diff --git a/deploy-manage/deploy/_snippets/installation-order.md b/deploy-manage/deploy/_snippets/installation-order.md index 98fb295bf0..4819e02fa4 100644 --- a/deploy-manage/deploy/_snippets/installation-order.md +++ b/deploy-manage/deploy/_snippets/installation-order.md @@ -7,4 +7,8 @@ If you're deploying the {{stack}} in a self-managed cluster, then install the {{ * [APM](/solutions/observability/apps/application-performance-monitoring-apm.md) * [Elasticsearch Hadoop](elasticsearch-hadoop://reference/index.md) -Installing in this order ensures that the components each product depends on are in place. \ No newline at end of file +Installing in this order ensures that the components each product depends on are in place. + +:::{tip} +If you're deploying a production environment and you plan to use [trusted CA-signed certificates](/deploy-manage/security/self-setup.md#manual-configuration) for {{es}}, then you should do so before you deploy {{fleet}} and {{agent}}. If new security certificates are configured, any {{agent}}s need to be reinstalled, so we recommend that you set up {{fleet}} and {{agent}} with the appropriate certificates in place. +::: \ No newline at end of file diff --git a/deploy-manage/deploy/self-managed/_snippets/auto-security-config-rpm-deb.md b/deploy-manage/deploy/self-managed/_snippets/auto-security-config-rpm-deb.md new file mode 100644 index 0000000000..77bd9bfc80 --- /dev/null +++ b/deploy-manage/deploy/self-managed/_snippets/auto-security-config-rpm-deb.md @@ -0,0 +1,11 @@ +When you start {{es}} for the first time, it automatically performs the following security setup: + +* Generates [TLS certificates](#stack-security-certificates) for the [transport and HTTP layers](/deploy-manage/security/secure-cluster-communications.md#communication-channels) +* Applies TLS configuration settings to `elasticsearch.yml` +* Creates an enrollment token to securely connect {{kib}} to {{es}} + +You can then start {{kib}} and enter the enrollment token, which is valid for 30 minutes. This token automatically applies the security settings from your {{es}} cluster, authenticates to {{es}} with the built-in `kibana` service account, and writes the security configuration to `kibana.yml`. + +::::{note} +There are [some cases](/deploy-manage/security/self-auto-setup.md#stack-skip-auto-configuration) where security can’t be configured automatically because the node startup process detects that the node is already part of a cluster, or that security is already configured or explicitly disabled. +:::: \ No newline at end of file diff --git a/deploy-manage/deploy/self-managed/_snippets/auto-security-config.md b/deploy-manage/deploy/self-managed/_snippets/auto-security-config.md index 60a1268da3..f47f164982 100644 --- a/deploy-manage/deploy/self-managed/_snippets/auto-security-config.md +++ b/deploy-manage/deploy/self-managed/_snippets/auto-security-config.md @@ -1,4 +1,4 @@ -When you start {{es}} for the first time, it automatically performs the following security setup: +When you start your first {{es}} node for the first time, it automatically performs the following security setup: * Generates [TLS certificates](#stack-security-certificates) for the [transport and HTTP layers](/deploy-manage/security/secure-cluster-communications.md#communication-channels) * Applies TLS configuration settings to `elasticsearch.yml` diff --git a/deploy-manage/deploy/self-managed/_snippets/check-es-running.md b/deploy-manage/deploy/self-managed/_snippets/check-es-running.md index 8ad6e585ad..173b76884e 100644 --- a/deploy-manage/deploy/self-managed/_snippets/check-es-running.md +++ b/deploy-manage/deploy/self-managed/_snippets/check-es-running.md @@ -5,7 +5,7 @@ curl --cacert {{es-conf}}{{slash}}certs{{slash}}http_ca.crt {{escape}} <1> -u elastic:$ELASTIC_PASSWORD https://localhost:9200 <2> ``` 1. `--cacert`: Path to the generated `http_ca.crt` certificate for the HTTP layer. -2. Ensure that you use `https` in your call, or the request will fail. +2. Replace `$ELASTIC_PASSWORD` with the `elastic` superuser password. Ensure that you use `https` in your call, or the request will fail. diff --git a/deploy-manage/deploy/self-managed/_snippets/clean-up-multinode.md b/deploy-manage/deploy/self-managed/_snippets/clean-up-multinode.md new file mode 100644 index 0000000000..ebf2d77477 --- /dev/null +++ b/deploy-manage/deploy/self-managed/_snippets/clean-up-multinode.md @@ -0,0 +1,10 @@ +Perform the following steps on each node in the cluster: + +1. Open `elasticsearch.yml` in a text editor. +2. Comment out or remove the `cluster.initial_master_nodes` setting, if present. +3. Update the `discovery.seed_hosts` value so it contains the IP address and port of each of the master-eligible {{es}} nodes in the cluster. In the first node in the cluster, you need to add the `discovery.seed_hosts` setting manually. +4. Optionally, [restart the {{es}} service](/deploy-manage/maintenance/start-stop-services/start-stop-elasticsearch.md) to validate your configuration changes. + +If you don't perform these steps, then one or more nodes will fail the [discovery configuration bootstrap check](/deploy-manage/deploy/self-managed/bootstrap-checks.md#bootstrap-checks-discovery-configuration) when they are restarted. + +For more information, refer to [](/deploy-manage/distributed-architecture/discovery-cluster-formation.md). \ No newline at end of file diff --git a/deploy-manage/deploy/self-managed/_snippets/cluster-formation-brief.md b/deploy-manage/deploy/self-managed/_snippets/cluster-formation-brief.md new file mode 100644 index 0000000000..6e6cd3e5d2 --- /dev/null +++ b/deploy-manage/deploy/self-managed/_snippets/cluster-formation-brief.md @@ -0,0 +1,7 @@ +When {{es}} starts for the first time, the security auto-configuration process binds the HTTP layer to `0.0.0.0`, but only binds the transport layer to `localhost`. This intended behavior ensures that you can start a single-node cluster with security enabled by default without any additional configuration. + +Before enrolling a new node, additional actions such as binding to an address other than `localhost` or satisfying bootstrap checks are typically necessary in production clusters. During that time, an auto-generated enrollment token could expire, which is why enrollment tokens aren’t generated automatically. + +Only nodes on the same host can join the cluster without additional configuration. If you want nodes from another host to join your cluster, you need make your instance reachable. + +For more information about the cluster formation process, refer to [](/deploy-manage/distributed-architecture/discovery-cluster-formation.md). \ No newline at end of file diff --git a/deploy-manage/deploy/self-managed/_snippets/enroll-nodes.md b/deploy-manage/deploy/self-managed/_snippets/enroll-nodes.md index af7c847ae2..8280759eb8 100644 --- a/deploy-manage/deploy/self-managed/_snippets/enroll-nodes.md +++ b/deploy-manage/deploy/self-managed/_snippets/enroll-nodes.md @@ -1,12 +1,22 @@ -When {{es}} starts for the first time, the security auto-configuration process binds the HTTP layer to `0.0.0.0`, but only binds the transport layer to localhost. This intended behavior ensures that you can start a single-node cluster with security enabled by default without any additional configuration. +To enroll new nodes in your cluster, create an enrollment token with the [`elasticsearch-create-enrollment-token`](elasticsearch://reference/elasticsearch/command-line-tools/create-enrollment-token.md) tool on any existing node in your cluster. You can then start a new node with the `--enrollment-token` parameter so that it joins an existing cluster. -Before enrolling a new node, additional actions such as binding to an address other than `localhost` or satisfying bootstrap checks are typically necessary in production clusters. During that time, an auto-generated enrollment token could expire, which is why enrollment tokens aren’t generated automatically. +:::{tip} +Before you enroll your new node, make sure that it is able to access the first node in your cluster. You can test this by running a `curl` command to the first node. -Additionally, only nodes on the same host can join the cluster without additional configuration. If you want nodes from another host to join your cluster, you need to set `transport.host` to a [supported value](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#network-interface-values) (such as uncommenting the suggested value of `0.0.0.0`), or an IP address that’s bound to an interface where other hosts can reach it. Refer to [transport settings](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#transport-settings) for more information. +If you can't access the first node, then modify your network configuration before proceeding. +::: -To enroll new nodes in your cluster, create an enrollment token with the `elasticsearch-create-enrollment-token` tool on any existing node in your cluster. You can then start a new node with the `--enrollment-token` parameter so that it joins an existing cluster. +1. Using a text editor, update the `cluster.name` in `elasticsearch.yml` to match the other nodes in your cluster. + + :::{note} + If this value isn't updated and you attempt to join an existing cluster, then the connection will fail with the following error: -1. In a separate terminal from where {{es}} is running, navigate to the directory where you installed {{es}} and run the [`elasticsearch-create-enrollment-token`](elasticsearch://reference/elasticsearch/command-line-tools/create-enrollment-token.md) tool to generate an enrollment token for your new nodes. + ```text + handshake failed: remote cluster name [cluster-to-join] does not match local cluster name [current-cluster-name] + ``` + ::: + +2. In a separate terminal from where {{es}} is running, navigate to the directory where you installed {{es}} and run the `elasticsearch-create-enrollment-token` tool to generate an enrollment token for your new nodes. ```sh subs=true bin{{slash}}elasticsearch-create-enrollment-token -s node @@ -14,7 +24,9 @@ To enroll new nodes in your cluster, create an enrollment token with the `elasti Copy the enrollment token, which you’ll use to enroll new nodes with your {{es}} cluster. -2. From the installation directory of your new node, start {{es}} and pass the enrollment token with the `--enrollment-token` parameter. + An enrollment token has a lifespan of 30 minutes. You should create a new enrollment token for each new node that you add. + +3. From the installation directory of your new node, start {{es}} and pass the enrollment token with the `--enrollment-token` parameter. ```sh subs=true bin{{slash}}elasticsearch --enrollment-token @@ -26,6 +38,6 @@ To enroll new nodes in your cluster, create an enrollment token with the `elasti config{{slash}}certs ``` -3. Repeat the previous step for any new nodes that you want to enroll. +You can repeat these steps for each additional {{es}} node that you would like to add to the cluster. For more information about discovery and shard allocation, refer to [Discovery and cluster formation](/deploy-manage/distributed-architecture/discovery-cluster-formation.md) and [Cluster-level shard allocation and routing settings](elasticsearch://reference/elasticsearch/configuration-reference/cluster-level-shard-allocation-routing-settings.md). \ No newline at end of file diff --git a/deploy-manage/deploy/self-managed/_snippets/enroll-systemd.md b/deploy-manage/deploy/self-managed/_snippets/enroll-systemd.md index 45ee07d243..d2437a4268 100644 --- a/deploy-manage/deploy/self-managed/_snippets/enroll-systemd.md +++ b/deploy-manage/deploy/self-managed/_snippets/enroll-systemd.md @@ -1,4 +1,4 @@ -1. Run the `status` command to get details about the {{{kib}}} service. +1. Run the `status` command to get details about the {{kib}} service. ```sh sudo systemctl status kibana diff --git a/deploy-manage/deploy/self-managed/_snippets/first-node.md b/deploy-manage/deploy/self-managed/_snippets/first-node.md new file mode 100644 index 0000000000..dcaa51ea90 --- /dev/null +++ b/deploy-manage/deploy/self-managed/_snippets/first-node.md @@ -0,0 +1,33 @@ +Update the {{es}} configuration on this first node so that other hosts are able to connect to it by editing the settings in [`elasticsearch.yml`](/deploy-manage/deploy/self-managed/configure-elasticsearch.md): + +1. Open `elasticsearch.yml` in a text editor. + +2. In a multi-node {{es}} cluster, all of the {{es}} instances need to have the same name. + + In the configuration file, uncomment the line `#cluster.name: my-application` and give the {{es}} instance any name that you’d like: + + ```yaml + cluster.name: elasticsearch-demo + ``` + +3. By default, {{es}} runs on `localhost`. For {{es}} instances on other nodes to be able to join the cluster, you need to set up {{es}} to run on a routable, external IP address. + + Uncomment the line `#network.host: 192.168.0.1` and replace the default address with `0.0.0.0`. The `0.0.0.0` setting enables {{es}} to listen for connections on all available network interfaces. In a production environment, you might want to [use a different value](elasticsearch:///reference/elasticsearch/configuration-reference/networking-settings.md#common-network-settings), such as a static IP address or a reference to a [network interface of the host](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#network-interface-values). + + ```yaml + network.host: 0.0.0.0 + ``` + +4. {{es}} needs to be enabled to listen for connections from other, external hosts. + + Uncomment the line `#transport.host: 0.0.0.0`. The `0.0.0.0` setting enables {{es}} to listen for connections on all available network interfaces. In a production environment you might want to [use a different value](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#common-network-settings), such as a static IP address or a reference to a [network interface of the host](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#network-interface-values). + + ```yaml + transport.host: 0.0.0.0 + ``` + + ::::{tip} + You can find details about the `network.host` and `transport.host` settings in the {{es}} [networking settings reference](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md). + :::: + +5. Save your changes and close the editor. \ No newline at end of file diff --git a/deploy-manage/deploy/self-managed/_snippets/join-existing-cluster.md b/deploy-manage/deploy/self-managed/_snippets/join-existing-cluster.md index 9edb5fe2fb..0b0c01a95d 100644 --- a/deploy-manage/deploy/self-managed/_snippets/join-existing-cluster.md +++ b/deploy-manage/deploy/self-managed/_snippets/join-existing-cluster.md @@ -1,18 +1,55 @@ +% RPM and Debian only + When you install {{es}}, the installation process configures a single-node cluster by default. If you want a node to join an existing cluster instead, generate an enrollment token on an existing node *before* you start the new node for the first time. +:::{tip} +Before you enroll your new node, make sure that your new node is able to access the first node in your cluster. You can test this by running a `curl` command to the first node. + +If you can't access the first node, then modify your network configuration before proceeding. +::: + 1. On any node in your existing cluster, generate a node enrollment token: ```sh /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node ``` + An enrollment token has a lifespan of 30 minutes. You should create a new enrollment token for each new node that you add. + 2. Copy the enrollment token, which is output to your terminal. -3. On your new {{es}} node, pass the enrollment token as a parameter to the `elasticsearch-reconfigure-node` tool: +3. On your new {{es}} node, pass the enrollment token as a parameter to the [`elasticsearch-reconfigure-node`](elasticsearch://reference/elasticsearch/command-line-tools/reconfigure-node.md) tool: ```sh /usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token ``` - {{es}} is now configured to join the existing cluster. + Answer the `Do you want to continue` prompt with `yes` (`y`). The new {{es}} node will be reconfigured. + +4. Open the new Elasticsearch instance's `elasticsearch.yml` file in a text editor. + + The `elasticsearch-reconfigure-node` tool has updated several settings. For example: + + * The `transport.host: 0.0.0.0` setting is already uncommented. + * The `discovery_seed.hosts` setting has the IP address and port of the other {{es}} nodes added the cluster so far. As you add each new {{es}} node to the cluster, the `discovery_seed.hosts` setting will contain an array of the IP addresses and port numbers to connect to each {{es}} node that was previously added to the cluster. + +5. In the configuration file, uncomment the line `#cluster.name: my-application` and set it to match the name you specified for the first {{es}} node: + + ```yml + cluster.name: elasticsearch-demo + ``` + +6. As with the first {{es}} node, you’ll need to set up {{es}} to run on a routable, external IP address. + + Uncomment the line `#network.host: 192.168.0.1` and replace the default address with `0.0.0.0`. The `0.0.0.0` setting enables {{es}} to listen for connections on all available network interfaces. In a production environment, you might want to [use a different value](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#common-network-settings), such as a static IP address or a reference to a [network interface of the host](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#network-interface-values). + + ```yaml + network.host: 0.0.0.0 + ``` + +7. Save your changes and close the editor. + +You can repeat these steps for each additional {{es}} node that you would like to add to the cluster. -4. [Start your new node using `systemd`](#running-systemd). \ No newline at end of file +:::{warning} +If you're setting up a multi-node cluster, then as soon as you add a second node to your cluster, you need to [update your first node's config file](#update-config-files) or it won't be able to restart. +::: \ No newline at end of file diff --git a/deploy-manage/deploy/self-managed/_snippets/kibana-ip.md b/deploy-manage/deploy/self-managed/_snippets/kibana-ip.md new file mode 100644 index 0000000000..788afcf1f0 --- /dev/null +++ b/deploy-manage/deploy/self-managed/_snippets/kibana-ip.md @@ -0,0 +1,11 @@ +The default host and port settings configure Kibana to run on localhost:5601. To change this behavior and allow remote users to connect, you need to set up {{kib}} to run on a routable, external IP address. You can do this by editing the settings in [`kibana.yml`](/deploy-manage/deploy/self-managed/configure-kibana.md): + +1. Open `kibana.yml` in a text editor. + +2. Uncomment the line `#server.host: localhost` and replace the default address with `0.0.0.0`. The `0.0.0.0` setting enables {{kib}} to listen for connections on all available network interfaces. In a production environment, you might want to [use a different value](kibana://reference/configuration-reference/general-settings.md#server-host), such as a static IP address. + + ```yaml + server.host: 0.0.0.0 + ``` + +3. Save your changes and close the editor. diff --git a/deploy-manage/deploy/self-managed/_snippets/node-connectivity.md b/deploy-manage/deploy/self-managed/_snippets/node-connectivity.md new file mode 100644 index 0000000000..a7eba3cbd6 --- /dev/null +++ b/deploy-manage/deploy/self-managed/_snippets/node-connectivity.md @@ -0,0 +1,15 @@ +% RPM and Debian only + +When {{es}} starts for the first time, the security auto-configuration process binds the HTTP layer to `0.0.0.0`, but only binds the transport layer to `localhost`. This intended behavior ensures that you can start a single-node cluster with security enabled by default without any additional configuration. + +Before enrolling a new node, additional actions such as binding to an address other than `localhost` or satisfying bootstrap checks are typically necessary in production clusters. During that time, an auto-generated enrollment token could expire, which is why enrollment tokens aren’t generated automatically. + +Only nodes on the same host can join the cluster without additional configuration. If you want nodes from another host to join your cluster, you need make your instance reachable. + +* If you're installing the first node in a multi-node cluster across multiple hosts, then you need to [configure the node so that other hosts are able to connect to it](#first-node). + +* If you're installing additional nodes for a cluster, then you need to [generate an enrollment token and then reconfigure the new node to join an existing cluster](#existing-cluster). + +If you're running a single-node cluster, then skip to the next step. + +For more information about the cluster formation process, refer to [](/deploy-manage/distributed-architecture/discovery-cluster-formation.md). \ No newline at end of file diff --git a/deploy-manage/deploy/self-managed/_snippets/ports.md b/deploy-manage/deploy/self-managed/_snippets/ports.md new file mode 100644 index 0000000000..5519dd5719 --- /dev/null +++ b/deploy-manage/deploy/self-managed/_snippets/ports.md @@ -0,0 +1,13 @@ +This table shows the ports that must be accessible in order to operate an {{es}} cluster. The {{es}} REST and {{kib}} interfaces must be open to external users in order for the cluster to be usable. The transport API must be accessible between {{es}} nodes in the cluster, and to any external clients using the transport API. + +By default, {{es}} will try to listen to the first port in the specified range. If the port is taken, it will try the next one. + +These settings can be overridden in the relevant configuration file. + +| Port | Access type | Purpose | Setting | +| --- | --- | --- | --- | +| 9200 and onwards | HTTP (REST) | REST API for Elasticsearch. This is the primary interface used for access to the cluster from external sources, including {{kib}} and {{ls}}. | Elasticsearch [`http.port`](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#common-network-settings) | +| 9300 and onwards | TCP | Transport API. Used for intra-cluster communications and client access via the transport API (Java client). | Elasticsearch [`transport.port`](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md#common-network-settings) | +| 5601 | HTTP | {{kib}} default access port. | Kibana [`server.port`](kibana://reference/configuration-reference/general-settings.md#server-port) | + +Additional ports might be required for [optional {{stack}} components](/get-started/the-stack.md). Refer to the installation guide for the component that you want to install. \ No newline at end of file diff --git a/deploy-manage/deploy/self-managed/_snippets/prereqs.md b/deploy-manage/deploy/self-managed/_snippets/prereqs.md index 8a5188ef5b..799cba93af 100644 --- a/deploy-manage/deploy/self-managed/_snippets/prereqs.md +++ b/deploy-manage/deploy/self-managed/_snippets/prereqs.md @@ -1,4 +1,6 @@ Before you install {{es}}, do the following: -* Review the [supported operating systems](https://www.elastic.co/support/matrix). {{es}} is tested on the listed platforms, but it is possible that it will work on other platforms too. +* Review the [supported operating systems](https://www.elastic.co/support/matrix) and prepare virtual or physical hosts where you can install {{es}}. + + {{es}} is tested on the listed platforms, but it is possible that it will work on other platforms too. * Configure your operating system using the [](/deploy-manage/deploy/self-managed/important-system-configuration.md) guidelines. \ No newline at end of file diff --git a/deploy-manage/deploy/self-managed/_snippets/pw-env-var.md b/deploy-manage/deploy/self-managed/_snippets/pw-env-var.md index b12f7e3336..1334fe85e7 100644 --- a/deploy-manage/deploy/self-managed/_snippets/pw-env-var.md +++ b/deploy-manage/deploy/self-managed/_snippets/pw-env-var.md @@ -1,5 +1,3 @@ -The password for the `elastic` user and the enrollment token for {{kib}} are output to your terminal. - We recommend storing the `elastic` password as an environment variable in your shell. For example: ```sh subs=true diff --git a/deploy-manage/deploy/self-managed/_snippets/reset-superuser-rpm-deb.md b/deploy-manage/deploy/self-managed/_snippets/reset-superuser-rpm-deb.md new file mode 100644 index 0000000000..3167452800 --- /dev/null +++ b/deploy-manage/deploy/self-managed/_snippets/reset-superuser-rpm-deb.md @@ -0,0 +1,5 @@ +Because {{es}} runs with `systemd` and not in a terminal, the `elastic` superuser password is not output when {{es}} starts for the first time. Use the [`elasticsearch-reset-password`](elasticsearch://reference/elasticsearch/command-line-tools/reset-password.md) tool tool to set the password for the user. This only needs to be done once for the cluster, and can be done as soon as the first node is started. + +```shell +bin/elasticsearch-reset-password -u elastic +``` \ No newline at end of file diff --git a/deploy-manage/deploy/self-managed/configure-kibana.md b/deploy-manage/deploy/self-managed/configure-kibana.md index 6db4eaa4f2..2371aa3ee7 100644 --- a/deploy-manage/deploy/self-managed/configure-kibana.md +++ b/deploy-manage/deploy/self-managed/configure-kibana.md @@ -29,7 +29,7 @@ Environment variables can be injected into configuration using `${MY_ENV_VAR}` s ## Available settings -For a complete list of settings that you can apply to {{kib}}, refer to [{{kib}} configuration reference](kibana:///reference/configuration-reference.md). +For a complete list of settings that you can apply to {{kib}}, refer to [{{kib}} configuration reference](kibana://reference/configuration-reference.md). ## Additional topics diff --git a/deploy-manage/deploy/self-managed/install-elasticsearch-from-archive-on-linux-macos.md b/deploy-manage/deploy/self-managed/install-elasticsearch-from-archive-on-linux-macos.md index e8ac231892..9e6e9b3db0 100644 --- a/deploy-manage/deploy/self-managed/install-elasticsearch-from-archive-on-linux-macos.md +++ b/deploy-manage/deploy/self-managed/install-elasticsearch-from-archive-on-linux-macos.md @@ -26,6 +26,10 @@ applies_to: :::{include} _snippets/java-version.md ::: +:::{tip} +Elastic recommends that you run the commands in this guide using a normal user account, and avoid running the commands as `root`. +::: + ## Before you start :::{include} _snippets/prereqs.md @@ -85,14 +89,35 @@ Alternatively, you can add a security override by following the instructions in :::{include} _snippets/enable-auto-indices.md ::: -## Step 3: Start {{es}} [targz-running] + +## Step 3: Set up the node for connectivity + +:::{include} _snippets/cluster-formation-brief.md +::: + +* If you're installing the first node in a multi-node cluster across multiple hosts, then you need to [configure the node so that other hosts are able to connect to it](#first-node). + +* If you're installing additional nodes for a cluster, then you need to [generate an enrollment token and pass it when starting {{es}} for the first time](#existing-cluster). + +### Set up a node as the first node in a multi-host cluster [first-node] + +:::{include} _snippets/first-node.md +::: + +### Enroll the node in an existing cluster [existing-cluster] + +:::{include} _snippets/enroll-nodes.md +::: + +## Step 4: Start {{es}} [targz-running] You have several options for starting {{es}}: * [Run from the command line](#command-line) -* [Run the node to be enrolled in an existing cluster](#existing-cluster) * [Run as a daemon](#setup-installation-daemon) +If you're starting a node that will be enrolled in an existing cluster, refer to [Enroll the node in an existing cluster](#existing-cluster). + ### Run {{es}} from the command line [command-line] :::{include} _snippets/targz-start.md @@ -103,6 +128,8 @@ You have several options for starting {{es}}: :::{include} _snippets/auto-security-config.md ::: +The password for the `elastic` user and the enrollment token for {{kib}} are output to your terminal. + :::{include} _snippets/pw-env-var.md ::: @@ -111,11 +138,6 @@ You have several options for starting {{es}}: :::{include} _snippets/cmd-line-config.md ::: -### Enroll the node in an existing cluster [existing-cluster] - -:::{include} _snippets/enroll-nodes.md -::: - ### Run as a daemon [setup-installation-daemon] :::{include} _snippets/targz-daemon.md @@ -126,6 +148,17 @@ You have several options for starting {{es}}: :::{include} _snippets/check-es-running.md ::: +## Step 5 (Multi-node clusters only): Update the config files [update-config-files] + +If you are deploying a multi-node cluster, then the enrollment process adds all existing nodes to each newly enrolled node's `discovery.seed_hosts` setting. However, you need to go back to all of the nodes in the cluster and edit them so each node in the cluster can restart and rejoin the cluster as expected. + +:::{note} +Because the initial node in the cluster is bootstrapped as a single-node cluster, it won't have `discovery.seed_hosts` configured. This setting is mandatory for multi-node clusters and must be added manually to the first node. +::: + +:::{include} _snippets/clean-up-multinode.md +::: + ## Connect clients to {{es}} [connect_clients_to_es] :::{include} _snippets/connect-clients.md @@ -158,11 +191,6 @@ This is convenient because you don’t have to create any directories to start u | plugins | Plugin files location. Each plugin will be contained in a subdirectory. | `$ES_HOME/plugins` | | | repo | Shared file system repository locations. Can hold multiple locations. A file system repository can be placed in to any subdirectory of any directory specified here. | Not configured | [`path.repo`](/deploy-manage/tools/snapshot-and-restore/shared-file-system-repository.md) | -### Security certificates and keys [stack-security-certificates] - -:::{include} _snippets/security-files.md -::: - ## Next steps [next_steps] :::{include} _snippets/install-next-steps.md diff --git a/deploy-manage/deploy/self-managed/install-elasticsearch-with-debian-package.md b/deploy-manage/deploy/self-managed/install-elasticsearch-with-debian-package.md index cc141d1359..14c152c1a9 100644 --- a/deploy-manage/deploy/self-managed/install-elasticsearch-with-debian-package.md +++ b/deploy-manage/deploy/self-managed/install-elasticsearch-with-debian-package.md @@ -107,7 +107,17 @@ sudo dpkg -i elasticsearch-{{stack-version}}-amd64.deb 1. Compares the SHA of the downloaded Debian package and the published checksum, which should output `elasticsearch--amd64.deb: OK`. -## Step 3 (Optional): Reconfigure a node to join an existing cluster [_reconfigure_a_node_to_join_an_existing_cluster] +## Step 3: Set up the node for connectivity + +:::{include} _snippets/node-connectivity.md +::: + +### Set up a node as the first node in a cluster [first-node] + +:::{include} _snippets/first-node.md +::: + +### Reconfigure a node to join an existing cluster [existing-cluster] :::{include} _snippets/join-existing-cluster.md ::: @@ -135,17 +145,33 @@ sudo dpkg -i elasticsearch-{{stack-version}}-amd64.deb ### Security at startup [deb-security-configuration] -:::{include} _snippets/auto-security-config.md +:::{include} _snippets/auto-security-config-rpm-deb.md +::: + +## Step 6: Reset the `elastic` superuser password + +:::{include} _snippets/reset-superuser-rpm-deb.md ::: :::{include} _snippets/pw-env-var.md ::: -## Step 6: Check that {{es}} is running [deb-check-running] +## Step 7: Check that {{es}} is running [deb-check-running] :::{include} _snippets/check-es-running.md ::: +## Step 8 (Multi-node clusters only): Update the config files [update-config-files] + +If you are deploying a multi-node cluster, then the `elasticsearch-reconfigure-node` tool adds all existing nodes to each newly enrolled node's `discovery.seed_hosts` setting. However, you need to go back to all of the nodes in the cluster and edit them so each node in the cluster can restart and rejoin the cluster as expected. + +:::{note} +Because the initial node in the cluster is bootstrapped as a single-node cluster, it won't have `discovery.seed_hosts` configured. This setting is mandatory for multi-node clusters and must be added manually to the first node. +::: + +:::{include} _snippets/clean-up-multinode.md +::: + ## Configuring {{es}} [deb-configuring] :::{include} _snippets/etc-elasticsearch.md @@ -183,11 +209,6 @@ The Debian package places config files, logs, and the data directory in the appr | plugins | Plugin files location. Each plugin will be contained in a subdirectory. | `/usr/share/elasticsearch/plugins` | | | repo | Shared file system repository locations. Can hold multiple locations. A file system repository can be placed in to any subdirectory of any directory specified here. | Not configured | [`path.repo`](/deploy-manage/tools/snapshot-and-restore/shared-file-system-repository.md) | -### Security certificates and keys [stack-security-certificates] - -:::{include} _snippets/security-files.md -::: - ## Next steps [_next_steps] :::{include} _snippets/install-next-steps.md diff --git a/deploy-manage/deploy/self-managed/install-elasticsearch-with-rpm.md b/deploy-manage/deploy/self-managed/install-elasticsearch-with-rpm.md index 4c530cb5da..98f71a26df 100644 --- a/deploy-manage/deploy/self-managed/install-elasticsearch-with-rpm.md +++ b/deploy-manage/deploy/self-managed/install-elasticsearch-with-rpm.md @@ -6,7 +6,7 @@ sub: slash: "/" distro: "RPM" export: "export" - escape: "\\" +escape: "\\" navigation_title: "Install with RPM package" applies_to: deployment: @@ -81,25 +81,36 @@ sudo zypper modifyrepo --enable elasticsearch && \ ### Download and install the RPM manually [install-rpm] -The RPM for {{es}} {{stack-version}} can be downloaded from the website and installed as follows: +1. Download and install the RPM for {{es}} {{stack-version}} with the following commands: -```sh subs=true -wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-{{stack-version}}-x86_64.rpm -wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-{{stack-version}}-x86_64.rpm.sha512 -shasum -a 512 -c elasticsearch-{{stack-version}}-x86_64.rpm.sha512 <1> -sudo rpm --install elasticsearch-{{stack-version}}-x86_64.rpm -``` + ```sh subs=true + wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-{{stack-version}}-x86_64.rpm + wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-{{stack-version}}-x86_64.rpm.sha512 + shasum -a 512 -c elasticsearch-{{stack-version}}-x86_64.rpm.sha512 <1> + sudo rpm --install elasticsearch-{{stack-version}}-x86_64.rpm + ``` + + 1. Compares the SHA of the downloaded RPM and the published checksum, which should output `elasticsearch--x86_64.rpm: OK`. + + :::{include} _snippets/skip-set-kernel-params.md + ::: -1. Compares the SHA of the downloaded RPM and the published checksum, which should output `elasticsearch--x86_64.rpm: OK`. +2. Copy the terminal output from the install command to a local file. In particular, you’ll need the password for the built-in `elastic` superuser account. The output also contains the commands to enable {{es}} to [run as a service](#running-systemd). -:::{include} _snippets/skip-set-kernel-params.md +## Step 3: Set up the node for connectivity + +:::{include} _snippets/node-connectivity.md ::: -### Step 3 (Optional): Reconfigure a node to join an existing cluster [_reconfigure_a_node_to_join_an_existing_cluster_2] +### Set up a node as the first node in a cluster [first-node] -:::{include} _snippets/join-existing-cluster.md +:::{include} _snippets/first-node.md ::: +### Reconfigure a node to join an existing cluster [existing-cluster] + +:::{include} _snippets/join-existing-cluster.md +::: ## Step 4: Enable automatic creation of system indices [rpm-enable-indices] @@ -126,17 +137,33 @@ sudo rpm --install elasticsearch-{{stack-version}}-x86_64.rpm ### Security at startup [deb-security-configuration] -:::{include} _snippets/auto-security-config.md +:::{include} _snippets/auto-security-config-rpm-deb.md +::: + +## Step 6: Reset the `elastic` superuser password + +:::{include} _snippets/reset-superuser-rpm-deb.md ::: :::{include} _snippets/pw-env-var.md ::: -## Step 6: Check that {{es}} is running [rpm-check-running] +## Step 7: Check that {{es}} is running [rpm-check-running] :::{include} _snippets/check-es-running.md ::: +## Step 8 (Multi-node clusters only): Update the config files [update-config-files] + +If you are deploying a multi-node cluster, then the `elasticsearch-reconfigure-node` tool adds all existing nodes to each newly enrolled node's `discovery.seed_hosts` setting. However, you need to go back to all of the nodes in the cluster and edit them so each node in the cluster can restart and rejoin the cluster as expected. + +:::{note} +Because the initial node in the cluster is bootstrapped as a single-node cluster, it won't have `discovery.seed_hosts` configured. This setting is mandatory for multi-node clusters and must be added manually to the first node. +::: + +:::{include} _snippets/clean-up-multinode.md +::: + ## Configuring {{es}} [rpm-configuring] :::{include} _snippets/etc-elasticsearch.md @@ -174,11 +201,6 @@ The RPM places config files, logs, and the data directory in the appropriate loc | plugins | Plugin files location. Each plugin will be contained in a subdirectory. | `/usr/share/elasticsearch/plugins` | | | repo | Shared file system repository locations. Can hold multiple locations. A file system repository can be placed in to any subdirectory of any directory specified here. | Not configured | [`path.repo`](/deploy-manage/tools/snapshot-and-restore/shared-file-system-repository.md) | -### Security certificates and keys [stack-security-certificates] - -:::{include} _snippets/security-files.md -::: - ## Next steps [_next_steps] :::{include} _snippets/install-next-steps.md diff --git a/deploy-manage/deploy/self-managed/install-elasticsearch-with-zip-on-windows.md b/deploy-manage/deploy/self-managed/install-elasticsearch-with-zip-on-windows.md index 0aa9410735..1989855c74 100644 --- a/deploy-manage/deploy/self-managed/install-elasticsearch-with-zip-on-windows.md +++ b/deploy-manage/deploy/self-managed/install-elasticsearch-with-zip-on-windows.md @@ -7,6 +7,8 @@ sub: export: "$" escape: "^" auto: ".bat" + ipcommand: "ipconfig /all" + ipvalue: "inet" navigation_title: Install on Windows applies_to: deployment: @@ -51,15 +53,33 @@ cd C:\Program Files\elasticsearch-{{stack-version}} :::{include} _snippets/enable-auto-indices.md ::: -## Step 3: Run {{es}} +## Step 3: Set up the node for connectivity + +:::{include} _snippets/cluster-formation-brief.md +::: + +* If you're installing the first node in a multi-node cluster across multiple hosts, then you need to [configure the node so that other hosts are able to connect to it](#first-node). + +* If you're installing additional nodes for a cluster, then you need to [generate an enrollment token and pass it when starting {{es}} for the first time](#existing-cluster). + +### Set up a node as the first node in a multi-host cluster [first-node] + +:::{include} _snippets/first-node.md +::: + +### Enroll the node in an existing cluster [existing-cluster] + +:::{include} _snippets/enroll-nodes.md +::: + +## Step 4: Run {{es}} You have several options for starting {{es}}: * [Run from the command line](#command-line) -* [Run the node to be enrolled in an existing cluster](#existing-cluster) * [Install and run as a service](#windows-service) -You can run {{es}} [from the command line](#command-line), or install and run {{es}} [as a service](#windows-service). +If you're starting a node that will be enrolled in an existing cluster, refer to [Enroll the node in an existing cluster](#existing-cluster). ### Run {{es}} from the command line [command-line] @@ -71,6 +91,8 @@ You can run {{es}} [from the command line](#command-line), or install and run {{ :::{include} _snippets/auto-security-config.md ::: +The password for the `elastic` user and the enrollment token for {{kib}} are output to your terminal. + :::{include} _snippets/pw-env-var.md ::: @@ -79,11 +101,6 @@ You can run {{es}} [from the command line](#command-line), or install and run {{ :::{include} _snippets/cmd-line-config.md ::: -### Enroll the node in an existing cluster [existing-cluster] - -:::{include} _snippets/enroll-nodes.md -::: - ### Install and run {{es}} as a service on Windows [windows-service] You can install {{es}} as a service that runs in the background or starts automatically at boot time without user interaction. @@ -92,6 +109,10 @@ You can install {{es}} as a service that runs in the background or starts automa ```sh subs=true C:\Program Files\elasticsearch-{{stack-version}}\bin>elasticsearch-service.bat install + ``` + + Response: + ``` Installing service : "elasticsearch-service-x64" Using ES_JAVA_HOME (64-bit): "C:\jvm\jdk1.8" The service 'elasticsearch-service-x64' has been installed. @@ -194,11 +215,22 @@ Most changes (like JVM settings) made through the manager GUI will require a res * The system environment variable `ES_JAVA_HOME` should be set to the path of the JDK installation that you want the service to use. If you upgrade the JDK, you are not required to the reinstall the service, but you must set the value of the system environment variable `ES_JAVA_HOME` to the path to the new JDK installation. Upgrading across JVM types (e.g. JRE versus SE) is not supported, and requires the service to be reinstalled. -## Step 4: Check that {{es}} is running [_check_that_elasticsearch_is_running_2] +## Step 5: Check that {{es}} is running [_check_that_elasticsearch_is_running_2] :::{include} _snippets/check-es-running.md ::: +## Step 6 (Multi-node clusters only): Update the config files [update-config-files] + +If you are deploying a multi-node cluster, then the enrollment process adds all existing nodes to each newly enrolled node's `discovery.seed_hosts` setting. However, you need to go back to all of the nodes in the cluster and edit them so each node in the cluster can restart and rejoin the cluster as expected. + +:::{note} +Because the initial node in the cluster is bootstrapped as a single-node cluster, it won't have `discovery.seed_hosts` configured. This setting is mandatory for multi-node clusters and must be added manually to the first node. +::: + +:::{include} _snippets/clean-up-multinode.md +::: + ## Connect clients to {{es}} [_connect_clients_to_es_4] :::{include} _snippets/connect-clients.md diff --git a/deploy-manage/deploy/self-managed/install-kibana-from-archive-on-linux-macos.md b/deploy-manage/deploy/self-managed/install-kibana-from-archive-on-linux-macos.md index 1583078527..79667e9122 100644 --- a/deploy-manage/deploy/self-managed/install-kibana-from-archive-on-linux-macos.md +++ b/deploy-manage/deploy/self-managed/install-kibana-from-archive-on-linux-macos.md @@ -2,6 +2,8 @@ navigation_title: "Install from archive on Linux or macOS" mapped_pages: - https://www.elastic.co/guide/en/kibana/current/targz.html +sub: + ipcommand: "ifconfig" navigation_title: "Linux and MacOS" applies_to: deployment: @@ -39,7 +41,7 @@ cd kibana-{{stack-version}}/ <2> 1. Compares the SHA of the downloaded `.tar.gz` archive and the published checksum, which should output `kibana--linux-x86_64.tar.gz: OK`. 2. This directory is known as `$KIBANA_HOME`. -## MacOS [install-darwin64] +### MacOS [install-darwin64] The Darwin archive for {{kib}} {{stack-version}} can be downloaded and installed as follows: @@ -79,7 +81,12 @@ Alternatively, you can add a security override if a Gatekeeper popup appears by :::{include} _snippets/new-enrollment-token.md ::: -## Step 3: Run {{kib}} from the command line [targz-running] +## Step 3 (Optional): Make {{kib}} externally accessible + +:::{include} _snippets/kibana-ip.md +::: + +## Step 4: Run {{kib}} from the command line [targz-running] {{kib}} can be started from the command line as follows: @@ -91,7 +98,7 @@ By default, {{kib}} runs in the foreground, prints its logs to the standard outp :::{include} _snippets/enroll-steps.md ::: -## Step 4: Configure {{kib}} using the config file [targz-configuring] +## Configure {{kib}} using the config file [targz-configuring] {{kib}} loads its configuration from the `$KIBANA_HOME/config/kibana.yml` file by default. The format of this config file is explained in [](configure-kibana.md). diff --git a/deploy-manage/deploy/self-managed/install-kibana-on-windows.md b/deploy-manage/deploy/self-managed/install-kibana-on-windows.md index ca24686f5b..31a5aed2f3 100644 --- a/deploy-manage/deploy/self-managed/install-kibana-on-windows.md +++ b/deploy-manage/deploy/self-managed/install-kibana-on-windows.md @@ -38,7 +38,12 @@ CD c:\kibana-{{stack-version}}-windows-x86_64 :::{include} _snippets/new-enrollment-token.md ::: -## Step 3: Run {{kib}} from the command line [windows-running] +## Step 3 (Optional): Make {{kib}} externally accessible + +:::{include} _snippets/kibana-ip.md +::: + +## Step 4: Run {{kib}} from the command line [windows-running] {{kib}} can be started from the command line as follows: diff --git a/deploy-manage/deploy/self-managed/install-kibana-with-debian-package.md b/deploy-manage/deploy/self-managed/install-kibana-with-debian-package.md index 7b7cf2c15d..30bbc3955c 100644 --- a/deploy-manage/deploy/self-managed/install-kibana-with-debian-package.md +++ b/deploy-manage/deploy/self-managed/install-kibana-with-debian-package.md @@ -102,7 +102,12 @@ sudo dpkg -i kibana-{{stack-version}}-amd64.deb :::{include} _snippets/new-enrollment-token.md ::: -## Step 4: Run {{kib}} with `systemd` [deb-running-systemd] +## Step 4 (Optional): Make {{kib}} externally accessible + +:::{include} _snippets/kibana-ip.md +::: + +## Step 5: Run {{kib}} with `systemd` [deb-running-systemd] To configure {{kib}} to start automatically when the system starts, run the following commands: @@ -121,12 +126,12 @@ sudo systemctl stop kibana.service These commands provide no feedback as to whether {{kib}} was started successfully or not. Log information can be accessed using `journalctl -u kibana.service`. -## Step 5: Enroll {{kib}} with {{es}} +## Step 6: Enroll {{kib}} with {{es}} :::{include} _snippets/enroll-systemd.md ::: -## Step 6: Configure {{kib}} using the config file [deb-configuring] +## Step 7: Configure {{kib}} using the config file [deb-configuring] {{kib}} loads its configuration from the `/etc/kibana/kibana.yml` file by default. The format of this config file is explained in [](configure-kibana.md). diff --git a/deploy-manage/deploy/self-managed/install-kibana-with-docker.md b/deploy-manage/deploy/self-managed/install-kibana-with-docker.md index 406fb657b1..0510f40fcc 100644 --- a/deploy-manage/deploy/self-managed/install-kibana-with-docker.md +++ b/deploy-manage/deploy/self-managed/install-kibana-with-docker.md @@ -229,7 +229,7 @@ The following settings have different default values when using the Docker image `monitoring.ui.container.elasticsearch.enabled` : `true` -These settings are defined in the default `kibana.yml`. They can be overridden with a [custom `kibana.yml`](#bind-mount-config) or via [environment variables](#environment-variable-config). +These settings are defined in the default `kibana.yml`. They can be overridden with a [custom `kibana.yml`](#bind-mount-config) or using [environment variables](#environment-variable-config). ::::{important} If replacing `kibana.yml` with a custom version, be sure to copy the defaults to the custom file if you want to retain them. If not, they will be "masked" by the new file. diff --git a/deploy-manage/deploy/self-managed/install-kibana-with-rpm.md b/deploy-manage/deploy/self-managed/install-kibana-with-rpm.md index f9a530ee2e..3beec4b484 100644 --- a/deploy-manage/deploy/self-managed/install-kibana-with-rpm.md +++ b/deploy-manage/deploy/self-managed/install-kibana-with-rpm.md @@ -91,7 +91,13 @@ sudo rpm --install kibana-{{stack-version}}-x86_64.rpm :::{include} _snippets/new-enrollment-token.md ::: -## Step 4: Run {{kib}} with `systemd` [rpm-running-systemd] +## Step 4 (Optional): Make {{kib}} externally accessible + +:::{include} _snippets/kibana-ip.md +::: + + +## Step 5: Run {{kib}} with `systemd` [rpm-running-systemd] To configure {{kib}} to start automatically when the system starts, run the following commands: @@ -110,12 +116,12 @@ sudo systemctl stop kibana.service These commands provide no feedback as to whether {{kib}} was started successfully or not. Log information can be accessed using `journalctl -u kibana.service`. -## Step 5: Enroll {{kib}} with {{es}} +## Step 6: Enroll {{kib}} with {{es}} :::{include} _snippets/enroll-systemd.md ::: -## Step 6: Configure {{kib}} using the config file [rpm-configuring] +## Step 7: Configure {{kib}} using the config file [rpm-configuring] {{kib}} loads its configuration from the `/etc/kibana/kibana.yml` file by default. The format of this config file is explained in [](configure-kibana.md). diff --git a/deploy-manage/deploy/self-managed/install-kibana.md b/deploy-manage/deploy/self-managed/install-kibana.md index ac323e672d..c076159230 100644 --- a/deploy-manage/deploy/self-managed/install-kibana.md +++ b/deploy-manage/deploy/self-managed/install-kibana.md @@ -54,6 +54,11 @@ Running different patch version releases of {{kib}} and {{es}} (e.g. {{kib}} 9.0 :::{include} /deploy-manage/deploy/_snippets/installation-order.md ::: +## Default ports + +:::{include} _snippets/ports.md +::: + ## Third-party dependencies :::{include} /deploy-manage/deploy/self-managed/_snippets/third-party-dependencies.md diff --git a/deploy-manage/deploy/self-managed/installing-elasticsearch.md b/deploy-manage/deploy/self-managed/installing-elasticsearch.md index 993f14420e..09c35949d3 100644 --- a/deploy-manage/deploy/self-managed/installing-elasticsearch.md +++ b/deploy-manage/deploy/self-managed/installing-elasticsearch.md @@ -52,6 +52,8 @@ Each linked guide provides the following details: * Archive or package contents information * Security certificate and key information +Special considerations such as firewalls and proxy servers are not covered. + Before you start, make sure that you [configure your system](/deploy-manage/deploy/self-managed/important-system-configuration.md). | Format | Description | Instructions | @@ -79,6 +81,11 @@ You can [use Docker Compose](/deploy-manage/deploy/self-managed/install-elastics :::{include} /deploy-manage/deploy/_snippets/installation-order.md ::: +## Required ports + +:::{include} _snippets/ports.md +::: + ## Supported operating systems and JVMs [supported-platforms] The matrix of officially supported operating systems and JVMs is available in the [Elastic Support Matrix](https://elastic.co/support/matrix). {{es}} is tested on the listed platforms, but it is possible that it will work on other platforms too. diff --git a/deploy-manage/maintenance/add-and-remove-elasticsearch-nodes.md b/deploy-manage/maintenance/add-and-remove-elasticsearch-nodes.md index 8d458aefec..104c88a271 100644 --- a/deploy-manage/maintenance/add-and-remove-elasticsearch-nodes.md +++ b/deploy-manage/maintenance/add-and-remove-elasticsearch-nodes.md @@ -4,6 +4,8 @@ mapped_pages: applies_to: deployment: self: +sub: + slash: "\\" --- # Add and Remove Elasticsearch nodes [add-elasticsearch-nodes] @@ -38,14 +40,13 @@ Refer to the following pages to learn more about how to add nodes to your cluste You can enroll additional nodes on your local machine to experiment with how an {{es}} cluster with multiple nodes behaves. -::::{note} -To add a node to a cluster running on multiple machines, you must also set [`discovery.seed_hosts`](../deploy/self-managed/important-settings-configuration.md#unicast.hosts) so that the new node can discover the rest of its cluster. - -:::: - :::{include} /deploy-manage/deploy/self-managed/_snippets/enroll-nodes.md ::: +:::{tip} +If you installed your new {{es}} node using an [RPM](/deploy-manage/deploy/self-managed/install-elasticsearch-with-rpm.md#existing-cluster) or [Debian](/deploy-manage/deploy/self-managed/install-elasticsearch-with-debian-package.md#existing-cluster) package, then you can pass your enrollment token to the [`elasticsearch-reconfigure-node`](elasticsearch://reference/elasticsearch/command-line-tools/reconfigure-node.md) tool to simplify the configuration process. +::: + ## Master-eligible nodes [add-elasticsearch-nodes-master-eligible] As nodes are added or removed Elasticsearch maintains an optimal level of fault tolerance by automatically updating the cluster’s *voting configuration*, which is the set of [master-eligible nodes](../distributed-architecture/clusters-nodes-shards/node-roles.md#master-node-role) whose responses are counted when making decisions such as electing a new master or committing a new cluster state. diff --git a/deploy-manage/security/kibana-es-mutual-tls.md b/deploy-manage/security/kibana-es-mutual-tls.md index f829493bf4..24f9fb7438 100644 --- a/deploy-manage/security/kibana-es-mutual-tls.md +++ b/deploy-manage/security/kibana-es-mutual-tls.md @@ -17,7 +17,7 @@ In a standard TLS configuration, the server presents a signed certificate to aut {{es}} {{security-features}} are enabled on your cluster by default, so each request that {{kib}} (the client) makes to {{es}} (the server) is authenticated. Most requests made by end users through {{kib}} to {{es}} are authenticated by using the credentials of the logged-in user. -To [enroll {{kib}} with an {{es}} cluster](/deploy-manage/security/self-auto-setup.md#stack-start-with-security), you pass a generated enrollment token. This token configures {{kib}} to authenticate with {{es}} using a [service account token](/deploy-manage/users-roles/cluster-or-deployment-auth/service-accounts.md#service-accounts-tokens). {{kib}} also supports mutual TLS authentication with {{es}} via a [Public Key Infrastructure (PKI) realm](/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md). With this setup, {{es}} needs to verify the signature on the {{kib}} client certificate, and it also needs to map the client certificate’s distinguished name (DN) to the appropriate `kibana_system` role. +To enroll {{kib}} with an {{es}} cluster, you pass a generated enrollment token. This token configures {{kib}} to authenticate with {{es}} using a [service account token](/deploy-manage/users-roles/cluster-or-deployment-auth/service-accounts.md#service-accounts-tokens). {{kib}} also supports mutual TLS authentication with {{es}} via a [Public Key Infrastructure (PKI) realm](/deploy-manage/users-roles/cluster-or-deployment-auth/pki.md). With this setup, {{es}} needs to verify the signature on the {{kib}} client certificate, and it also needs to map the client certificate’s distinguished name (DN) to the appropriate `kibana_system` role. ::::{note} Using a PKI realm is a [subscription feature](https://www.elastic.co/subscriptions). @@ -25,7 +25,7 @@ Using a PKI realm is a [subscription feature](https://www.elastic.co/subscriptio ## Configure {{kib}} and {{es}} to use mutual TLS authentication [_configure_kib_and_es_to_use_mutual_tls_authentication] -If you haven’t already, start {{kib}} and connect it to {{es}} using the [enrollment token](/deploy-manage/security/self-auto-setup.md#stack-start-with-security). +If you haven’t already, start {{kib}} and connect it to {{es}} using the [enrollment token](/deploy-manage/security/self-auto-setup.md). For detailed instructions, see the [installation guide](/deploy-manage/deploy/self-managed/install-kibana.md#install) for your preferred installation method. 1. Obtain a client certificate and private key for {{kib}}. diff --git a/deploy-manage/security/self-auto-setup.md b/deploy-manage/security/self-auto-setup.md index aae7064a55..039c66fb14 100644 --- a/deploy-manage/security/self-auto-setup.md +++ b/deploy-manage/security/self-auto-setup.md @@ -17,96 +17,14 @@ mapped_pages: :::{include} /deploy-manage/deploy/self-managed/_snippets/auto-security-config.md ::: -## Prerequisites [_prerequisites_12] - -* [Download](https://www.elastic.co/downloads/elasticsearch) and unpack the `elasticsearch` package distribution for your environment. -* [Download](https://www.elastic.co/downloads/kibana) and unpack the `kibana` package distribution for your environment. - -::::{note} -This guide assumes a `.tar.gz` installation of {{es}} and {{kib}} on Linux. -For instructions tailored to other installation packages (such as DEB, RPM, Docker, or macOS), refer to the [{{es}}](/deploy-manage/deploy/self-managed/installing-elasticsearch.md#elasticsearch-install-packages) and [{{kib}}](/deploy-manage/deploy/self-managed/install-kibana.md#install) installation guides. -:::: - -## Start {{es}} and enroll {{kib}} with security enabled [stack-start-with-security] - -1. From the installation directory, start {{es}}. - - ```shell - bin/elasticsearch - ``` - - The command prints the `elastic` user password and an enrollment token for {{kib}}. - -2. Copy the generated `elastic` password and enrollment token. These credentials are only shown when you start {{es}} for the first time. - - ::::{note} - If you need to reset the password for the `elastic` user or other built-in users, run the [`elasticsearch-reset-password`](elasticsearch://reference/elasticsearch/command-line-tools/reset-password.md) tool. To generate new enrollment tokens for {{kib}} or {{es}} nodes, run the [`elasticsearch-create-enrollment-token`](elasticsearch://reference/elasticsearch/command-line-tools/create-enrollment-token.md) tool. These tools are available in the {{es}} `bin` directory. - - :::: - - - We recommend storing the `elastic` password as an environment variable in your shell. Example: - - ```sh - export ELASTIC_PASSWORD="your_password" - ``` - -3. (Optional) Open a new terminal and verify that you can connect to your {{es}} cluster by making an authenticated call. - - ```shell - curl --cacert config/certs/http_ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200 - ``` - -4. From the directory where you installed {{kib}}, start {{kib}}. - - ```shell - bin/kibana - ``` - -5. Enroll {{kib}} using either interactive or detached mode. - - * **Interactive mode** (browser) - - 1. In your terminal, click the generated link to open {{kib}} in your browser. - 2. In your browser, paste the enrollment token that you copied and click the button to connect your {{kib}} instance with {{es}}. - - ::::{note} - {{kib}} won’t enter interactive mode if it detects existing credentials for {{es}} (`elasticsearch.username` and `elasticsearch.password`) or an existing URL for `elasticsearch.hosts`. - - :::: - - * **Detached mode** (non-browser) - - Run the `kibana-setup` tool and pass the generated enrollment token with the `--enrollment-token` parameter. - - ```sh - bin/kibana-setup --enrollment-token - ``` - -## Enroll additional nodes in your cluster [stack-enroll-nodes] - -:::{include} /deploy-manage/deploy/self-managed/_snippets/enroll-nodes.md +:::{note} +In {{es}} RPM and