding names and IP addresses. Add as many nodes fields as needed:

      # Elasticsearch nodes
elasticsearch-nodes:
  - name: <node-name>
    ip:
      - node-IP

# Wazuh server nodes
wazuh-servers:
  - name: <node-name>
    ip:
      - node-IP

# Kibana node
kibana:
  - name: <node-name>
    ip:
      - node-IP

      To learn more about how to create and configure the certificates, see the Certificates deployment section.

    3. Run the wazuh-cert-tool.sh to create the certificates:

      #  bash ~/wazuh-cert-tool.sh

    4. Replace elasticsearch-node-name with your Elasticsearch node name, the same used in instances.yml to create the certificates, and move the certificates to their corresponding location:

      # node_name=elasticsearch-node-name

      # mkdir /etc/elasticsearch/certs/
# mv ~/certs/$node_name* /etc/elasticsearch/certs/
# mv ~/certs/admin* /etc/elasticsearch/certs/
# cp ~/certs/root-ca* /etc/elasticsearch/certs/
# mv /etc/elasticsearch/certs/$node_name.pem /etc/elasticsearch/certs/elasticsearch.pem
# mv /etc/elasticsearch/certs/$node_name-key.pem /etc/elasticsearch/certs/elasticsearch-key.pem

    5. Compress all the necessary files to be sent to all the instances:

      # cd ~/certs/
# tar -cvf certs.tar *
# mv ~/certs/certs.tar ~/

    6. Copy certs.tar to all the servers of the distributed deployment. This can be done by using, for example, scp.

    7. If Kibana will be installed on this node, keep the certificates file. Otherwise, if the file is already copied to all the instances of the distributed deployment, remove it to increase security rm -f certs.tar.

  3. Enable and start the Elasticsearch service:

    # systemctl daemon-reload
# systemctl enable elasticsearch
# systemctl start elasticsearch

  4. Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster. To run this command, the value <elasticsearch_IP> must be replaced by the Elasticsearch installation IP:

# export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem -h <elasticsearch_IP>

Run the following command to ensure that the installation is successful:

# curl -XGET https://localhost:9200 -u admin:admin -k

An example response should look as follows:

{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "tWYgqpgdRz6fGN8gH11flw",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "rpm",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Note

The Open Distro for Elasticsearch performance analyzer plugin is installed by default and can have a negative impact on system resources. We recommend removing it with the following command /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro-performance-analyzer. Make sure to restart the Elasticsearch service afterward.

Note

It is highly recommended to change the default passwords of Elasticsearch for the users’ passwords. To perform this action, see the Elasticsearch tuning section.

It is also recommended to customize the file /etc/elasticsearch/jvm.options in order to improve the performance of Elasticsearch. Learn more about this process in the user manual.

To uninstall Elasticsearch, see the Uninstalling section.

Next steps

You can now proceed with the Wazuh server installation. To do so, choose the cluster mode.