Elasticsearch & Kibana unattended installation

You can install Open Distro for Elasticsearch and Open Distro for Kibana using an automated script. This script performs a health check to verify that the system has enough resources to achieve optimal performance.

For more information on system resources, see the Requirements section.

Note

Root user privileges are required to run all the commands. The curl package is used to download the script.

The script installs Elasticsearch and Kibana, either together or on separate machines. The following options are available when running it:

Option                          Purpose
-e / --install-elasticsearch    Installs Open Distro for Elasticsearch. Cannot be used together with -k.
-k / --install-kibana           Installs Open Distro for Kibana. Cannot be used together with -e.
-n / --node-name                Sets the name of the instance.
-c / --create-certificates      Generates the certificates for all the nodes listed in the configuration file (multi-node mode only).
-d / --debug                    Shows the complete installation output.
-i / --ignore-healthcheck       Skips the health check.
-h / --help                     Shows help.

Installing Open Distro for Elasticsearch

To install Open Distro for Elasticsearch, you need to choose the cluster mode first and follow the installation process.

Choose the cluster mode, single-node or multi-node; the configuration shown below corresponds to the single-node mode.

Download the script and the configuration file config.yml

# curl -so ~/elastic-stack-installation.sh https://packages.wazuh.com/resources/4.1/open-distro/unattended-installation/distributed/elastic-stack-installation.sh
# curl -so ~/config.yml https://packages.wazuh.com/resources/4.1/open-distro/unattended-installation/distributed/templates/config.yml

Configure the installation

Edit the config.yml file to specify the IP you want the Elasticsearch service to bind to.

Note

To create valid certificates for the communication between the various components of Wazuh and the Elastic Stack, external IPs must be used.

## Single-node configuration

## Elasticsearch configuration

network.host: <elasticsearch_ip>

# Clients certificates
clients:
  - name: admin
    dn: CN=admin,OU=Docu,O=Wazuh,L=California,C=US
    admin: true
  - name: filebeat
    dn: CN=filebeat,OU=Docu,O=Wazuh,L=California,C=US

# Kibana-instance
- <kibana_ip>

# Wazuh-master-configuration
- <wazuh_master_server_IP>

If you have more than one Wazuh server, add one client entry per server in the Clients certificates section, changing the certificate name and the CN value for each:

- name: filebeat-X
  dn: CN=filebeat-x,OU=Docu,O=Wazuh,L=California,C=US
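As an added example (not part of the Wazuh documentation or of elastic-stack-installation.sh), the following POSIX shell functions check a config.yml before the script is run: that no <placeholder> is left unreplaced, that every client certificate has a unique name and DN (a second Wazuh server copied with the old CN is a common mistake), and that network.host is an external IPv4 address rather than a loopback or wildcard one, as the note above requires. The sample files written to a temporary directory are constructed for the example, and the single-node file layout shown above is assumed.

```sh
#!/bin/sh
# Added example, not part of the Wazuh documentation or of elastic-stack-installation.sh.
# Pre-flight checks for config.yml, assuming the single-node layout shown above:
# a "network.host:" line, a "clients:" list with "- name:" / "dn:" entries, and
# bare "- <ip>" entries for the Kibana instance and the Wazuh master.

# Return 1 if any unreplaced <placeholder> is still in the file (each hit is printed).
check_no_placeholders() {
    if grep -nE '<[A-Za-z_]+>' "$1"; then
        echo "unreplaced placeholders in $1" >&2
        return 1
    fi
    return 0
}

# Return 1 if two client certificates share a name or a DN. Distinct names and CNs
# are what let each Wazuh server be issued its own filebeat certificate.
check_unique_clients() {
    dup_names=$(grep -E '^[[:space:]]*- name:' "$1" | sed 's/.*name:[[:space:]]*//' | sort | uniq -d)
    dup_dns=$(grep -E '^[[:space:]]*dn:' "$1" | sed 's/.*dn:[[:space:]]*//' | sort | uniq -d)
    if [ -n "$dup_names" ] || [ -n "$dup_dns" ]; then
        echo "duplicate client name or dn in $1: $dup_names $dup_dns" >&2
        return 1
    fi
    return 0
}

# Return 1 unless network.host is a non-loopback, non-wildcard IPv4 literal. The page's
# note says external IPs are needed for the generated certificates to be valid, so
# 0.0.0.0, 127.x and empty values are rejected here.
check_bind_ip() {
    host=$(grep -E '^network\.host:' "$1" | sed 's/^network\.host:[[:space:]]*//')
    case "$host" in
        ""|0.0.0.0|127.*) echo "network.host '$host' is not an external IP" >&2; return 1 ;;
    esac
    echo "$host" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Run every check; only launch the installation script when this returns 0.
preflight() {
    check_no_placeholders "$1" && check_unique_clients "$1" && check_bind_ip "$1"
}

# Constructed sample files (not real deployments) used to exercise the checks.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Untouched template: placeholders still present.
cat > "$WORKDIR/unfilled.yml" <<'EOF'
network.host: <elasticsearch_ip>
clients:
  - name: admin
    dn: CN=admin,OU=Docu,O=Wazuh,L=California,C=US
    admin: true
  - name: filebeat
    dn: CN=filebeat,OU=Docu,O=Wazuh,L=California,C=US
- <kibana_ip>
- <wazuh_master_server_IP>
EOF

# Correctly filled in, with a second Wazuh server given its own name and CN.
cat > "$WORKDIR/filled.yml" <<'EOF'
network.host: 192.0.2.10
clients:
  - name: admin
    dn: CN=admin,OU=Docu,O=Wazuh,L=California,C=US
    admin: true
  - name: filebeat
    dn: CN=filebeat,OU=Docu,O=Wazuh,L=California,C=US
  - name: filebeat-2
    dn: CN=filebeat-2,OU=Docu,O=Wazuh,L=California,C=US
- 192.0.2.20
- 192.0.2.30
EOF

# Second Wazuh server added with a new name but the dn left unchanged.
cat > "$WORKDIR/dupe-dn.yml" <<'EOF'
network.host: 192.0.2.10
clients:
  - name: filebeat
    dn: CN=filebeat,OU=Docu,O=Wazuh,L=California,C=US
  - name: filebeat-2
    dn: CN=filebeat,OU=Docu,O=Wazuh,L=California,C=US
- 192.0.2.20
- 192.0.2.30
EOF

# Usage on a real file:  preflight ~/config.yml && bash ~/elastic-stack-installation.sh -e -n <node_name>
```

The checks are plain grep/sed so they run with the same tools the installation itself relies on; they do not parse YAML, so a file with a different layout than the one on this page needs the patterns adjusted.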

Run the script

To install Elasticsearch, run the script with the options -e and -n <node_name>:

# bash ~/elastic-stack-installation.sh -e -n <node_name>

Note

The Open Distro for Elasticsearch performance analyzer plugin is removed during the installation to prevent any negative impact on system resources.

Configuring Elasticsearch

Once Elasticsearch is installed, the script starts the services automatically. The certificates are placed at ~/certs.tar. This file must be copied to the Wazuh server to extract the certificates it needs.

In case Kibana is installed on a different server, the certs.tar file should also be copied into the Wazuh server to extract the corresponding certificates.

Installing Kibana

  1. Download the script. Skip this step if you are installing Kibana on the same server as Open Distro for Elasticsearch:

    # curl -so ~/elastic-stack-installation.sh https://packages.wazuh.com/resources/4.1/open-distro/unattended-installation/distributed/elastic-stack-installation.sh
    
  2. Run the script:

    # bash ~/elastic-stack-installation.sh -k -n <node_name>
    

    The following values must be replaced:

    • node_name: Name of the instance. It must match the name used in config.yml for the certificate creation, e.g. kibana.

  3. Access the web interface:

    URL: https://<kibana_ip>
    user: admin
    password: admin
    

Upon the first access to Kibana, the browser shows a warning message stating that the certificate was not issued by a trusted authority. An exception can be added in the advanced options of the web browser or, for increased security, the root-ca.pem file previously generated can be imported to the certificate manager of the browser. Alternatively, a certificate from a trusted authority can be configured.

Note

If Kibana is accessed before installing the Wazuh server, the Wazuh Kibana plugin indicates that it cannot establish a connection with the Wazuh API. Proceed with the Wazuh server installation to remediate this.

Note

It is highly recommended to change the default passwords of the Elasticsearch users. To do this, see the Elasticsearch tuning section.

If you need to uninstall Elasticsearch and Kibana, visit the Uninstalling section.

Next steps

Once the Elastic Stack environment is ready, the Wazuh server can be installed. To do this, follow the steps described in the Wazuh server section of the installation guide.