Elasticsearch single-node cluster
This document will explain how to install the Elastic Stack components in a single-node cluster.
Note
You need root user privileges to run all the commands described below.
Installing Elasticsearch
Elasticsearch is a highly scalable full-text search and analytics engine.
Installing prerequisites
Some extra packages, such as curl or unzip, are needed for the installation and will be used in further steps:
Install all the necessary packages:
RPM based OS
# yum install zip unzip curl
Debian based OS
# apt-get install lsb-release curl apt-transport-https zip unzip gnupg
Adding the Elastic Stack repository
RPM based OS
Import the GPG key:
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Add the repository:
# cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
Debian based OS
Install the GPG key:
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/elasticsearch.gpg --import && chmod 644 /usr/share/keyrings/elasticsearch.gpg
Add the repository:
# echo "deb [signed-by=/usr/share/keyrings/elasticsearch.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
Update the package information:
# apt-get update
Elasticsearch installation and configuration
Install the Elasticsearch package:
RPM based OS
# yum install elasticsearch-7.17.13
Debian based OS
# apt-get install elasticsearch=7.17.13
Once Elasticsearch is installed, it can be configured by downloading the file /etc/elasticsearch/elasticsearch.yml:
# curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/4.5/tpl/elastic-basic/elasticsearch.yml
Certificates creation and deployment
The number of Wazuh servers to be deployed determines the next step. Select Wazuh single-node cluster if there is only one Wazuh server, or Wazuh multi-node cluster if there are two or more Wazuh servers.
Wazuh single-node cluster
The instances file /usr/share/elasticsearch/instances.yml can be created as follows:
# cat > /usr/share/elasticsearch/instances.yml <<\EOF
instances:
  - name: "elasticsearch"
    ip:
      - "10.0.0.2"
  - name: "filebeat"
    ip:
      - "10.0.0.3"
  - name: "kibana"
    ip:
      - "10.0.0.4"
EOF
Every name section corresponds to one host in the Wazuh Server - Elastic Stack environment. In this example, the file describes:
- An elasticsearch instance with IP address 10.0.0.2.
- A filebeat instance with IP address 10.0.0.3, corresponding to a single-node Wazuh cluster.
- A kibana instance with IP address 10.0.0.4. If Kibana will be installed on the same server as Elasticsearch, the same IP address may be used.
Replace the IPs with the corresponding addresses for each instance in your environment.
Create the certificates using the elasticsearch-certutil tool:
# /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip
The resulting file certs.zip contains a directory for each instance included in instances.yml. Each directory contains a certificate and a private key necessary to secure communications.
Wazuh multi-node cluster
The instances file /usr/share/elasticsearch/instances.yml must be created as follows:
# cat > /usr/share/elasticsearch/instances.yml <<\EOF
instances:
  - name: "elasticsearch"
    ip:
      - "10.0.0.2"
  - name: "filebeat-1"
    ip:
      - "10.0.0.3"
  - name: "filebeat-2"
    ip:
      - "10.0.0.4"
  - name: "kibana"
    ip:
      - "10.0.0.5"
EOF
Every name section corresponds to one host in the Wazuh Server - Elastic Stack environment. In this example, the file describes:
- An elasticsearch instance with IP 10.0.0.2. It is an Elasticsearch single-node cluster.
- Two filebeat instances, #1 and #2, with their respective IPs 10.0.0.3 and 10.0.0.4. These correspond to two Wazuh cluster nodes. When configuring a Wazuh multi-node cluster with three or more nodes, more name sections with their respective names and IPs can be defined.
- A kibana instance with IP address 10.0.0.5. If Kibana will be installed on the same server as Elasticsearch, the same Elasticsearch instance IP address should be used.
Replace the IPs of this example with the corresponding addresses in your environment.
Create the certificates using the elasticsearch-certutil tool:
# /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip
The resulting file certs.zip contains a directory for each instance included in instances.yml. Each directory contains a certificate and a private key necessary to secure communications.
Copy ~/certs.zip to all the servers of the distributed deployment. This can be done by using, for example, scp.
The next step is to create the directory /etc/elasticsearch/certs, and then copy the certificate authorities, the certificate and key there:
# unzip ~/certs.zip -d ~/certs
# mkdir /etc/elasticsearch/certs/ca -p
# cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/
# chown -R elasticsearch: /etc/elasticsearch/certs
# chmod -R 500 /etc/elasticsearch/certs
# chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*
# rm -rf ~/certs/
If you are going to install Kibana on this node, keep the certificates file. Otherwise, once the file has been copied to all the instances of the distributed deployment, remove it to increase security:
# rm -f ~/certs.zip
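A post-deployment check for the certificate directory, added here as an example and not part of the Wazuh guide or of Wazuh's own tooling: it confirms that the four files the commands above copy are present and that ownership and modes match what the chown and chmod commands set (directories 500, files 400, everything owned by the elasticsearch user). The function name and its arguments are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the Wazuh guide): verify the certs directory after
# deployment. Expected layout, as produced by the cp command in the guide:
#   <dir>/ca/ca.crt  <dir>/ca/ca.key  <dir>/elasticsearch.crt  <dir>/elasticsearch.key
# Directories must be mode 500, files mode 400, all owned by the service user.
# Usage: check_cert_perms /etc/elasticsearch/certs elasticsearch
# Exit status 0 when compliant; 1 otherwise, with every offender on stderr.
check_cert_perms() {
    dir="$1"
    owner="$2"
    bad=0
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    # The files the guide copies into place; without the CA or the private
    # key the TLS configuration that references them cannot be loaded.
    for f in ca/ca.crt ca/ca.key elasticsearch.crt elasticsearch.key; do
        [ -f "$dir/$f" ] || { echo "missing file: $dir/$f" >&2; bad=1; }
    done
    # Walk every entry (the directory itself included); GNU stat prints the
    # owner name and the octal mode, which are then compared to the targets.
    for entry in $(find "$dir"); do
        info=$(stat -c '%U %a' "$entry") || { bad=1; continue; }
        set -- $info
        if [ "$1" != "$owner" ]; then
            echo "wrong owner $1 (want $owner): $entry" >&2; bad=1
        fi
        if [ -d "$entry" ] && [ "$2" != "500" ]; then
            echo "directory mode $2 (want 500): $entry" >&2; bad=1
        elif [ -f "$entry" ] && [ "$2" != "400" ]; then
            echo "file mode $2 (want 400): $entry" >&2; bad=1
        fi
    done
    return "$bad"
}
```

Run it as root right after the chmod commands; a non-zero exit means a private key or CA is readable more widely than the guide intends, or a file is missing.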
Enable and start the Elasticsearch service:
Systemd
# systemctl daemon-reload
# systemctl enable elasticsearch
# systemctl start elasticsearch
SysV init
Choose one option according to the OS used:
Debian based OS
# update-rc.d elasticsearch defaults 95 10
# service elasticsearch start
RPM based OS
# chkconfig --add elasticsearch
# service elasticsearch start
Generate credentials for all the Elastic Stack pre-built roles and users:
# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
The command above prints output like the following. Save the password of the elastic user for further steps:
Changed password for user apm_system
PASSWORD apm_system = lLPZhZkB6oUOzzCrkLSF
Changed password for user kibana_system
PASSWORD kibana_system = TaLqVOnSoqKTYLIU0vDn
Changed password for user kibana
PASSWORD kibana = TaLqVOvXoqKTYLIU0vDn
Changed password for user logstash_system
PASSWORD logstash_system = UtuDv2tWkXGYL83v9kWA
Changed password for user beats_system
PASSWORD beats_system = qZcbvCslafMpoEOrE9Ob
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = LzJpQiSylncmCU2GLBTS
Changed password for user elastic
PASSWORD elastic = AN4UeQGA7HGl5iHpMla7
Disabling repositories
This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.
With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.
We recommend disabling the repositories so that the individual packages will not be updated unintentionally, which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.
RPM based OS
# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo
Debian based OS
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update
To uninstall Elasticsearch, visit the uninstalling section.
Next steps
The next step is to install the Wazuh server; select the cluster mode: