2017-06-19 21:01:52 -04:00
|
|
|
|
[role="xpack"]
|
|
|
|
|
[[installing-xpack-es]]
|
2017-08-11 12:15:20 -04:00
|
|
|
|
== Installing X-Pack in Elasticsearch
|
|
|
|
|
++++
|
|
|
|
|
<titleabbrev>Installing {xpack}</titleabbrev>
|
|
|
|
|
++++
|
2017-06-19 21:01:52 -04:00
|
|
|
|
|
|
|
|
|
After you install {es}, you can optionally obtain and install {xpack}.
|
|
|
|
|
For more information about how to obtain {xpack},
|
|
|
|
|
see https://www.elastic.co/products/x-pack.
|
|
|
|
|
|
|
|
|
|
You must run the version of {xpack} that matches the version of {es} you are running.
|
|
|
|
|
|
|
|
|
|
IMPORTANT: If you are installing {xpack} for the first time on an existing
|
|
|
|
|
cluster, you must perform a full cluster restart. Installing {xpack} enables
|
|
|
|
|
security and security must be enabled on ALL nodes in a cluster for the cluster
|
|
|
|
|
to operate correctly. When upgrading you can usually perform
|
|
|
|
|
a {ref}/rolling-upgrades.html[rolling upgrade].
|
|
|
|
|
|
|
|
|
|
To install {xpack} in {es}:
|
|
|
|
|
|
2017-07-25 21:30:09 -04:00
|
|
|
|
. Optional: If you want to install {xpack} on a machine that doesn't have
|
|
|
|
|
internet access:
|
|
|
|
|
|
|
|
|
|
.. Manually download the {xpack} zip file:
|
|
|
|
|
https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-{version}.zip[
|
|
|
|
|
+https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-{version}.zip+]
|
|
|
|
|
(https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-{version}.zip.sha1[sha1])
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
NOTE: The plugins for {es}, {kib}, and Logstash are included in the same zip
|
|
|
|
|
file. If you have already downloaded this file to install {xpack} on one of
|
|
|
|
|
those other products, you can reuse the same file.
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
.. Transfer the zip file to a temporary directory on the offline machine. (Do
|
|
|
|
|
NOT put the file in the {es} plugins directory.)
|
|
|
|
|
|
|
|
|
|
. Run `bin/elasticsearch-plugin install` from `ES_HOME` on each node in your
|
|
|
|
|
cluster:
|
2017-06-19 21:01:52 -04:00
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
[source,shell]
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
bin/elasticsearch-plugin install x-pack
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
NOTE: If you are using a <<xpack-package-installation, DEB/RPM distribution>>
|
2017-07-25 21:30:09 -04:00
|
|
|
|
of {es}, run the installation with superuser permissions.
|
|
|
|
|
|
|
|
|
|
The plugin install scripts require direct internet access to download and
|
|
|
|
|
install {xpack}. If your server doesn’t have internet access, specify the
|
|
|
|
|
location of the {xpack} zip file that you downloaded to a temporary directory.
|
|
|
|
|
|
|
|
|
|
["source","sh",subs="attributes"]
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
bin/elasticsearch-plugin install file:///path/to/file/x-pack-{version}.zip
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
|
|
|
|
|
NOTE: You must specify an absolute path to the zip file after the `file://` protocol.
|
2017-06-19 21:01:52 -04:00
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
. Confirm that you want to grant {xpack} additional permissions.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
TIP: Specify the `--batch` option when running the install command to
|
|
|
|
|
automatically grant these permissions and bypass these install prompts.
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
+
|
|
|
|
|
.. {xpack} needs these permissions to set the threat context loader during
|
|
|
|
|
install so {watcher} can send email notifications.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
[source,shell]
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
|
|
|
|
@ WARNING: plugin requires additional permissions @
|
|
|
|
|
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
|
|
|
|
* java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
|
|
|
|
|
* java.lang.RuntimePermission getClassLoader
|
|
|
|
|
* java.lang.RuntimePermission setContextClassLoader
|
|
|
|
|
* java.lang.RuntimePermission setFactory
|
|
|
|
|
* java.security.SecurityPermission createPolicy.JavaPolicy
|
|
|
|
|
* java.security.SecurityPermission getPolicy
|
|
|
|
|
* java.security.SecurityPermission putProviderProperty.BC
|
|
|
|
|
* java.security.SecurityPermission setPolicy
|
|
|
|
|
* java.util.PropertyPermission * read,write
|
|
|
|
|
* java.util.PropertyPermission sun.nio.ch.bugLevel write
|
|
|
|
|
* javax.net.ssl.SSLPermission setHostnameVerifier
|
|
|
|
|
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
|
|
|
|
|
for descriptions of what these permissions allow and the associated risks.
|
|
|
|
|
|
|
|
|
|
Continue with installation? [y/N]y
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
--
|
|
|
|
|
.. {xpack} requires permissions to enable {es} to launch the {ml} analytical
|
|
|
|
|
engine. The native controller ensures that the launched process is a valid
|
|
|
|
|
{ml} component. Once launched, communications between the {ml} processes and
|
|
|
|
|
{es} are limited to the operating system user that {es} runs as.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
[source,shell]
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
|
|
|
|
@ WARNING: plugin forks a native controller @
|
|
|
|
|
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
|
|
|
|
This plugin launches a native controller that is not subject to
|
|
|
|
|
the Java security manager nor to system call filters.
|
|
|
|
|
|
|
|
|
|
Continue with installation? [y/N]y
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
--
|
|
|
|
|
|
2017-07-06 23:33:35 -04:00
|
|
|
|
. {xpack} will try to automatically create a number of indices within {es}.
|
|
|
|
|
By default, {es} is configured to allow automatic index creation, and no
|
|
|
|
|
additional steps are required. However, if you have disabled automatic index
|
|
|
|
|
creation in {es}, you must configure
|
2017-06-19 21:01:52 -04:00
|
|
|
|
{ref}/docs-index_.html#index-creation[`action.auto_create_index`] in
|
|
|
|
|
`elasticsearch.yml` to allow {xpack} to create the following indices:
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
[source,yaml]
|
|
|
|
|
-----------------------------------------------------------
|
2017-06-27 10:27:28 -04:00
|
|
|
|
action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*
|
2017-06-19 21:01:52 -04:00
|
|
|
|
-----------------------------------------------------------
|
|
|
|
|
--
|
2017-07-06 23:33:35 -04:00
|
|
|
|
+
|
|
|
|
|
[IMPORTANT]
|
|
|
|
|
=============================================================================
|
|
|
|
|
If you are using https://www.elastic.co/products/logstash[Logstash]
|
|
|
|
|
or https://www.elastic.co/products/beats[Beats] then you will most likely
|
|
|
|
|
require additional index names in your `action.auto_create_index` setting, and
|
|
|
|
|
the exact value will depend on your local configuration. If you are unsure of
|
|
|
|
|
the correct value for your environment, you may consider setting the value to
|
|
|
|
|
`*` which will allow automatic creation of all indices.
|
|
|
|
|
=============================================================================
|
2017-06-19 21:01:52 -04:00
|
|
|
|
|
2017-08-09 13:05:43 -04:00
|
|
|
|
. Change the passwords for the built-in users. For more information,
|
|
|
|
|
see {xpack-ref}/setting-up-authentication.html[Setting Up User Authentication].
|
|
|
|
|
.. If you have not already done so, bootstrap the password for the `elastic`
|
|
|
|
|
user by placing a password in the keystore of at least one node.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
[source,shell]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
bin/elasticsearch-keystore create
|
|
|
|
|
bin/elasticsearch-keystore add "bootstrap.password"
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
After you run the "add" command, you will be prompted to enter a password. This
|
|
|
|
|
bootstrap password is only intended to be a transient password that is used to
|
|
|
|
|
help you set all the built-in user passwords.
|
|
|
|
|
--
|
|
|
|
|
|
2017-08-10 15:37:14 -04:00
|
|
|
|
.. If you have more than one node or a single node that listens on an external
|
|
|
|
|
interface, you must configure SSL/TLS for inter-node communication. Single-node
|
|
|
|
|
instances that use a loopback interface do not have this requirement. For more
|
|
|
|
|
information, see
|
2017-08-09 13:07:43 -04:00
|
|
|
|
{xpack-ref}/encrypting-communications.html[Encrypting Communications].
|
2017-08-09 13:05:43 -04:00
|
|
|
|
... Generate node certificates. For example, you can use the `certgen` command
|
|
|
|
|
line tool to generate a certificate authority and signed certificates for your
|
|
|
|
|
nodes.
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
[source,shell]
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
bin/x-pack/certgen
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
This command generates a zip file with the CA certificate, private key, and
|
|
|
|
|
signed certificates and keys in the PEM format for each node that you specify.
|
|
|
|
|
If you want to use a commercial or organization-specific CA, you can use the
|
|
|
|
|
`-csr` parameter to generate certificate signing requests (CSR) for the nodes
|
|
|
|
|
in your cluster.
|
|
|
|
|
|
|
|
|
|
TIP: For easier setup, use the node name as the instance name when you run
|
|
|
|
|
this tool.
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
... Copy the certificate data into a directory within the {es} configuration
|
|
|
|
|
directory. For example,
|
|
|
|
|
`/home/es/config/certs`.
|
|
|
|
|
... Add the following information to the `elasticsearch.yml` on all nodes:
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
[source,yaml]
|
|
|
|
|
-----------------------------------------------------------
|
|
|
|
|
xpack.ssl.key: certs/${node.name}/${node.name}.key <1>
|
|
|
|
|
xpack.ssl.certificate: certs/${node.name}/${node.name}.crt <2>
|
|
|
|
|
xpack.ssl.certificate_authorities: certs/ca/ca.crt <3>
|
|
|
|
|
xpack.security.authc.token.enabled: false <4>
|
|
|
|
|
-----------------------------------------------------------
|
|
|
|
|
<1> If this path does not exist on every node or the file name does not match
|
|
|
|
|
the `node.name` configuration setting, you must specify the full path to the
|
|
|
|
|
node key file.
|
|
|
|
|
<2> Alternatively, specify the full path to the node certificate.
|
|
|
|
|
<3> Alternatively specify the full path to the CA certificate.
|
2017-08-10 15:37:14 -04:00
|
|
|
|
<4> Disables the built-in token service.
|
2017-08-09 13:05:43 -04:00
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
.. Start {es}.
|
2017-06-19 21:01:52 -04:00
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
[source,shell]
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
bin/elasticsearch
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
--
|
|
|
|
|
|
2017-08-09 13:05:43 -04:00
|
|
|
|
.. Set the passwords for all built-in users. You can update passwords from the
|
|
|
|
|
**Management > Users** UI in {kib}, use the `setup-passwords` tool, or use the
|
|
|
|
|
security user API. For example:
|
|
|
|
|
+
|
|
|
|
|
--
|
|
|
|
|
[source,shell]
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
bin/x-pack/setup-passwords interactive
|
|
|
|
|
--------------------------------------------------
|
|
|
|
|
If you prefer to have randomly generated passwords, specify `auto` instead of
|
|
|
|
|
`interactive`. If the node is not listening on "http://localhost:9200", use the
|
|
|
|
|
`-u` parameter to specify the appropriate URL.
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
. {kibana-ref}/installing-xpack-kb.html[Install {xpack} on {kib}].
|
|
|
|
|
|
|
|
|
|
. {logstash-ref}/installing-xpack-log.html[Install {xpack} on Logstash].
|
|
|
|
|
|
2017-06-19 21:01:52 -04:00
|
|
|
|
|
|
|
|
|
[float]
|
|
|
|
|
[[xpack-package-installation]]
|
|
|
|
|
=== Installing {xpack} on a DEB/RPM Package Installation
|
|
|
|
|
|
|
|
|
|
If you use the DEB/RPM packages to install {es}, by default {es} is installed
|
|
|
|
|
in `/usr/share/elasticsearch` and the configuration files are stored
|
|
|
|
|
in `/etc/elasticsearch`. (For the complete list of default paths, see
|
|
|
|
|
{ref}/deb.html#deb-layout[Debian Directory Layout] and
|
|
|
|
|
{ref}/rpm.html#rpm-layout[RPM Directory Layout] in the {es} Reference.)
|
|
|
|
|
|
|
|
|
|
To install {xpack} on a DEB/RPM package installation, you need to run
|
|
|
|
|
`bin/plugin install` from the `/usr/share/elasticsearch` directory with superuser
|
|
|
|
|
permissions:
|
|
|
|
|
|
|
|
|
|
[source,shell]
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
cd /usr/share/elasticsearch
|
|
|
|
|
sudo bin/elasticsearch-plugin install x-pack
|
|
|
|
|
----------------------------------------------------------
|
|
|
|
|
|
2017-08-14 17:19:39 -04:00
|
|
|
|
NOTE: If the configuration files are not in `/etc/elasticsearch` you need to
|
|
|
|
|
specify the location of the configuration files by setting the environment
|
|
|
|
|
variable `ES_PATH_CONF` via `ES_PATH_CONF=<path>`.
|