Monday, October 5, 2020

Security On The Cheap - Beginning Elastic Stack - Installing Elastic 7.9 on Ubuntu 20.04

In this post, we are installing Elastic Stack version 7.9 on Ubuntu 20.04. I would like to think this process should work for versions just prior to 7.9 and may also work for versions just after.

root@securitynik-monitoring:~# lsb_release --all
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:        20.04
Codename:       focal

First step, let's update the server, ensuring we have all the necessary updates.

root@securitynik-monitoring:~# apt-get update && apt-get upgrade -y

Now that the server is up-to-date, let's install Elasticsearch.

Import Elasticsearch PGP Key. This will be used throughout our install for the rest of the components.

root@securitynik-monitoring:~# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
OK

Now install the "apt-transport-https" package and save the repository definition.

root@securitynik-monitoring:~# apt-get install apt-transport-https
root@securitynik-monitoring:~# echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
deb https://artifacts.elastic.co/packages/7.x/apt stable main

With the dependencies installed, time to install Elasticsearch.

root@securitynik-monitoring:~# apt-get update && apt-get install elasticsearch
...
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 elasticsearch amd64 7.9.2 [317 MB]
Fetched 317 MB in 10s (32.3 MB/s)
Selecting previously unselected package elasticsearch.
(Reading database ... 87809 files and directories currently installed.)
Preparing to unpack .../elasticsearch_7.9.2_amd64.deb ...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Unpacking elasticsearch (7.9.2) ...
Setting up elasticsearch (7.9.2) ...
Created elasticsearch keystore in /etc/elasticsearch/elasticsearch.keystore
Processing triggers for systemd (245.4-4ubuntu3.2) ...

With Elasticsearch now installed, switch to the Elasticsearch configuration directory and modify the "elasticsearch.yml" file. My practice before modifying any configuration file is to make a copy of it.

root@securitynik-monitoring:/etc/elasticsearch# cd /etc/elasticsearch/
root@securitynik-monitoring:/etc/elasticsearch# cp elasticsearch.yml elasticsearch.yml.ORIGINAL

Here are the values I un-commented and modified to reflect my environment.

root@securitynik-monitoring:~# cat /etc/elasticsearch/elasticsearch.yml | grep --perl-regexp "cluster.name|node.name|network.host|http.port|discovery.seed_hosts|cluster.initial.master_nodes"
cluster.name: securitynik.local
node.name: elastic-10.0.0.1
network.host: 10.0.0.1
http.port: 9200
discovery.seed_hosts: ["10.0.0.1"]
cluster.initial_master_nodes: ["10.0.0.1"]

Enable and start the Elasticsearch service via "systemctl".

root@securitynik-monitoring:/etc/elasticsearch# systemctl enable --now elasticsearch.service
Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /lib/systemd/system/elasticsearch.service.

Verify that the service is running via "systemctl".

root@securitynik-monitoring:~# systemctl status elasticsearch.service
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2020-08-13 23:05:07 UTC; 4min 27s ago
       Docs: https://www.elastic.co
   Main PID: 18392 (java)
      Tasks: 44 (limit: 4563)
     Memory: 1.2G
     CGroup: /system.slice/elasticsearch.service
             ├─18392 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkad>
             └─18588 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Aug 13 23:04:12 securitynik-monitoring systemd[1]: Starting Elasticsearch...
Aug 13 23:05:07 securitynik-monitoring systemd[1]: Started Elasticsearch.

From above, we see the service is "active (running)". We can further confirm the service is available by using the "ss" or "netstat" command to look for the listening ports.

root@securitynik-monitoring:/etc/elasticsearch# ss --numeric --listen --process --tcp --udp
Netid State  Recv-Q  Send-Q          Local Address:Port   Peer Address:Port Process
...
tcp   LISTEN 0       4096     [::ffff:10.0.0.1]:9200              *:*     users:(("java",pid=18392,fd=267))
tcp   LISTEN 0       4096     [::ffff:10.0.0.1]:9300              *:*     users:(("java",pid=18392,fd=253))
...

So far everything suggests we have installed Elasticsearch successfully. Let's now confirm this by connecting to the Elasticsearch URL.

root@securitynik-monitoring:/etc/elasticsearch# curl --request GET --verbose "http://10.0.0.1:9200/?pretty" --header "User-Agent: www.securitynik.com"
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 10.0.0.1:9200...
* TCP_NODELAY set
* Connected to 10.0.0.1 (10.0.0.1) port 9200 (#0)
> GET /?pretty HTTP/1.1
> Host: 10.0.0.1:9200
> Accept: */*
> User-Agent: www.securitynik.com
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 529
<
{
  "name" : "elastic-10.0.0.1",
  "cluster_name" : "securitynik.local",
  "cluster_uuid" : "_na_",
  "version" : {
    "number" : "7.9.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "b5ca9c58fb664ca8bf9e4057fc229b3396bf3a89",
    "build_date" : "2020-07-21T16:40:44.668009Z",
    "build_snapshot" : false,
    "lucene_version" : "8.6.2",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host 10.0.0.1 left intact

Good stuff! All the tests suggest we have successfully installed Elasticsearch.
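To tie the three checks above together (the settings in elasticsearch.yml, the listening sockets and the HTTP response), here is an added example script that is not part of the original post. It verifies that every key this post sets is present, that network.host is a single address rather than a wildcard, that ports 9200 and 9300 are bound to that address only, and that the node answers with the expected cluster name. The sample settings, ss output and JSON response embedded in it are constructed copies of the output shown above so the script can run without a live node; the function names and the "live" mode are my own and not part of Elasticsearch.

```shell
#!/bin/sh
# Added example (not from the original post): post-install checks for the
# Elasticsearch settings edited in this post. The SAMPLE_* values below are
# constructed from the output shown in the post so the checks run offline;
# "sh check-elastic.sh live" runs them against the real host instead.

# Constructed sample of the uncommented lines in /etc/elasticsearch/elasticsearch.yml
SAMPLE_YML='cluster.name: securitynik.local
node.name: elastic-10.0.0.1
network.host: 10.0.0.1
http.port: 9200
discovery.seed_hosts: ["10.0.0.1"]
cluster.initial_master_nodes: ["10.0.0.1"]'

# Constructed sample of a weak configuration: wildcard bind, no http.port set
BAD_YML='cluster.name: securitynik.local
node.name: elastic-10.0.0.1
network.host: 0.0.0.0
discovery.seed_hosts: ["10.0.0.1"]
cluster.initial_master_nodes: ["10.0.0.1"]'

# Constructed sample of "ss --numeric --listen --process --tcp" output
SAMPLE_SS='tcp   LISTEN 0       4096     [::ffff:10.0.0.1]:9200              *:*     users:(("java",pid=18392,fd=267))
tcp   LISTEN 0       4096     [::ffff:10.0.0.1]:9300              *:*     users:(("java",pid=18392,fd=253))'

# Constructed sample where the REST port is bound on every interface
BAD_SS='tcp   LISTEN 0       4096     0.0.0.0:9200              0.0.0.0:*     users:(("java",pid=18392,fd=267))'

# Constructed, shortened copy of the JSON the node returned to curl above
SAMPLE_RESPONSE='{
  "name" : "elastic-10.0.0.1",
  "cluster_name" : "securitynik.local",
  "version" : { "number" : "7.9.2" },
  "tagline" : "You Know, for Search"
}'

# yml_get CONTENT KEY -> value of the first uncommented "KEY: value" line
yml_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# check_config CONTENT -> 0 when every key this post sets is present and
# network.host names one address instead of a wildcard
check_config() {
    for key in cluster.name node.name network.host http.port \
               discovery.seed_hosts cluster.initial_master_nodes; do
        [ -n "$(yml_get "$1" "$key")" ] || { echo "missing setting: $key"; return 1; }
    done
    host=$(yml_get "$1" network.host)
    case "$host" in
        0.0.0.0|'"0.0.0.0"'|::|'"::"'|_global_|'"_global_"')
            echo "network.host is a wildcard ($host); bind to a single address"; return 1 ;;
    esac
    return 0
}

# listening_on SS_OUTPUT HOST PORT -> 0 when a LISTEN socket is bound to HOST:PORT
# (ss shows an IPv4 bind on a dual-stack socket as [::ffff:HOST])
listening_on() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -E "^tcp[[:space:]]+LISTEN.*(\[::ffff:)?$esc\]?:$3[[:space:]]" >/dev/null
}

# wildcard_listener SS_OUTPUT PORT -> 0 when PORT is bound on all interfaces
wildcard_listener() {
    printf '%s\n' "$1" | grep -E "^tcp[[:space:]]+LISTEN.*[[:space:]](0\.0\.0\.0|\*|\[::\]):$2[[:space:]]" >/dev/null
}

# json_field CONTENT KEY -> string value of a top-level "KEY" : "value" pair
json_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# check_response CONTENT EXPECTED_CLUSTER -> 0 when the node reports that cluster name
check_response() {
    [ "$(json_field "$1" cluster_name)" = "$2" ]
}

# run_live -> the same checks against the real configuration, sockets and node
run_live() {
    yml=$(cat /etc/elasticsearch/elasticsearch.yml)
    check_config "$yml" || return 1
    host=$(yml_get "$yml" network.host)
    port=$(yml_get "$yml" http.port)
    sockets=$(ss --numeric --listen --process --tcp)
    listening_on "$sockets" "$host" "$port" || { echo "nothing listening on $host:$port"; return 1; }
    if wildcard_listener "$sockets" "$port"; then echo "port $port is bound on all interfaces"; return 1; fi
    resp=$(curl --silent "http://$host:$port/")
    check_response "$resp" "$(yml_get "$yml" cluster.name)" || { echo "unexpected cluster_name"; return 1; }
    echo "Elasticsearch $(json_field "$resp" name) checks passed"
}

if [ "${1:-}" = "live" ]; then run_live; fi
```

The wildcard check matters because an Elasticsearch 7.9 node installed this way has no authentication on port 9200 until the basic security from a later post in this series is applied, so the REST API should only ever listen on the address you chose. One caveat for anyone following these steps on a newer release: "apt-key add" is deprecated on Ubuntu 22.04 and later, where the key is saved to a keyring file and referenced from the repository line with "signed-by" instead.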

See you in the next post where we install and configure Kibana.

Posts in this series:

Security On The Cheap - Beginning Elastic Stack - Installing Elastic 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic Stack - Installing Kibana 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic Stack - Providing Basic Security to Elastic and Kibana 7.9 communication on Ubuntu 20.04
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Metricbeat - Elastic Stack 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Auditbeat - Elastic Stack 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Filebeat - Elastic Stack 7.9 on Ubuntu 20.04
Beginning Elastic - Installing, Configuring and Providing Basic Security to Packetbeat
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Winlogbeat


