Install Elastic Stack with RPM packages¶
The RPM packages are suitable for installation on Red Hat, CentOS and other RPM-based systems.
All the commands described below need to be executed with root user privileges.
- Install the Elastic repository and its GPG key:
# rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch # cat > /etc/yum.repos.d/elastic.repo << EOF [elasticsearch-7.x] name=Elasticsearch repository for 7.x packages baseurl=https://artifacts.elastic.co/packages/7.x/yum gpgcheck=1 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch enabled=1 autorefresh=1 type=rpm-md EOF
Elasticsearch is a highly scalable full-text search and analytics engine. For more information, please see Elasticsearch.
- Install the Elasticsearch package:
# yum install elasticsearch-7.3.0
Optional. Elasticsearch will only listen on the loopback interface (localhost) by default. Configure Elasticsearch to listen on all interfaces by editing the file
/etc/elasticsearch/elasticsearch.ymland uncommenting the setting
network.host. Change the value to:
If you are installing a distributed architecture, you will have to make an additional configuration change by editing the file
/etc/elasticsearch/elasticsearch.yml. Add or edit (if commented) the following lines:
node.name: node-1 network.host: 0.0.0.0 cluster.initial_master_nodes: ["node-1"]
Enable and start the Elasticsearch service:
- For Systemd:# systemctl daemon-reload # systemctl enable elasticsearch.service # systemctl start elasticsearch.service
- For SysV Init:# chkconfig --add elasticsearch # service elasticsearch start
- Once Elasticsearch is up and running, it is recommended to load the Filebeat template. Run the following command where Filebeat was installed (current host, for single architecture or Wazuh manager host for distributed architecture):
# filebeat setup --index-management -E setup.template.json.enabled=false
Kibana is a flexible and intuitive web interface for mining and visualizing the events and archives stored in Elasticsearch. Find more information at Kibana.
- Install the Kibana package:
# yum install kibana-7.3.0
- Install the Wazuh app plugin for Kibana:
# sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages.wazuh.com/wazuhapp/wazuhapp-3.9.5_7.3.0.zip
- Optional. Kibana will only listen on the loopback interface (localhost) by default. Configure Kibana to listen on all interfaces by editing the file
/etc/kibana/kibana.ymland uncommenting the setting
server.host. Change the value to:
- Enable and start the Kibana service:
- For Systemd:# systemctl daemon-reload # systemctl enable kibana.service # systemctl start kibana.service
- For SysV Init:# chkconfig --add kibana # service kibana start
- (Optional) Disable the Elasticsearch repository:
It is recommended that the Elasticsearch repository be disabled in order to prevent an upgrade to a newer Elastic Stack version due to the possibility of undoing changes with the App. To do this, use the following command:# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo