Elasticsearch single-node cluster

This document will explain how to install the Elastic Stack components in a single-node cluster.

Note

Root user privileges are necessary to execute all the commands described below.

Installing Elasticsearch

Elasticsearch is a highly scalable full-text search and analytics engine.

Prerequisites

Some extra packages are needed for the installation, such as curl or unzip, that will be used in further steps. Install them with the package manager of your distribution:

Yum:

# yum install zip unzip curl

APT:

# apt-get install lsb-release curl apt-transport-https zip unzip gnupg

ZYpp:

# zypper install zip unzip curl

Adding the Elastic Stack repository

Yum:

  1. Import the GPG key:

    # rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
    
  2. Add the repository:

    # cat > /etc/yum.repos.d/elastic.repo << EOF
    [elasticsearch-7.x]
    name=Elasticsearch repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF
    
APT:

  1. Install the GPG key (-f makes curl fail on an HTTP error instead of piping an error page into apt-key):

    # curl -fs https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
    
  2. Add the repository:

    # echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
    
  3. Update the package information:

    # apt-get update
    
ZYpp:

  1. Import the GPG key:

    # rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
    
  2. Add the repository:

    # cat > /etc/zypp/repos.d/elastic.repo <<\EOF
    [elasticsearch-7.x]
    name=Elasticsearch repository for 7.x packages
    baseurl=https://artifacts.elastic.co/packages/7.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF
    

Elasticsearch installation and configuration

  1. Install the Elasticsearch package with the package manager of your distribution:

    Yum:

    # yum install elasticsearch-7.12.1
    
    APT:

    # apt-get install elasticsearch=7.12.1
    
    ZYpp:

    # zypper install elasticsearch-7.12.1
    
    
  2. Once Elasticsearch is installed, configure it by downloading the Wazuh-provided /etc/elasticsearch/elasticsearch.yml, which replaces the packaged file (-f makes curl fail on an HTTP error instead of writing the error page into the configuration):

    # curl -fso /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.2/elastic-stack/elasticsearch/7.x/elasticsearch.yml
    
    

Certificates creation and deployment

  1. This step depends on the Wazuh cluster mode. Choose Wazuh single-node cluster if there is only one Wazuh server, and Wazuh multi-node cluster if there are two or more Wazuh servers.

    Wazuh single-node cluster:

    Create the instances file /usr/share/elasticsearch/instances.yml as follows:

    cat > /usr/share/elasticsearch/instances.yml <<\EOF
    instances:
    - name: "elasticsearch"
      ip:
      - "10.0.0.2"
    - name: "filebeat"
      ip:
      - "10.0.0.3"
    - name: "kibana"
      ip:
      - "10.0.0.4"
    EOF
    

    Every name section corresponds to one host in the Wazuh - Elastic Stack environment. In this example, the file describes:

    • An elasticsearch instance with IP 10.0.0.2.

    • A filebeat instance with IP 10.0.0.3, corresponding to the single Wazuh server.

    • A kibana instance with IP 10.0.0.4. If Kibana will be installed on the same server as Elasticsearch, the same IP may be used.

    Replace the IPs with the corresponding addresses for each instance in your environment. The listed IPs become the subject alternative names of the generated certificates, so they must be the addresses the components will actually connect to.

    Create the certificates using the elasticsearch-certutil tool:

    # /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in /usr/share/elasticsearch/instances.yml --keep-ca-key --out ~/certs.zip
    

    The resulting file certs.zip contains a directory for each instance included in instances.yml, each holding that instance's certificate and private key, plus a ca directory with the CA certificate and, because of --keep-ca-key, the CA private key.

    Wazuh multi-node cluster:

    Create the instances file /usr/share/elasticsearch/instances.yml as follows:

    cat > /usr/share/elasticsearch/instances.yml <<\EOF
    instances:
    - name: "elasticsearch"
      ip:
      - "10.0.0.2"
    - name: "filebeat-1"
      ip:
      - "10.0.0.3"
    - name: "filebeat-2"
      ip:
      - "10.0.0.4"
    - name: "kibana"
      ip:
      - "10.0.0.5"
    EOF
    

    Every name section corresponds to one host in the Wazuh - Elastic Stack environment. In this example, the file describes:

    • An elasticsearch instance with IP 10.0.0.2. It is an Elasticsearch single-node cluster.

    • Two filebeat instances, filebeat-1 and filebeat-2, with IPs 10.0.0.3 and 10.0.0.4 respectively. These correspond to the two Wazuh cluster nodes. For a Wazuh multi-node cluster with three or more nodes, add a name section with its own name and IP for each additional node.

    • A kibana instance with IP 10.0.0.5. If Kibana will be installed on the same server as Elasticsearch, the same IP may be used.

    Replace the IPs of this example with the corresponding addresses in your environment. The listed IPs become the subject alternative names of the generated certificates, so they must be the addresses the components will actually connect to.

    Create the certificates using the elasticsearch-certutil tool:

    # /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in /usr/share/elasticsearch/instances.yml --keep-ca-key --out ~/certs.zip
    

    The resulting file certs.zip contains a directory for each instance included in instances.yml, each holding that instance's certificate and private key, plus a ca directory with the CA certificate and, because of --keep-ca-key, the CA private key.

  2. Copy ~/certs.zip to all the servers of the distributed deployment. This can be done by using, for example, scp.

  3. The next step is to create the directory /etc/elasticsearch/certs, and then copy the certificate authorities, the certificate and key there:

    # unzip ~/certs.zip -d ~/certs
    # mkdir /etc/elasticsearch/certs/ca -p
    # cp -R ~/certs/ca/ ~/certs/elasticsearch/* /etc/elasticsearch/certs/
    # chown -R elasticsearch: /etc/elasticsearch/certs
    # chmod -R 500 /etc/elasticsearch/certs
    # chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*
    # rm -rf ~/certs/
    
  4. If Kibana will be installed on this node, keep the certificates file. Otherwise, once the file has been copied to all the instances of the distributed deployment, remove it: rm -f ~/certs.zip. The archive contains the CA private key (kept by --keep-ca-key) as well as every instance's private key, so treat it as a secret wherever it still exists.

  5. Enable and start the Elasticsearch service:

    Systemd:

    # systemctl daemon-reload
    # systemctl enable elasticsearch
    # systemctl start elasticsearch
    

    SysV init, choosing the option that matches the OS:

    Debian based OS:

    # update-rc.d elasticsearch defaults 95 10
    # service elasticsearch start
    
    RPM based OS:

    # chkconfig --add elasticsearch
    # service elasticsearch start
    
    
  6. Generate credentials for all the Elastic Stack pre-built roles and users:

    # /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
    

    The command above prints output like the following. The passwords are shown only once, so save the password of the elastic user, which later steps need:

    Changed password for user apm_system
    PASSWORD apm_system = lLPZhZkB6oUOzzCrkLSF
    
    Changed password for user kibana_system
    PASSWORD kibana_system = TaLqVOnSoqKTYLIU0vDn
    
    Changed password for user kibana
    PASSWORD kibana = TaLqVOvXoqKTYLIU0vDn
    
    Changed password for user logstash_system
    PASSWORD logstash_system = UtuDv2tWkXGYL83v9kWA
    
    Changed password for user beats_system
    PASSWORD beats_system = qZcbvCslafMpoEOrE9Ob
    
    Changed password for user remote_monitoring_user
    PASSWORD remote_monitoring_user = LzJpQiSylncmCU2GLBTS
    
    Changed password for user elastic
    PASSWORD elastic = AN4UeQGA7HGl5iHpMla7
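
After steps 3 and 6 a practitioner usually wants to confirm that the deployed certificate really chains to the CA, matches its private key, carries the instance IP in subjectAltName and has the intended permissions, and wants the generated passwords stored somewhere safer than the terminal scrollback. The following POSIX shell script is an added example and not part of the Wazuh documentation or of the Wazuh project's tooling; it assumes openssl is installed, the directory layout produced by the cp commands in step 3 (ca/ca.crt, ca/ca.key, elasticsearch.crt, elasticsearch.key) and the PASSWORD user = secret output format shown above. Ownership (chown elasticsearch:) is deliberately not checked so the script can also be run against a copy of the directory.

```sh
#!/bin/sh
# Added example (not Wazuh's own tooling): post-deployment checks for the
# certificates copied in step 3 and for the passwords printed in step 6.
# Assumes: openssl on PATH; layout produced by the page's cp commands
# (CERT_DIR/ca/ca.crt, CERT_DIR/ca/ca.key, CERT_DIR/<name>.crt, CERT_DIR/<name>.key).

# verify_es_certs CERT_DIR INSTANCE_NAME EXPECTED_IP
# Prints one line per failed check; returns 0 only if every check passed.
verify_es_certs() {
    dir=$1; name=$2; ip=$3; rc=0
    ca="$dir/ca/ca.crt"; crt="$dir/$name.crt"; key="$dir/$name.key"

    # 1. All three files must be present.
    for f in "$ca" "$crt" "$key"; do
        [ -f "$f" ] || { echo "missing: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # 2. The instance certificate must chain to the CA from certs.zip.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "chain: $crt is not signed by $ca"; rc=1; }

    # 3. The private key must belong to the certificate. Comparing the
    #    derived public keys works for both RSA and EC keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "keypair: $key does not match $crt"; rc=1
    fi

    # 4. The IP given in instances.yml must appear in subjectAltName, or
    #    Filebeat and Kibana will reject the connection during TLS verification.
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    if ! openssl x509 -in "$crt" -noout -text 2>/dev/null \
            | grep -Eq "IP Address:$ip_re(,|\$)"; then
        echo "san: $crt does not list IP $ip"; rc=1
    fi

    # 5. Private keys must be owner-read-only (the page uses chmod 400).
    for f in "$key" "$dir/ca/ca.key"; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        [ "$mode" = 400 ] || { echo "perm: $f is mode $mode, expected 400"; rc=1; }
    done

    # 6. ca.key is only needed to sign further certificates with certutil;
    #    its presence is worth knowing about but is not treated as an error here.
    if [ -f "$dir/ca/ca.key" ]; then
        echo "note: CA private key present in $dir/ca (only the signing host needs it)"
    fi
    return "$rc"
}

# save_setup_passwords OUTFILE   (reads elasticsearch-setup-passwords output on stdin)
# Stores every "PASSWORD <user> = <secret>" line as user=secret in OUTFILE,
# created with mode 600, and prints the elastic password for later steps.
save_setup_passwords() {
    out=$1; elastic=""
    rm -f "$out"
    ( umask 077; : > "$out" )   # create empty and owner-only before any secret is written
    while IFS= read -r line; do
        case $line in
            "PASSWORD "*" = "*)
                user=${line#PASSWORD }; user=${user%% = *}
                pass=${line#* = }
                printf '%s=%s\n' "$user" "$pass" >> "$out"
                if [ "$user" = elastic ]; then elastic=$pass; fi
                ;;
        esac
    done
    if [ -z "$elastic" ]; then
        echo "no elastic password found in input" >&2; return 1
    fi
    printf '%s\n' "$elastic"
}
```

On the Elasticsearch node run verify_es_certs /etc/elasticsearch/certs elasticsearch 10.0.0.2 (ca.key is expected there because step 3 copies the whole ca/ directory), and run step 6 as /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto | save_setup_passwords /root/elastic-passwords so that the credentials land in an owner-only file rather than only on the terminal.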
    

Disabling repositories

This installation guide describes how to install and configure Wazuh and Elastic Stack by first configuring their repositories.

With each new release of Wazuh or Elastic Stack, the development team at Wazuh thoroughly tests the compatibility of each component and performs necessary adjustments before releasing a new Wazuh Kibana plugin.

We recommend disabling the repositories so that the individual packages are not updated unintentionally, which could leave you with a version of the Elastic Stack for which the Wazuh integration has not been released yet.

Yum:

# sed -i "s/^enabled=1/enabled=0/" /etc/yum.repos.d/elastic.repo

APT:

# sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/elastic-7.x.list
# apt-get update

ZYpp:

# sed -i "s/^enabled=1/enabled=0/" /etc/zypp/repos.d/elastic.repo

To uninstall Elasticsearch, visit the uninstalling section.

Next steps

The next step is the installation of the Wazuh server. Select the cluster mode: