Elasticsearch single-node cluster¶
This document will explain how to install the Elastic Stack components in a single-node cluster.
Root user privileges are necessary to execute all the commands described below.
Elasticsearch is a highly scalable full-text search and analytics engine.
Some extra packages are needed for the installation, such us
unzip, that will be used in further steps:
Adding the Elastic Stack repository¶
Elasticsearch installation and configuration¶
Install the Elasticsearch package:
Once Elasticsearch is installed it can be configured by downloading the file
# curl -so /etc/elasticsearch/elasticsearch.yml https://raw.githubusercontent.com/wazuh/wazuh-documentation/4.1/resources/elastic-stack/elasticsearch/7.x/elasticsearch.yml
Certificates creation and deployment¶
This step implies the selection of the Wazuh cluster mode. Choose between
Wazuh single-node cluster, if having only one Wazuh server, and
Wazuh multi-node clusterin case of having two or more Wazuh servers.
~/certs.zipto all the servers of the distributed deployment. This can be done by using, for example,
The next step is to create the directory
/etc/elasticsearch/certs, and then copy the certificate authorities, the certificate and key there:
# unzip ~/certs.zip -d ~/certs # mkdir /etc/elasticsearch/certs/ca -p # cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/ # chown -R elasticsearch: /etc/elasticsearch/certs # chmod -R 500 /etc/elasticsearch/certs # chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.* # rm -rf ~/certs/
If Kibana will be installed in this node, keep the certificates file. Otherwise, if the file has been copied already to all the instances of the distributed deployment, remove it to increase security
rm -f ~/certs.zip.
Enable and start the Elasticsearch service:
Generate credentials for all the Elastic Stack pre-built roles and users:
# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
The command above will prompt an output like this. Save the password of the
elasticuser for further steps:
Changed password for user apm_system PASSWORD apm_system = lLPZhZkB6oUOzzCrkLSF Changed password for user kibana_system PASSWORD kibana_system = TaLqVOnSoqKTYLIU0vDn Changed password for user kibana PASSWORD kibana = TaLqVOvXoqKTYLIU0vDn Changed password for user logstash_system PASSWORD logstash_system = UtuDv2tWkXGYL83v9kWA Changed password for user beats_system PASSWORD beats_system = qZcbvCslafMpoEOrE9Ob Changed password for user remote_monitoring_user PASSWORD remote_monitoring_user = LzJpQiSylncmCU2GLBTS Changed password for user elastic PASSWORD elastic = AN4UeQGA7HGl5iHpMla7
This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.
With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.
We recommend disabling the repositories so that the individual packages will not be updated unintentionally which could potentially lead to having a version of the Elastic Stack for which the Wazuh integration has not been released yet.
To uninstall Elasticsearch, visit the uninstalling section.
The next step is the installation of the Wazuh server, select the cluster mode: