Install Elastic Stack with Debian packages
The DEB package is suitable for Debian, Ubuntu and other Debian-based systems.
All the commands described below need to be executed with root user privileges.
- Install the Elastic repository and its GPG key:

```shell
# apt-get install curl apt-transport-https
# curl -s https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
# echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update
```
Elasticsearch is a highly scalable full-text search and analytics engine. For more information, please see Elasticsearch.
- Install the Elasticsearch package:

```shell
# apt-get install elasticsearch=7.3.0
```
- Enable and start the Elasticsearch service:

  - For Systemd:

```shell
# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service
```

  - For SysV Init:

```shell
# update-rc.d elasticsearch defaults 95 10
# service elasticsearch start
```
- Once Elasticsearch is up and running, it is recommended to load the Filebeat template. Run the following command on the host where Filebeat was installed (the current host for a single-host architecture, or the Wazuh manager host for a distributed architecture):

```shell
# filebeat setup --index-management -E setup.template.json.enabled=false
```
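The step above assumes Elasticsearch is already "up and running" before the Filebeat template is loaded; running `filebeat setup` too early fails with a connection error. The following helper is an added example, not part of the Wazuh documentation: it polls the node's `_cluster/health` endpoint and returns only once the cluster reports `green` or `yellow` (`yellow` is the normal state on a single node, where replica shards cannot be allocated). The endpoint `http://localhost:9200` and the attempt count are assumptions.

```shell
#!/bin/sh
# Added helper (not from the Wazuh documentation): wait for the local
# Elasticsearch node to answer before running `filebeat setup`.
# Assumes the default endpoint; override with ES_URL=... if needed.
ES_URL="${ES_URL:-http://localhost:9200}"

# Extracts the "status" field from a _cluster/health JSON body.
# Prints green/yellow/red, or nothing if the field is absent.
health_status() {
    printf '%s\n' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p'
}

# Returns 0 when the health body reports a usable cluster (green or
# yellow), 1 for red, an empty body or an unparseable answer.
cluster_ready() {
    case "$(health_status "$1")" in
        green|yellow) return 0 ;;
        *) return 1 ;;
    esac
}

# Polls the live node up to $1 times (default 30), one second apart.
# Returns 0 as soon as cluster_ready succeeds, 1 when attempts run out.
wait_for_elasticsearch() {
    attempts="${1:-30}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        body="$(curl -s "$ES_URL/_cluster/health" 2>/dev/null)" || body=""
        if cluster_ready "$body"; then
            echo "Elasticsearch ready, cluster status: $(health_status "$body")"
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "Elasticsearch did not become ready after $attempts attempts" >&2
    return 1
}
```

Usage: source the file and run `wait_for_elasticsearch && filebeat setup --index-management -E setup.template.json.enabled=false`, so the template load only runs against a cluster that actually answered.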
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch. Find more information at Kibana.
- Install the Kibana package:

```shell
# apt-get install kibana=7.3.0
```

- Install the Wazuh app plugin for Kibana:

```shell
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.9.5_7.3.0.zip
```
- Optional. Kibana will only listen on the loopback interface (localhost) by default. To set up Kibana to listen on all interfaces, edit the file `/etc/kibana/kibana.yml`, uncommenting the setting `server.host`. Change the value to:
- Enable and start the Kibana service:

  - For Systemd:

```shell
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service
```

  - For SysV Init:

```shell
# update-rc.d kibana defaults 95 10
# service kibana start
```
- (Optional) Disable the Elasticsearch updates:

It is recommended that the Elasticsearch repository be disabled in order to prevent an upgrade to a newer Elastic Stack version, since such an upgrade could undo the changes made by the Wazuh app. To do this, use the following commands:

```shell
# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update
```

Alternately, you can set the package state to `hold`, which will stop updates (although you can still upgrade it manually using `apt-get install`):

```shell
# echo "elasticsearch hold" | sudo dpkg --set-selections
# echo "kibana hold" | sudo dpkg --set-selections
```
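Both ways of freezing the Elastic Stack version are easy to lose track of: a later edit to the sources list, or a package reinstall, silently re-enables upgrades. The following script is an added example, not part of the Wazuh documentation: it checks that every `deb` line in the `elastic-7.x.list` file is commented out and that `elasticsearch` and `kibana` are both marked `hold` in the dpkg selections. The file path and package names come from the steps above; the combined `check_system` function that reads the live system is an assumption about how the checks would be run.

```shell
#!/bin/sh
# Added post-install check (not from the Wazuh documentation): confirms
# that the Elastic 7.x repository is disabled and/or that the two
# packages are held, so an `apt-get upgrade` cannot pull a newer stack.

# Returns 0 when no active (uncommented) "deb" line remains in the given
# sources file, 1 if at least one repository line is still enabled.
repo_disabled() {
    file="$1"
    if grep -Eq '^[[:space:]]*deb[[:space:]]' "$file"; then
        return 1
    fi
    return 0
}

# Returns 0 when the dpkg selections text passed as $1 marks both
# elasticsearch and kibana as "hold", 1 if either is missing or not held.
# Feed it the output of `dpkg --get-selections elasticsearch kibana`.
packages_held() {
    selections="$1"
    for pkg in elasticsearch kibana; do
        printf '%s\n' "$selections" | grep -Eq "^${pkg}[[:space:]]+hold[[:space:]]*$" || return 1
    done
    return 0
}

# Runs both checks against the live host; either one passing is enough
# to block unattended upgrades, so report which protection is in place.
check_system() {
    list=/etc/apt/sources.list.d/elastic-7.x.list
    if [ -f "$list" ] && repo_disabled "$list"; then
        echo "elastic-7.x repository is disabled"
        ok=1
    fi
    if packages_held "$(dpkg --get-selections elasticsearch kibana 2>/dev/null)"; then
        echo "elasticsearch and kibana are on hold"
        ok=1
    fi
    [ "${ok:-0}" -eq 1 ] && return 0
    echo "WARNING: Elastic Stack upgrades are not blocked" >&2
    return 1
}
```

Run `check_system` after finishing the steps above; a non-zero exit means neither protection is active and the repository or hold step should be repeated.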