Elasticsearch single-node cluster

Install Elasticsearch on a single-node cluster. Open Distro for Elasticsearch is an open source distribution of Elasticsearch, a highly scalable full-text search engine. It offers advanced security, alerting, index management, deep performance analysis, and several other additional features.


Root user privileges are necessary to run all the commands.

Adding the Wazuh repository

Choose one option according to the package manager used:

Yum:

  1. Install the necessary packages for the installation:

    # yum install curl unzip wget

  2. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

  3. Add the repository:

    # cat > /etc/yum.repos.d/wazuh.repo << EOF
    name=EL-$releasever - Wazuh

APT:

  1. Install the necessary packages for the installation:

    # apt install curl apt-transport-https unzip wget software-properties-common

  2. Install the GPG key:

    # curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -

  3. Add the repository:

    # echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

  4. Update the package information:

    # apt-get update

ZYpp:

  1. Install the necessary packages for the installation:

    # zypper install curl unzip wget

  2. Import the GPG key:

    # rpm --import https://packages.wazuh.com/key/GPG-KEY-WAZUH

  3. Add the repository:

    # cat > /etc/zypp/repos.d/wazuh.repo <<\EOF
    name=EL-$releasever - Wazuh

Elasticsearch installation

Choose one option according to the package manager used:

Yum:

Install Open Distro for Elasticsearch:

# yum install opendistroforelasticsearch

APT:

Install Elasticsearch OSS and Open Distro for Elasticsearch:

# apt install elasticsearch-oss opendistroforelasticsearch

ZYpp:

Install Open Distro for Elasticsearch:

# zypper install opendistroforelasticsearch

Elasticsearch configuration

Once Elasticsearch is installed, download the preconfigured configuration file:

# curl -so /etc/elasticsearch/elasticsearch.yml https://packages.wazuh.com/resources/4.1/open-distro/elasticsearch/7.x/elasticsearch.yml

This file sets the network.host variable so that Elasticsearch accepts communications directed to any of its IP addresses instead of binding to the IP of a specific network interface in the host. To avoid exposing Elasticsearch unnecessarily, access can be restricted to a specific network interface by specifying its IP address in this setting.
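One way to check this setting, as an added example that is not part of the Wazuh documentation: the script below reads network.host from a configuration file and, separately, flags wildcard listeners in the output of ss -H -ltn. The function names and the sample input are constructed for illustration, and network.host is assumed to hold a single value rather than a list.

```bash
#!/usr/bin/env bash
# Added example, not from the Wazuh documentation.

# Print the network.host value found in an elasticsearch.yml file.
# Assumption: the setting holds one scalar value, not a YAML list.
get_network_host() {
    sed -n 's/^[[:space:]]*network\.host:[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/" |
        tail -n 1
}

# Return 1 for a wildcard bind, 2 when the setting is absent, 0 otherwise.
check_network_host() {
    local value
    value=$(get_network_host "$1")
    case "$value" in
        "")                echo "network.host is not set"; return 2 ;;
        0.0.0.0|::|"[::]") echo "network.host=$value binds every interface"; return 1 ;;
        *)                 echo "network.host=$value"; return 0 ;;
    esac
}

# Read the output of "ss -H -ltn" on stdin and print the wildcard listeners
# on PORT. Returns 0 when at least one is found, 1 otherwise.
wildcard_listeners() {
    awk -v port="$1" '
        $4 ~ ("^(0\\.0\\.0\\.0|\\*|\\[::\\]):" port "$") { print $4; found = 1 }
        END { exit !found }'
}

# Demo on constructed input so the example runs offline.
demo() {
    local cfg
    cfg=$(mktemp)
    printf '%s\n' 'cluster.name: demo' 'network.host: "0.0.0.0"' > "$cfg"
    check_network_host "$cfg" || true
    printf '%s\n' 'LISTEN 0 128 127.0.0.1:9300 0.0.0.0:*' \
                  'LISTEN 0 128 *:9200 *:*' | wildcard_listeners 9200 || true
    rm -f "$cfg"
}
demo
```

On an installed node, the same functions can be run as check_network_host /etc/elasticsearch/elasticsearch.yml and ss -H -ltn | wildcard_listeners 9200.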

Elasticsearch roles and users

You need to add users and roles in order to use the Wazuh Kibana plugin properly.

# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml https://packages.wazuh.com/resources/4.1/open-distro/elasticsearch/roles/roles.yml
# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml https://packages.wazuh.com/resources/4.1/open-distro/elasticsearch/roles/roles_mapping.yml
# curl -so /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml https://packages.wazuh.com/resources/4.1/open-distro/elasticsearch/roles/internal_users.yml

Wazuh users added in Kibana by running the commands above:

wazuh_user is created for users who need read-only access to the Wazuh Kibana plugin.

wazuh_admin is recommended for users who need administrative privileges.

Wazuh additional roles added in Kibana to give the appropriate permissions to users:

The first role provides wazuh_user with permissions to read the Wazuh indices.

The second role allows wazuh_admin to perform reading, writing, management, and indexing tasks on the Wazuh indices.

These users and roles are designed to operate along with the Wazuh Kibana plugin, but they are protected and cannot be modified from the Kibana interface. To modify them or add new users or roles, the securityadmin script has to be run.

Certificates creation and deployment

  1. Remove the demo certificates:

    # rm /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/esnode.pem /etc/elasticsearch/kirk-key.pem /etc/elasticsearch/kirk.pem /etc/elasticsearch/root-ca.pem -f
  2. Generate and deploy the certificates:

    1. Download the wazuh-cert-tool.sh to create the certificates:

      # curl -so ~/wazuh-cert-tool.sh https://packages.wazuh.com/resources/4.1/open-distro/tools/certificate-utility/wazuh-cert-tool.sh
      # curl -so ~/instances.yml https://packages.wazuh.com/resources/4.1/open-distro/tools/certificate-utility/instances.yml
    2. Edit ~/instances.yml and replace the values <node-name> and node-IP with the corresponding names and IP addresses. Add as many nodes fields as needed:

      # Elasticsearch nodes
        - name: <node-name>
            - node-IP
      # Wazuh server nodes
        - name: <node-name>
            - node-IP
      # Kibana node
        - name: <node-name>
            - node-IP

      To learn more about how to create and configure the certificates, see the Certificates deployment section.

    3. Run the wazuh-cert-tool.sh to create the certificates:

      # bash ~/wazuh-cert-tool.sh
    4. Replace elasticsearch-node-name with your Elasticsearch node name, the same used in instances.yml to create the certificates, and move the certificates to their corresponding location:

      # node_name=elasticsearch-node-name
      # mkdir /etc/elasticsearch/certs/
      # mv ~/certs/$node_name* /etc/elasticsearch/certs/
      # mv ~/certs/admin* /etc/elasticsearch/certs/
      # cp ~/certs/root-ca* /etc/elasticsearch/certs/
      # mv /etc/elasticsearch/certs/$node_name.pem /etc/elasticsearch/certs/elasticsearch.pem
      # mv /etc/elasticsearch/certs/$node_name-key.pem /etc/elasticsearch/certs/elasticsearch-key.pem
    5. Compress all the necessary files to be sent to all the instances:

      # cd ~/certs/
      # tar -cvf certs.tar *
      # mv ~/certs/certs.tar ~/
    6. Copy certs.tar to all the servers of the distributed deployment. This can be done by using, for example, scp.

    7. If Kibana will be installed on this node, keep the certificates file. Otherwise, if the file is already copied to all the instances of the distributed deployment, remove it to increase security: rm -f certs.tar.

  3. Enable and start the Elasticsearch service. On systems that use systemd:

    # systemctl daemon-reload
    # systemctl enable elasticsearch
    # systemctl start elasticsearch

    On systems that use SysV init, choose one option according to the operating system used:

    1. RPM based operating system:

      # chkconfig --add elasticsearch
      # service elasticsearch start

    2. Debian based operating system:

      # update-rc.d elasticsearch defaults 95 10
      # service elasticsearch start

  4. Run the Elasticsearch securityadmin script to load the new certificates information and start the cluster. To run this command, the value <elasticsearch_IP> must be replaced by the Elasticsearch installation IP:

# export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem -h <elasticsearch_IP>
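The certificate layout created in step 2 can be audited once the files are in place. This added example is not part of the Wazuh documentation; its function names are hypothetical, it assumes openssl is installed and that private keys are named *-key.pem or *.key, and it reports keys accessible beyond their owner, certificates that do not validate against root-ca.pem, and certificate and key pairs that do not match.

```bash
#!/usr/bin/env bash
# Added example, not from the Wazuh documentation.

# Print private-key files under DIR that group or others can access.
# Assumption: key files are named *-key.pem or *.key.
loose_keys() {
    find "$1" -type f \( -name '*-key.pem' -o -name '*.key' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Succeed only if CERT validates against the CA certificate.
chains_to_ca() {        # usage: chains_to_ca CA CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if CERT and KEY carry the same public key.
cert_matches_key() {    # usage: cert_matches_key CERT KEY
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print one finding per line for the file names used in step 2; no output
# means the directory passed every check.
audit_es_certs() {
    local dir="$1" name
    loose_keys "$dir" | sed 's/^/LOOSE-PERMS /'
    for name in elasticsearch admin; do
        chains_to_ca "$dir/root-ca.pem" "$dir/$name.pem" ||
            echo "BAD-CHAIN $dir/$name.pem"
        cert_matches_key "$dir/$name.pem" "$dir/$name-key.pem" ||
            echo "KEY-MISMATCH $dir/$name.pem"
    done
}

# Audit the real directory when it exists (path taken from the steps above).
if [ -d /etc/elasticsearch/certs ]; then
    audit_es_certs /etc/elasticsearch/certs
fi
```

A LOOSE-PERMS finding is cleared by restricting the key file to the account that runs Elasticsearch, for example with chmod 400 after setting its owner.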

Run the following command to ensure that the installation is successful:

# curl -XGET https://localhost:9200 -u admin:admin -k

An example response should look as follows:

{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "tWYgqpgdRz6fGN8gH11flw",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "rpm",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}


The Open Distro for Elasticsearch performance analyzer plugin is installed by default and can have a negative impact on system resources. We recommend removing it with the following command: /usr/share/elasticsearch/bin/elasticsearch-plugin remove opendistro-performance-analyzer. Make sure to restart the Elasticsearch service afterward.


It is highly recommended to change the default passwords of the Elasticsearch users. To perform this action, see the Elasticsearch tuning section.

It is also recommended to customize the file /etc/elasticsearch/jvm.options in order to improve the performance of Elasticsearch. Learn more about this process in the user manual.

To uninstall Elasticsearch, see the Uninstalling section.

Next steps

You can now proceed with the Wazuh server installation. To do so, choose the cluster mode.