Elasticsearch Installation (Windows)

This section presents the steps to set up a simple single-node Elasticsearch cluster, which includes an instance of Kibana.

If you are setting up a production environment, then you will want to set up a multi-node Elasticsearch cluster. More information on this can be found on the Elasticsearch website.

Prerequisites

  • Download the correct version of Elasticsearch and Kibana for the version of Aiimi Insight Engine that you are deploying. This will be in the release notes for your distribution.

  • Obtain your XPack Elasticsearch licence (or you can enable the trial).

  • Download NSSM to run Kibana as a service.

Install Services

  • Open an administrator command prompt or PowerShell window and navigate to the bin folder within the Elasticsearch directory. Run the command: .\elasticsearch-service.bat install

  • Then, to install Kibana, run nssm install (or .\nssm.exe install) from the NSSM directory (note that the Kibana zip file contains very long folder names, so store it at as short a file path as possible before extracting)

    • Set the Path field to the kibana.bat file and add a Service Name and Display Name (Details tab)

    • Add a dependency to Elasticsearch using the service name "elasticsearch-service-x64" (dependencies tab)

    • Note: if you want to run Kibana without installing it as a service, open a command prompt, navigate to the \bin folder where you have placed Kibana and run .\kibana.bat serve. This will surface any issues that are less obvious if you go straight for the service install (Ctrl + C to close it down once tested)

Setting up HTTPS for Elasticsearch

Note before starting: after the first step, Elasticsearch/Kibana won't be usable until this section is completed.

Most of this follows the Elastic documentation for setting up TLS on a cluster.

  • In a web browser navigate to localhost:5601, open the Management tab on the left and then Elastic License Management (this may be under Stack Management)

    • Add the license.json file downloaded at the start to enable XPack

    • Note: this will cause Kibana to throw an access error; this is normal. If it doesn't, check that Elasticsearch hasn't previously been installed (look in 'Programs and Features') and remove it if it's present

  • In an admin command prompt, navigate to the bin folder in the Elasticsearch directory and run .\elasticsearch-setup-passwords.bat interactive (note that you may get the error "It doesn't look like the X-Pack security feature is enabled on this Elasticsearch node." at this stage; if so, open the elasticsearch.yml file and add the line xpack.security.enabled: true)

    • This will ask you to set several passwords; for a local install just set them all to 'changeme'

  • In the same location run .\elasticsearch-certutil ca

    • When prompted for an output file, press Enter to keep the default; when prompted for a password (on a local install) use 'changeme'

    • This will generate a file called 'elastic-stack-ca.p12' in the elastic directory

  • Then run .\elasticsearch-certutil cert --ca [FullFilePathTo]elastic-stack-ca.p12

    • Enter 'changeme' for the CA password and then repeat the steps as above

    • This will generate a file called 'elastic-certificates.p12' in the Elasticsearch directory (this is the file name the config lines below refer to)

  • Move both of these generated files to a new folder in 'elasticsearch/config/' called 'certs'

  • NOTE: Elastic and Kibana config file additions must match exactly what’s given below, including spaces.

  • With this completed, in Windows Explorer navigate to '[elasticsearch directory]/config', open the 'elasticsearch.yml' file in Notepad++ and add these lines at the bottom:

    • xpack.security.enabled: true

    • xpack.security.transport.ssl.enabled: true

    • xpack.security.transport.ssl.verification_mode: certificate

    • xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12

    • xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

  • With these added, add the certificate passwords to the keystore and truststore by running the following commands in the command prompt from the 'elasticsearch/bin' folder, entering the certificate password when prompted

    • .\elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

    • .\elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

  • Go back to the 'elasticsearch.yml' file and add the following to enable HTTPS communication with Elasticsearch

    • xpack.security.http.ssl.enabled: true

    • xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12

    • xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12

  • Then add the certificate passwords to the keystore and truststore again

    • .\elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

    • .\elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

  • Lastly, open the 'kibana.yml' file in the kibana/config directory in Notepad++ and uncomment the following options, changing the values to the following (or whatever the Kibana username/password was set to):

    • elasticsearch.username: "elastic"

    • elasticsearch.password: "changeme"

    • elasticsearch.ssl.verificationMode: none

  • And add these lines to the end:

    • server.host: "0.0.0.0"

    • elasticsearch.url: https://localhost:9200

  • Restart the Elasticsearch and Kibana services and navigate to http://localhost:5601/login?next=%2Fapp%2Fdev_tools#/console, logging in as 'elastic:changeme' to verify that everything is working correctly

  • Configure the AV scanner to exclude the Elastic data folders
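Because the config additions above must match exactly, the following script (an added example, not part of the Elastic or Aiimi Insight Engine documentation) reads elasticsearch.yml and kibana.yml as flat key: value files and reports any guide setting that is missing or different. It also flags the local-install shortcuts the guide uses (elasticsearch.ssl.verificationMode: none and the 'changeme' password) so they can be revisited before the node is exposed; the sample kibana.yml text is constructed for the demonstration.

```python
import re
# Settings the guide says must appear exactly in elasticsearch.yml
REQUIRED_ES = {
    "xpack.security.enabled": "true",
    "xpack.security.transport.ssl.enabled": "true",
    "xpack.security.transport.ssl.verification_mode": "certificate",
    "xpack.security.transport.ssl.keystore.path": "certs/elastic-certificates.p12",
    "xpack.security.transport.ssl.truststore.path": "certs/elastic-certificates.p12",
    "xpack.security.http.ssl.enabled": "true",
    "xpack.security.http.ssl.keystore.path": "certs/elastic-certificates.p12",
    "xpack.security.http.ssl.truststore.path": "certs/elastic-certificates.p12",
}
# Keys the guide uncomments or adds in kibana.yml
REQUIRED_KIBANA = ("elasticsearch.username", "elasticsearch.password",
                   "elasticsearch.ssl.verificationMode", "server.host", "elasticsearch.url")
_LINE = re.compile(r"^([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")

def parse_flat_yaml(text):
    # Comment lines are skipped, so a key left commented out ('#elasticsearch.username: ...') counts as NOT set
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINE.match(line) if line and not line.startswith("#") else None
        if m:
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings

def check_elasticsearch(text):
    """Return {key: value_found} for every guide setting that is missing or different (empty = OK)."""
    found = parse_flat_yaml(text)
    return {k: found.get(k) for k, v in REQUIRED_ES.items() if found.get(k) != v}

def check_kibana(text):
    """Return (missing_keys, warnings): missing keys break the login step, warnings are local-install shortcuts."""
    found = parse_flat_yaml(text)
    missing = [k for k in REQUIRED_KIBANA if k not in found]
    warnings = []
    if found.get("elasticsearch.ssl.verificationMode") == "none":
        warnings.append("Kibana does not verify the Elasticsearch certificate")
    if found.get("elasticsearch.password") == "changeme":
        warnings.append("elastic password is still the placeholder 'changeme'")
    return missing, warnings

# Constructed sample kibana.yml: username still commented out, shortcuts as in the guide
SAMPLE_KIBANA = """#elasticsearch.username: "elastic"
elasticsearch.password: "changeme"
elasticsearch.ssl.verificationMode: none
server.host: "0.0.0.0"
elasticsearch.url: https://localhost:9200
"""
```

Run it against the real files with check_elasticsearch(open(path).read()) before restarting the services; an empty result from check_elasticsearch and an empty missing list from check_kibana means the files match the guide.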