In a previous post, we installed Elastic 7.1x. In this post, we are installing the new shiny toy from Elastic, Elastic 8.1.
First up, install the Elastic public signing key.
securitynik@securitynik:~$ wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
Install the apt-transport-https package.
securitynik@securitynik:~$ sudo apt-get install apt-transport-https
...
Preparing to unpack .../apt-transport-https_2.0.6_all.deb ...
Unpacking apt-transport-https (2.0.6) ...
Setting up apt-transport-https (2.0.6) ...
Save the Elastic repo information.
securitynik@securitynik:~$ echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main
Install Elasticsearch 8.1.
securitynik@securitynik:~$ sudo apt-get update && sudo apt-get install elasticsearch
------------
The following NEW packages will be installed:
  elasticsearch
...
Preparing to unpack .../elasticsearch_8.1.1_amd64.deb ...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Unpacking elasticsearch (8.1.1) ...
Setting up elasticsearch (8.1.1) ...
--------------------------- Security autoconfiguration information ------------------------------

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : Laqr4gkhwa-Do=Ctia15

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.

-------------------------------------------------------------------------------------------------
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
-----------
Make configuration changes to customize this deployment for our environment. First, make a backup copy of the configuration file.
securitynik@securitynik:~$ sudo cp /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.ORIGINAL
Here are the changes to my elasticsearch.yml.
securitynik@securitynik:~$ sudo grep --invert-match "^#" /etc/elasticsearch/elasticsearch.yml
cluster.name: n3-elastic
node.name: securitynik.n3.local
node.attr.rack: ServerCloset
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: securitynik.local
http.port: 9200
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["securitynik"]
http.host: [_local_, _site_]
Adjust the Java Virtual Machine (JVM) heap size by first creating a file. The minimum and maximum heap are set to the same value here; Elastic's guidance is to keep the heap at or below half of the machine's RAM so the operating system has memory left for the filesystem cache.
securitynik@securitynik:~$ sudo cat /etc/elasticsearch/jvm.options.d/jvm.options
-Xms16g
-Xmx16g
Add the new host information to my hosts file, just in case DNS is not working.
securitynik@securitynik:~$ sudo bash -c "echo 10.0.0.4 peeping-tom peeping-tom.n3.local >> /etc/hosts"
securitynik@securitynik:~$ grep peeping-tom /etc/hosts
127.0.1.1 securitynik
10.0.0.4 securitynik securitynik.local
Make a copy of the CA and HTTP certs to /etc/ssl/certs, so that they are in a location easily readable by the rest of the applications.
securitynik@securitynik:~$ sudo cp /etc/elasticsearch/certs/http_ca.crt /etc/ssl/certs -v
Reload the systemd daemon, then enable, start and verify the Elasticsearch service.
securitynik@securitynik:~$ sudo /bin/systemctl enable elasticsearch.service
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /lib/systemd/system/elasticsearch.service.
securitynik@securitynik:~$ sudo systemctl start elasticsearch.service
securitynik@securitynik:~$ systemctl status elasticsearch.service
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-03-30 19:53:03 EDT; 18s ago
       Docs: https://www.elastic.co
   Main PID: 76746 (java)
      Tasks: 80 (limit: 38298)
     Memory: 16.9G
     CGroup: /system.slice/elasticsearch.service
             ├─76746 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cac>
             └─77051 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Mar 30 19:52:47 securitynik systemd[1]: Starting Elasticsearch...
Mar 30 19:53:03 securitynik systemd[1]: Started Elasticsearch.
Confirm that the Elasticsearch ports are listening for incoming connections.
securitynik@securitynik:~$ sudo ss --numeric --listening --tcp --processes | grep --perl-regexp "9300|9200"
LISTEN 0 4096 [::ffff:10.0.0.4]:9200 *:* users:(("java",pid=76746,fd=386))
LISTEN 0 4096 [::ffff:127.0.0.1]:9200 *:* users:(("java",pid=76746,fd=385))
LISTEN 0 4096 [::1]:9200 [::]:* users:(("java",pid=76746,fd=384))
LISTEN 0 4096 [::ffff:10.0.0.4]:9300 *:* users:(("java",pid=76746,fd=382))
Connect to the Elasticsearch service over HTTPS, validating the server certificate against the generated CA.
securitynik@securitynik:~$ sudo curl https://10.0.0.4:9200 --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic
Enter host password for user 'elastic':
{
  "name" : "securitynik.n3.local",
  "cluster_name" : "n3-elastic",
  "cluster_uuid" : "KDh-JRfXQtuXjXo2hniQjg",
  "version" : {
    "number" : "8.1.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "d0925dd6f22e07b935750420a3155db6e5c58381",
    "build_date" : "2022-03-17T22:01:32.658689558Z",
    "build_snapshot" : false,
    "lucene_version" : "9.0.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
Good stuff! We have validated Elasticsearch is working as expected.
Installing Kibana
Considering all the heavy lifting was done above, it is time to install Kibana.
securitynik@securitynik:~$ sudo apt-get update && sudo apt-get install kibana
...
Preparing to unpack .../kibana_8.1.1_amd64.deb ...
Unpacking kibana (8.1.1) ...
Setting up kibana (8.1.1) ...
Creating kibana group... OK
Creating kibana user... OK
Created Kibana keystore in /etc/kibana/kibana.keystore
Make a copy of the Kibana configuration file.
securitynik@securitynik:~$ sudo cp /etc/kibana/kibana.yml /etc/kibana.yml.ORIGINAL
Generate an enrollment token for Kibana.
securitynik@securitynik:~$ sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana
eyM4XXIiOiI4LjEuMSIsImFkciI6WyIxOTIuMTY4LjAuNDo5MjAwIl0sImZnciI6ImUyMjRhMTkyMzkwMzE1MzM2MjM5MjFmMDMyYjZhOTVlMDcwZDY3Mzk2NGE0M2ZmOWQ5OWU5OTc3ZmI4NTI2YmYiLCJrZXkiOiI0c25pM1g4QmtmdzFwTU9VUDEyqapaOTg9DTJtSFNtLTFMSjVzX3g0ckZ3In0=
Generate encryption keys for saved objects, reports, dashboards, etc.
securitynik@securitynik:~$ sudo /usr/share/kibana/bin/kibana-encryption-keys generate
## Kibana Encryption Key Generation Utility

The 'generate' command guides you through the process of setting encryption keys for:

xpack.encryptedSavedObjects.encryptionKey
    Used to encrypt stored objects such as dashboards and visualizations
    https://www.elastic.co/guide/en/kibana/current/xpack-security-secure-saved-objects.html#xpack-security-secure-saved-objects

xpack.reporting.encryptionKey
    Used to encrypt saved reports
    https://www.elastic.co/guide/en/kibana/current/reporting-settings-kb.html#general-reporting-settings

xpack.security.encryptionKey
    Used to encrypt session information
    https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html#security-session-and-cookie-settings

Already defined settings are ignored and can be regenerated using the --force flag.  Check the documentation links for instructions on how to rotate encryption keys.
Definitions should be set in the kibana.yml used configure Kibana.

Settings:
xpack.encryptedSavedObjects.encryptionKey: f4667a5634faf22053dbd40d91afa8b5
xpack.reporting.encryptionKey: f03f17de223aced044cd3afb42de3137
xpack.security.encryptionKey: f17be84bbaa17dc9cb8a06cb95e0d5be
Add the last three lines from above to the kibana.yml file, then enable and start the Kibana service.
securitynik@securitynik:~$ sudo /bin/systemctl daemon-reload
securitynik@securitynik:~$ sudo /bin/systemctl enable kibana.service
securitynik@securitynik:~$ sudo systemctl start kibana.service
-------------
securitynik@securitynik:~$ sudo systemctl status kibana.service
● kibana.service - Kibana
     Loaded: loaded (/lib/systemd/system/kibana.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-03-30 22:56:14 EDT; 8s ago
       Docs: https://www.elastic.co
   Main PID: 102001 (node)
      Tasks: 11 (limit: 38298)
     Memory: 231.7M
     CGroup: /system.slice/kibana.service
             └─102001 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist

Mar 30 22:56:14 securitynik systemd[1]: Started Kibana.
Mar 30 22:56:21 securitynik kibana[102001]: [2022-03-30T22:56:21.275-04:00][INFO ][plugins-service] Plugin "metricsEntities" is disabled.
Mar 30 22:56:21 securitynik kibana[102001]: [2022-03-30T22:56:21.345-04:00][INFO ][http.server.Preboot] http server running at http://192>
Mar 30 22:56:21 securitynik kibana[102001]: [2022-03-30T22:56:21.372-04:00][INFO ][plugins-system.preboot] Setting up [1] plugins: [inter>
Mar 30 22:56:21 securitynik kibana[102001]: [2022-03-30T22:56:21.374-04:00][INFO ][preboot] "interactiveSetup" plugin is holding setup: V>
Mar 30 22:56:21 securitynik kibana[102001]: [2022-03-30T22:56:21.399-04:00][INFO ][root] Holding setup until preboot stage is completed.
Mar 30 22:56:21 securitynik kibana[102001]: i Kibana has not been configured.
Mar 30 22:56:21 securitynik kibana[102001]: Go to http://10.0.0.4:5601/?code=452840 to get started.
Open the URL shown above in a browser and paste in the Kibana enrollment token created earlier.
Once the token is added, we should see the following.
With the above completed successfully, it is time to log in to the UI using the initially created elastic user.
After all the changes, here is what my kibana.yml looks like.
securitynik@securitynik:~$ sudo grep --perl-regexp --invert-match "^#" /etc/kibana/kibana.yml
server.host: "10.0.0.4"
server.publicBaseUrl: "http://10.0.0.4:5601"
server.name: "kibana.n3.local"
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid
xpack.encryptedSavedObjects.encryptionKey: d2667a5634faf33053dbd40d91afa8c9
xpack.reporting.encryptionKey: f03f17de223aced044cd3afb42de4398
xpack.security.encryptionKey: f17be84bbaa17dc9cb8a06cb95e0f437
elasticsearch.hosts: ['https://10.0.0.4:9200']
elasticsearch.serviceAccountToken: BBEAAWVsYXN0aWMva2liYW5hL3Vucm9sbC1wcm9jZXNzLM2va2VuLTE2NDg2OTU1ODcwMDg6OVlHSWhfaFlRQXVzMFhVcWZqSTdNZw
elasticsearch.ssl.certificateAuthorities: [/var/lib/kibana/ca_1648695587748.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://10.0.0.4:9200'], ca_trusted_fingerprint: e224a19239031533623921f032b6a06e070d673964a43ff9d99e9977fb8526bd}]
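The enrollment token generated earlier and the ca_trusted_fingerprint that ends up in kibana.yml both carry the SHA-256 fingerprint of the Elasticsearch HTTP CA, which is what lets Kibana trust the cluster without a separate certificate hand-off. The script below is an added example written for this post; it is not part of the original article or of Elastic's own tooling. It decodes a token, checks that the fingerprint it carries matches the http_ca.crt on disk, and confirms that kibana.yml pins the same CA and advertises an https public URL. Assumptions: the token body is base64-encoded JSON with the keys "ver", "adr", "fgr" and "key", and "fgr" is the hex SHA-256 of the DER-encoded CA certificate. Every certificate, token and YAML value in the script is a constructed sample, not the values from the post.

```python
# Added example (not from the original post, not Elastic's tooling). Decodes a Kibana
# enrollment token and verifies its CA fingerprint against a CA PEM and a kibana.yml.
# All sample certificate/token/YAML values below are CONSTRUCTED, not real.
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

REQUIRED_KEYS = ("ver", "adr", "fgr", "key")  # documented enrollment-token fields (assumption)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    body, inside = [], False
    for line in pem.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
        elif line == "-----END CERTIFICATE-----":
            break
        elif inside and line:
            body.append(line)
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(body))


def ca_fingerprint(pem: str) -> str:
    """Hex SHA-256 of the DER certificate, the form Elastic uses for CA fingerprints."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def decode_enrollment_token(token: str) -> dict:
    """Decode the base64 JSON body of an enrollment token and validate its shape."""
    token = token.strip()
    data = json.loads(base64.b64decode(token + "=" * (-len(token) % 4)))
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError(f"token is missing fields: {missing}")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", data["fgr"]):
        raise ValueError("fgr is not a hex SHA-256 fingerprint")
    return data


def is_well_formed_token(token: str) -> bool:
    """Boolean wrapper: False for truncated, non-base64 or field-less tokens."""
    try:
        decode_enrollment_token(token)
        return True
    except ValueError:  # covers JSONDecodeError and binascii.Error too
        return False


def token_matches_ca(token: str, ca_pem: str) -> bool:
    """True when the token's fgr equals the fingerprint of the CA on disk."""
    expected = ca_fingerprint(ca_pem)
    actual = decode_enrollment_token(token)["fgr"].lower()
    return hmac.compare_digest(expected, actual)


def kibana_trusted_fingerprint(kibana_yml: str) -> Optional[str]:
    """Pull ca_trusted_fingerprint out of kibana.yml text (None if not pinned)."""
    m = re.search(r"ca_trusted_fingerprint:\s*([0-9a-fA-F]{64})", kibana_yml)
    return m.group(1).lower() if m else None


def kibana_public_url_is_https(kibana_yml: str) -> bool:
    """Flag a plain-http server.publicBaseUrl: the login form would travel in clear."""
    m = re.search(r"server\.publicBaseUrl:\s*[\"']?(\w+)://", kibana_yml)
    return bool(m) and m.group(1).lower() == "https"


# ---- constructed sample data: not a real certificate, token or API key ----
_SAMPLE_DER = b"constructed stand-in for DER certificate bytes " * 3
_OTHER_DER = _SAMPLE_DER[:-1] + b"X"  # one byte differs -> different CA


def _as_pem(der: bytes) -> str:
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


SAMPLE_CA_PEM = _as_pem(_SAMPLE_DER)
OTHER_CA_PEM = _as_pem(_OTHER_DER)


def make_sample_token(ca_pem: str, address: str = "10.0.0.4:9200") -> str:
    """Build a token in the assumed layout for a given CA, with a placeholder key."""
    body = {"ver": "8.1.1", "adr": [address], "fgr": ca_fingerprint(ca_pem),
            "key": "PLACEHOLDER-not-a-real-api-key"}
    return base64.b64encode(json.dumps(body).encode()).decode()


SAMPLE_TOKEN = make_sample_token(SAMPLE_CA_PEM)
TRUNCATED_TOKEN = base64.b64encode(b'{"ver": "8.1.1"}').decode()
SAMPLE_KIBANA_YML = (
    'server.publicBaseUrl: "http://10.0.0.4:5601"\n'
    "elasticsearch.hosts: ['https://10.0.0.4:9200']\n"
    "xpack.fleet.outputs: [{id: fleet-default-output, type: elasticsearch, "
    f"hosts: ['https://10.0.0.4:9200'], ca_trusted_fingerprint: {ca_fingerprint(SAMPLE_CA_PEM)}}}]\n"
)

if __name__ == "__main__":
    info = decode_enrollment_token(SAMPLE_TOKEN)
    print("token version:", info["ver"], "addresses:", info["adr"])
    print("token matches CA on disk:", token_matches_ca(SAMPLE_TOKEN, SAMPLE_CA_PEM))
    print("kibana.yml pins the same CA:",
          kibana_trusted_fingerprint(SAMPLE_KIBANA_YML) == ca_fingerprint(SAMPLE_CA_PEM))
    print("Kibana public URL is https:", kibana_public_url_is_https(SAMPLE_KIBANA_YML))
```

To run it against a real deployment, read /etc/elasticsearch/certs/http_ca.crt (or the copy placed under /etc/ssl/certs) into `ca_pem`, pass the token text to `token_matches_ca`, and feed the output of the grep above to `kibana_trusted_fingerprint`. A mismatch means the token was minted by a different cluster or the CA was regenerated since the token was created. The last check reflects the kibana.yml shown above, where server.publicBaseUrl is plain http while Elasticsearch itself only speaks TLS; putting TLS on Kibana's own listener (or in front of it) closes that gap.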