# Elasticsearch Installation

## Contents

* Download Elasticsearch public GPG key and sources list
* Installing Elasticsearch
* Directory layout
* Setting up initial configuration
* Starting Elasticsearch
* Setting security features
* Checking status using the REST API

### Import Elasticsearch public GPG key into APT

In [1]:
%%bash
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -


OK

#### Validate previous step

##### Validate that the gpg key has been added to your key ring with the following command:

~~~~~
sudo apt-key list
~~~~~

### Add Elastic source List
##### Now, we will add the Elastic source list to our system's sources.list.d directory. When updating the package index, APT looks in this directory for additional sources.

In [2]:
%%bash
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

deb https://artifacts.elastic.co/packages/7.x/apt stable main


#### Validate previous step

##### We now need to confirm that we have successfully added the new source list to sources.list.d:

~~~~~
sudo ls /etc/apt/sources.list.d

sudo cat /etc/apt/sources.list.d/elastic-7.x.list 
~~~~~

### Update your system and install elasticsearch

In [3]:
%%bash
sudo apt update

Get:1 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Hit:2 http://zone-r2.clouds.archive.ubuntu.com/ubuntu bionic InRelease
Get:3 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [574 kB]
Get:4 http://zone-r2.clouds.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:5 http://zone-r2.clouds.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Get:6 http://security.ubuntu.com/ubuntu bionic-security/universe Translation-en [187 kB]
Get:7 http://zone-r2.clouds.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [694 kB]
Get:8 http://zone-r2.clouds.archive.ubuntu.com/ubuntu bionic-updates/main Translation-en [254 kB]
Get:9 http://zone-r2.clouds.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [977 kB]
Get:10 https://artifacts.elastic.co/packages/7.x/apt stable InRelease [5620 B]
Get:11 http://zone-r2.clouds.archive.ubuntu.com/ubuntu bionic-updates/universe Translation-en [296 kB]
Get:12 http://z

In [4]:
%%bash
sudo apt install -y elasticsearch

Reading package lists...
Building dependency tree...
Reading state information...
The following package was automatically installed and is no longer required:
  grub-pc-bin
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
  elasticsearch
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 337 MB of archives.
After this operation, 536 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 elasticsearch amd64 7.2.0 [337 MB]
Fetched 337 MB in 48s (7003 kB/s)
Selecting previously unselected package elasticsearch.
(Reading database ... 97247 files and directories currently installed.)
Preparing to unpack .../elasticsearch_7.2.0_amd64.deb ...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Unpacking elasticsearch (7.2.0) ...
Processing triggers for ureadahead (0.100.0-21) ...
Setting up elasticsearch (7.2.0) ...
Created elasticsearch keystore in /etc/elast

dpkg-preconfigure: unable to re-open stdin: No such file or directory


#### Reload the systemctl daemon
##### After installing each application, it is necessary to reload systemd's daemon using the command below:

~~~~
sudo systemctl daemon-reload
~~~~

### Directory Layout

| Type | Description | Location |
|------|-------------|----------|
| home |  Home of Elasticsearch installation | /usr/share/elasticsearch/ |
| bin  | Binary scripts | /usr/share/elasticsearch/bin |
| conf | Configuration files | /etc/elasticsearch |
| conf | Environment variables (such as heap size) and file descriptors | /etc/default/elasticsearch |
| data | Data files of each index/shard allocated on the node | /var/lib/elasticsearch |
| logs | Log files | /var/log/elasticsearch |
| plugins | Location of plugin files. Each plugin is contained in its own subdirectory | /usr/share/elasticsearch/plugins |

##### You can check the contents of these directories using:

~~~~~
sudo ls /PATH/TO/DIRECTORY
~~~~~


### Edit elasticsearch configuration

##### Now that we have installed Elasticsearch, we will edit its main configuration file, "elasticsearch.yml". The file is in YAML format, so indentation and spacing matter. We will use nano to edit it:

~~~~~
sudo nano /etc/elasticsearch/elasticsearch.yml
~~~~~

##### Once you open this file, let us take a look at some of the default configuration and change it to our needs.

##### Let us start by editing the binding address in the network settings. We will uncomment and change "network.host"

##### From:

~~~~~
#network.host: 192.168.0.1
~~~~~

##### To:

~~~~~
network.host: localhost
~~~~~

##### We can also observe that Elasticsearch's REST API listens on port 9200. Any user who can send a REST call to this port can obtain information from our Elasticsearch cluster (in our case a single node). Because of this, it is better to restrict external traffic to this port using a firewall.

##### We can check which IP address localhost maps to by looking at our system's hosts file:

~~~~~
sudo cat /etc/hosts
~~~~~

### Start Elasticsearch

##### Now that we have edited our configuration file, we can proceed to start Elasticsearch:

In [5]:
%%bash
sudo systemctl start elasticsearch

### Enabling Elasticsearch service

##### Next, let us enable Elasticsearch so that it starts every time the system boots. The boot configuration file that sets what Elasticsearch requires before launching, its home directory, its configuration directory, and the user under which the process is launched is the file below. It is a unit file generated for Elasticsearch in systemd which controls the boot pro

~~~~~
sudo cat /etc/systemd/system/multi-user.target.wants/elasticsearch.service
~~~~~

### Communicating with Elasticsearch

##### At this point we can communicate with Elasticsearch through the REST API. For example, we can verify that it is running by typing the following command:

~~~~~
curl -X GET localhost:9200
~~~~~


In [6]:
%%bash
sudo systemctl enable elasticsearch

Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /usr/lib/systemd/system/elasticsearch.service.


### Enable Elasticsearch Security Features

##### As we could observe, we can easily send requests to Elasticsearch on port 9200 using the REST API. This is possible from anywhere in the world if the system is not secured properly. By default, Elasticsearch basic and trial licenses have the security features disabled.

##### First of all, we will add the following lines to the elasticsearch configuration file to enable the security features:

In [7]:
%%bash

# Alternative: insert the lines at a fixed position (GNU sed "Ni text" inserts before line N)
#sudo sed -i "88i# --- Security Features ---" /etc/elasticsearch/elasticsearch.yml
#sudo sed -i "89ixpack.security.enabled: true" /etc/elasticsearch/elasticsearch.yml

echo "#" | sudo tee --append /etc/elasticsearch/elasticsearch.yml
echo "# --- Security Features ---" | sudo tee --append /etc/elasticsearch/elasticsearch.yml
echo "xpack.security.enabled: true" | sudo tee --append /etc/elasticsearch/elasticsearch.yml

#
# --- Security Features ---
xpack.security.enabled: true


##### In addition, we want to enable single-node discovery, as we are deploying Elasticsearch on a single node. In multi-node clusters, we must enable the security features on every single node, and it is recommended to configure TLS for inter-node communication to prevent unknown nodes from being added to your cluster.

In [8]:
%%bash
sudo sed -i "68idiscovery.type: single-node" /etc/elasticsearch/elasticsearch.yml
sudo sed -i "69i#" /etc/elasticsearch/elasticsearch.yml
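As an added example that is not part of the original notebook, the following POSIX shell script audits an elasticsearch.yml for the three settings changed above (network.host, xpack.security.enabled and discovery.type). It runs against two constructed sample files rather than /etc/elasticsearch/elasticsearch.yml, and ignores commented-out keys such as the default `#network.host: 192.168.0.1`, which Elasticsearch also ignores.

```shell
#!/bin/sh
# Added example, not part of the original notebook: audit an elasticsearch.yml
# for the three settings this walkthrough changes. Commented-out keys such as
# "#network.host: 192.168.0.1" are ignored, just as Elasticsearch ignores them.
# es_setting FILE KEY: print the active value of KEY (last definition wins,
# trailing "# comment" stripped) or nothing when the key is not set.
es_setting() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')      # escape dots for sed
    sed -n "s/^[[:space:]]*$key:[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//' | tail -n 1
}

# audit_es_config FILE: one finding per line; exit status 0 only when the
# node is loopback-bound, security is enabled and single-node discovery is set.
audit_es_config() {
    f="$1"; rc=0
    host=$(es_setting "$f" network.host)
    case "$host" in
        ""|localhost|127.0.0.1|_local_)
            echo "network.host: ${host:-unset} (loopback only)";;
        *)  echo "network.host: $host (reachable beyond this host; firewall 9200)"; rc=1;;
    esac
    if [ "$(es_setting "$f" xpack.security.enabled)" = true ]; then
        echo "xpack.security.enabled: true"
    else
        echo "xpack.security.enabled: missing or false (REST API is unauthenticated)"; rc=1
    fi
    if [ "$(es_setting "$f" discovery.type)" = single-node ]; then
        echo "discovery.type: single-node"
    else
        echo "discovery.type: not single-node (cluster formation is open to other nodes)"; rc=1
    fi
    return $rc
}

# Constructed sample configs standing in for /etc/elasticsearch/elasticsearch.yml.
ES_UNSAFE=$(mktemp); ES_SAFE=$(mktemp)
cat > "$ES_UNSAFE" <<'EOF'
#network.host: 192.168.0.1
network.host: 0.0.0.0   # exposed on every interface
#xpack.security.enabled: true
EOF
cat > "$ES_SAFE" <<'EOF'
network.host: localhost
discovery.type: single-node
xpack.security.enabled: true
EOF
audit_es_config "$ES_UNSAFE" || echo "=> $ES_UNSAFE needs hardening"
audit_es_config "$ES_SAFE" && echo "=> $ES_SAFE matches the walkthrough"
```

Point `audit_es_config` at the real file (`sudo sh audit.sh` after replacing the sample paths) to re-check the node after every edit and before restarting the service.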

### Generate passwords for built-in users
##### By default, basic authentication is enabled once the security features are enabled. Before setting up any authentication, we must first make Elasticsearch load the new configuration by restarting it.

In [9]:
%%bash
sudo systemctl restart elasticsearch

##### Now we will proceed to generate passwords for the built-in users by typing the following command in our terminal:

~~~~~
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
~~~~~

##### Through this process you will set a password for the following built-in users: elastic, apm_system, kibana, logstash_system, beats_system, and remote_monitoring_user.

| User | Description |
|------|-------------|
| elastic |A built-in superuser. See Built-in roles. |
| kibana | The user Kibana uses to connect and communicate with Elasticsearch. |
| logstash_system | The user Logstash uses when storing monitoring information in Elasticsearch. |
| beats_system | The user the Beats use when storing monitoring information in Elasticsearch. |
| apm_system | The user the APM server uses when storing monitoring information in Elasticsearch. |
| remote_monitoring_user |The user Metricbeat uses when collecting and storing monitoring information in Elasticsearch. It has the remote_monitoring_agent and remote_monitoring_collector built-in roles. |

##### Alternatively, you can use the command below to generate a random password for each user:

~~~~
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
~~~~


##### Now that we have set up authentication in Elasticsearch, let us try again to connect to Elasticsearch using the REST API.

##### Type in your terminal the following:

~~~~~
curl -X GET localhost:9200
~~~~~

##### What result did you get?

##### Now let us try again using our new credentials for the elastic superuser:

~~~~
curl -u elastic:elasticsiem -XGET localhost:9200
~~~~

##### By default, Elasticsearch uses the internal native realm to manage user authentication.

##### For more information about the built-in roles, authentication realms, and how to set passwords for specific users, please see the following links.

### References

https://www.elastic.co/guide/en/elastic-stack-overview/current/built-in-roles.html

https://www.elastic.co/guide/en/elastic-stack-overview/current/realms.html

https://www.elastic.co/guide/en/elastic-stack-overview/current/built-in-users.html

https://www.elastic.co/guide/en/beats/filebeat/current/directory-layout.html