Debian package installations, the `elastic` user password is not output at startup and must be [manually reset](/deploy-manage/users-roles/cluster-or-deployment-auth/built-in-sm.md#using-elasticsearch-reset-password). ::: -## Connect clients to {{es}} [_connect_clients_to_es_5] - -:::{include} /deploy-manage/deploy/self-managed/_snippets/connect-clients.md -::: - -### Use the CA fingerprint [_use_the_ca_fingerprint_5] - -:::{include} /deploy-manage/deploy/self-managed/_snippets/ca-fingerprint.md -::: - -### Use the CA certificate [_use_the_ca_certificate_5] - -:::{include} /deploy-manage/deploy/self-managed/_snippets/ca-cert.md -::: - -## What’s next? [_whats_next] - -Congratulations! You’ve successfully started the {{stack}} with security enabled. {{es}} and {{kib}} are secured with TLS on the HTTP layer, and internode communication is encrypted. If you want to enable HTTPS for web traffic, you can [encrypt traffic between your browser and {{kib}}](set-up-basic-security-plus-https.md#encrypt-kibana-browser). +To learn how to start {{es}} and {{kib}} with security enabled, follow one of our installation guides. Select the product that you want to install, and then select the guide your preferred installation method: +* [Install {{es}}](/deploy-manage/deploy/self-managed/installing-elasticsearch.md#installation-methods) +* [Install {{kib}}](/deploy-manage/deploy/self-managed/install-kibana.md#install) ## Security certificates and keys [stack-security-certificates] diff --git a/deploy-manage/security/self-setup.md b/deploy-manage/security/self-setup.md index 4e96aaaa7a..55044f9afc 100644 --- a/deploy-manage/security/self-setup.md +++ b/deploy-manage/security/self-setup.md @@ -34,7 +34,7 @@ This automatic setup is the quickest way to get started and ensures your cluster The automatic configuration does not enable TLS on the {{kib}} HTTP endpoint. To encrypt browser traffic to {{kib}}, follow the steps in [](./set-up-basic-security-plus-https.md#encrypt-kibana-browser). :::: -Refer to [Automatic security setup](./self-auto-setup.md) for details about the full procedure, including [cases where it may be skipped](./self-auto-setup.md#stack-skip-auto-configuration). +Refer to [Automatic security setup](./self-auto-setup.md) to learn more, including a list of automatically generated security certificates and keys, and [cases where the security setup may be skipped](./self-auto-setup.md#stack-skip-auto-configuration). ## Manual configuration [manual-configuration] diff --git a/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md b/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md index 90df231cf0..3622e9f343 100644 --- a/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md +++ b/deploy-manage/tools/cross-cluster-replication/set-up-cross-cluster-replication.md @@ -30,7 +30,7 @@ In this guide, you’ll learn how to: You can manually create follower indices to replicate specific indices on a remote cluster, or configure auto-follow patterns to replicate rolling time series indices. ::::{tip} -If you want to replicate data across clusters in the cloud, you can [configure remote clusters on {{{ecloud}}](/deploy-manage/remote-clusters/ec-enable-ccs.md). Then, you can [search across clusters](../../../solutions/search/cross-cluster-search.md) and set up {{ccr}}. +If you want to replicate data across clusters in the cloud, you can [configure remote clusters on {{ecloud}}](/deploy-manage/remote-clusters/ec-enable-ccs.md). Then, you can [search across clusters](../../../solutions/search/cross-cluster-search.md) and set up {{ccr}}. :::: diff --git a/raw-migrated-files/stack-docs/elastic-stack/installing-stack-demo-self.md b/raw-migrated-files/stack-docs/elastic-stack/installing-stack-demo-self.md deleted file mode 100644 index 2d1759a821..0000000000 --- a/raw-migrated-files/stack-docs/elastic-stack/installing-stack-demo-self.md +++ /dev/null @@ -1,638 +0,0 @@ -# Tutorial 1: Installing a self-managed {{stack}} [installing-stack-demo-self] - -This tutorial demonstrates how to install and configure the {{stack}} in a self-managed environment. Following these steps, you’ll set up a three node {{es}} cluster, with {{kib}}, {{fleet-server}}, and {{agent}}, each on separate hosts. The {{agent}} will be configured with the System integration, enabling it to gather local system logs and metrics and deliver them into the {{es}} cluster. Finally, you’ll learn how to view the system data in {{kib}}. - -It should take between one and two hours to complete these steps. - -::::{important} -If you’re using these steps to configure a production cluster that uses trusted CA-signed certificates for secure communications, after completing Step 6 to install {{kib}} we recommend jumping directly to [Tutorial 2: Securing a self-managed {{stack}}](../../../deploy-manage/security/secure-your-cluster-deployment.md). - -The second tutorial includes steps to configure security across the {{stack}}, and then to set up {{fleet-server}} and {{agent}} with SSL certificates enabled. - -:::: - - - -## Prerequisites and assumptions [install-stack-self-prereqs] - -To get started, you’ll need the following: - -* A set of virtual or physical hosts on which to install each stack component. -* On each host, a super user account with `sudo` privileges. - -The examples in this guide use RPM packages to install the {{stack}} components on hosts running Red Hat Enterprise Linux 8. The steps for other install methods and operating systems are similar, and can be found in the documentation linked from each section. The packages that you’ll install are: - -* [https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-9.0.0-beta1-x86_64.rpm](https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-9.0.0-beta1-x86_64.rpm) -* [https://artifacts.elastic.co/downloads/kibana/kibana-9.0.0-beta1-x86_64.rpm](https://artifacts.elastic.co/downloads/kibana/kibana-9.0.0-beta1-x86_64.rpm) -* [https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.0.0-beta1-linux-x86_64.tar.gz](https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.0.0-beta1-linux-x86_64.tar.gz) - -::::{note} -For {{agent}} and {{fleet-server}} (both of which use the elastic-agent-9.0.0-beta1-linux-x86_64.tar.gz package) we recommend using TAR/ZIP packages over RPM/DEB system packages, since only the former support upgrading using {{fleet}}. -:::: - - -Special considerations such as firewalls and proxy servers are not covered here. - -For the basic ports and protocols required for the installation to work, refer to the following overview section. - - -## {{stack}} overview [install-stack-self-overview] - -Before starting, take a moment to familiarize yourself with the {{stack}} components. - -:::{image} /raw-migrated-files/images/elastic-stack-stack-install-final-state.png -:alt: Image showing the relationships between stack components -::: - -To learn more about the {{stack}} and how each of these components are related, refer to [An overview of the {{stack}}](../../../get-started/the-stack.md). - - -## Step 1: Set up the first {{es}} node [install-stack-self-elasticsearch-first] - -To begin, use RPM to install {{es}} on the first host. This initial {{es}} instance will serve as the master node. - -1. Log in to the host where you’d like to set up your first {{es}} node. -2. Create a working directory for the installation package: - - ```shell - mkdir elastic-install-files - ``` - -3. Change into the new directory: - - ```shell - cd elastic-install-files - ``` - -4. Download the {{es}} RPM and checksum file from the {{artifact-registry}}. You can find details about these steps in the section [Download and install the RPM manually](../../../deploy-manage/deploy/self-managed/install-elasticsearch-with-rpm.md#install-rpm). - - ```sh - wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-9.0.0-beta1-x86_64.rpm - wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-9.0.0-beta1-x86_64.rpm.sha512 - ``` - -5. Confirm the validity of the downloaded package by checking the SHA of the downloaded RPM against the published checksum: - - ```sh - shasum -a 512 -c elasticsearch-9.0.0-beta1-x86_64.rpm.sha512 - ``` - - The command should return: `elasticsearch--x86_64.rpm: OK`. - -6. Run the {{es}} install command: - - ```sh - sudo rpm --install elasticsearch-9.0.0-beta1-x86_64.rpm - ``` - - The {{es}} install process enables certain security features by default, including the following: - - * Authentication and authorization are enabled, including a built-in `elastic` superuser account. - * Certificates and keys for TLS are generated for the transport and HTTP layer, and TLS is enabled and configured with these keys and certificates. - -7. Copy the terminal output from the install command to a local file. In particular, you’ll need the password for the built-in `elastic` superuser account. The output also contains the commands to enable {{es}} to run as a service, which you’ll use in the next step. -8. Run the following two commands to enable {{es}} to run as a service using `systemd`. This enables {{es}} to start automatically when the host system reboots. You can find details about this and the following steps in [Running {{es}} with `systemd`](../../../deploy-manage/maintenance/start-stop-services/start-stop-elasticsearch.md#start-deb). - - ```sh - sudo systemctl daemon-reload - sudo systemctl enable elasticsearch.service - ``` - - - -## Step 2: Configure the first {{es}} node for connectivity [install-stack-self-elasticsearch-config] - -Before moving ahead to configure additional {{es}} nodes, you’ll need to update the {{es}} configuration on this first node so that other hosts are able to connect to it. This is done by updating the settings in the `elasticsearch.yml` file. For details about all available settings refer to [Configuring {{es}}](../../../deploy-manage/deploy/self-managed/configure-elasticsearch.md). - -1. In a terminal, run the `ifconfig` command and copy the value for the host inet IP address (for example, `10.128.0.84`). You’ll need this value later. -2. Open the {{es}} configuration file in a text editor, such as `vim`: - - ```sh - sudo vim /etc/elasticsearch/elasticsearch.yml - ``` - -3. In a multi-node {{es}} cluster, all of the {{es}} instances need to have the same name. - - In the configuration file, uncomment the line `#cluster.name: my-application` and give the {{es}} instance any name that you’d like: - - ```yaml - cluster.name: elasticsearch-demo - ``` - -4. By default, {{es}} runs on `localhost`. In order for {{es}} instances on other nodes to be able to join the cluster, you’ll need to set up {{es}} to run on a routable, external IP address. - - Uncomment the line `#network.host: 192.168.0.1` and replace the default address with the value that you copied from the `ifconfig` command output. For example: - - ```yaml - network.host: 10.128.0.84 - ``` - -5. {{es}} needs to be enabled to listen for connections from other, external hosts. - - Uncomment the line `#transport.host: 0.0.0.0`. The `0.0.0.0` setting enables {{es}} to listen for connections on all available network interfaces. Note that in a production environment you might want to restrict this by setting this value to match the value set for `network.host`. - - ```yaml - transport.host: 0.0.0.0 - ``` - - ::::{tip} - You can find details about the `network.host` and `transport.host` settings in the {{es}} [Networking](elasticsearch://reference/elasticsearch/configuration-reference/networking-settings.md) documentation. - :::: - -6. Save your changes and close the editor. - - -## Step 3: Start {{es}} [install-stack-self-elasticsearch-start] - -1. Now, it’s time to start the {{es}} service: - - ```sh - sudo systemctl start elasticsearch.service - ``` - - If you need to, you can stop the service by running `sudo systemctl stop elasticsearch.service`. - -2. Make sure that {{es}} is running properly. - - ```sh - sudo curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200 - ``` - - In the command, replace `$ELASTIC_PASSWORD` with the `elastic` superuser password that you copied from the install command output. - - If all is well, the command returns a response like this: - - ```js - { - "name" : "Cp9oae6", - "cluster_name" : "elasticsearch", - "cluster_uuid" : "AT69_C_DTp-1qgIJlatQqA", - "version" : { - "number" : "{version_qualified}", - "build_type" : "{build_type}", - "build_hash" : "f27399d", - "build_flavor" : "default", - "build_date" : "2016-03-30T09:51:41.449Z", - "build_snapshot" : false, - "lucene_version" : "{lucene_version}", - "minimum_wire_compatibility_version" : "1.2.3", - "minimum_index_compatibility_version" : "1.2.3" - }, - "tagline" : "You Know, for Search" - } - ``` - -3. Finally, check the status of {{es}}: - - ```shell - sudo systemctl status elasticsearch - ``` - - As with the previous `curl` command, the output should confirm that {{es}} started successfully. Type `q` to exit from the `status` command results. - - - -## Step 4: Set up a second {{es}} node [install-stack-self-elasticsearch-second] - -To set up a second {{es}} node, the initial steps are similar to those that you followed for [Step 1: Set up the first {{es}} node](#install-stack-self-elasticsearch-first). - -1. Log in to the host where you’d like to set up your second {{es}} instance. -2. Create a working directory for the installation package: - - ```shell - mkdir elastic-install-files - ``` - -3. Change into the new directory: - - ```shell - cd elastic-install-files - ``` - -4. Download the {{es}} RPM and checksum file: - - ```sh - wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-9.0.0-beta1-x86_64.rpm - wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-9.0.0-beta1-x86_64.rpm.sha512 - ``` - -5. Check the SHA of the downloaded RPM: - - ```sh - shasum -a 512 -c elasticsearch-9.0.0-beta1-x86_64.rpm.sha512 - ``` - -6. Run the {{es}} install command: - - ```sh - sudo rpm --install elasticsearch-9.0.0-beta1-x86_64.rpm - ``` - - Unlike the setup for the first {{es}} node, in this case you don’t need to copy the output of the install command, since these settings will be updated in a later step. - -7. Enable {{es}} to run as a service: - - ```sh - sudo systemctl daemon-reload - sudo systemctl enable elasticsearch.service - ``` - - ::::{important} - Don’t start the {{es}} service yet! There are a few more configuration steps to do before restarting. - :::: - -8. To enable this second {{es}} node to connect to the first, you need to configure an enrollment token. - - ::::{important} - Be sure to run all of these configuration steps before starting the {{es}} service. - - You can find additional details about these steps in [Reconfigure a node to join an existing cluster](../../../deploy-manage/deploy/self-managed/install-elasticsearch-with-rpm.md#_reconfigure_a_node_to_join_an_existing_cluster_2) and also in [Enroll nodes in an existing cluster](../../../deploy-manage/maintenance/add-and-remove-elasticsearch-nodes.md#_enroll_nodes_in_an_existing_cluster_5). - - :::: - - - Return to your terminal shell on the first {{es}} node and generate a node enrollment token: - - ```shell - sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node - ``` - -9. Copy the generated enrollment token from the command output. - - ::::{tip} - Note the following tips about enrollment tokens: - - 1. An enrollment token has a lifespan of 30 minutes. In case the `elasticsearch-reconfigure-node` command returns an `Invalid enrollment token` error, try generating a new token. - 2. Be sure not to confuse an [{{es}} enrollment token](../../../deploy-manage/maintenance/add-and-remove-elasticsearch-nodes.md) (for enrolling {{es}} nodes in an existing cluster) with a [{{kib}} enrollment token](../../../deploy-manage/maintenance/start-stop-services/start-stop-kibana.md#run-kibana-from-command-line) (to enroll your {{kib}} instance with {{es}}, as described in the next section). These two tokens are not interchangeable. - - :::: - -10. In the terminal shell for your second {{es}} node, pass the enrollment token as a parameter to the `elasticsearch-reconfigure-node` tool: - - ```shell - sudo /usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token - ``` - - In the command, replace `] master node changed {previous [], current [...]} - ``` - - Here, `hostname1` is your first {{es}} instance node, and `hostname2` is your second {{es}} instance node. - - The message indicates that the second {{es}} node has successfully contacted the initial {{es}} node and joined the cluster. - -19. As a final check, run the following `curl` request on the new node to confirm that {{es}} is still running properly and viewable at the new node’s `localhost` IP address. Note that you need to replace `$ELASTIC_PASSWORD` with the same `elastic` superuser password that you used on the first {{es}} node. - - ```sh - sudo curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic:$ELASTIC_PASSWORD https://localhost:9200 - ``` - - ```js - { - "name" : "Cp9oae6", - "cluster_name" : "elasticsearch", - "cluster_uuid" : "AT69_C_DTp-1qgIJlatQqA", - "version" : { - "number" : "{version_qualified}", - "build_type" : "{build_type}", - "build_hash" : "f27399d", - "build_flavor" : "default", - "build_date" : "2016-03-30T09:51:41.449Z", - "build_snapshot" : false, - "lucene_version" : "{lucene_version}", - "minimum_wire_compatibility_version" : "1.2.3", - "minimum_index_compatibility_version" : "1.2.3" - }, - "tagline" : "You Know, for Search" - } - ``` - - - -## Step 5: Set up additional {{es}} nodes [install-stack-self-elasticsearch-third] - -To set up your next {{es}} node, follow exactly the same steps as you did previously in [Step 4: Set up a second {{es}} node](#install-stack-self-elasticsearch-second). The process is identical for each additional {{es}} node that you would like to add to the cluster. As a recommended best practice, create a new enrollment token for each new node that you add. - - -## Step 6: Install {{kib}} [install-stack-self-kibana] - -As with {{es}}, you can use RPM to install {{kib}} on another host. You can find details about all of the following steps in the section [Install {{kib}} with RPM](../../../deploy-manage/deploy/self-managed/install-kibana-with-rpm.md#install-rpm). - -1. Log in to the host where you’d like to install {{kib}} and create a working directory for the installation package: - - ```shell - mkdir kibana-install-files - ``` - -2. Change into the new directory: - - ```shell - cd kibana-install-files - ``` - -3. Download the {{kib}} RPM and checksum file from the Elastic website. - - ```sh - wget https://artifacts.elastic.co/downloads/kibana/kibana-9.0.0-beta1-x86_64.rpm - wget https://artifacts.elastic.co/downloads/kibana/kibana-9.0.0-beta1-x86_64.rpm.sha512 - ``` - -4. Confirm the validity of the downloaded package by checking the SHA of the downloaded RPM against the published checksum: - - ```sh - shasum -a 512 -c kibana-9.0.0-beta1-x86_64.rpm.sha512 - ``` - - The command should return: `kibana--x86_64.rpm: OK`. - -5. Run the {{kib}} install command: - - ```sh - sudo rpm --install kibana-9.0.0-beta1-x86_64.rpm - ``` - -6. As with each additional {{es}} node that you added, to enable this {{kib}} instance to connect to the first {{es}} node, you need to configure an enrollment token. - - Return to your terminal shell into the first {{es}} node. - -7. Run the `elasticsearch-create-enrollment-token` command with the `-s kibana` option to generate a {{kib}} enrollment token: - - ```shell - sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana - ``` - -8. Copy the generated enrollment token from the command output. -9. Back on the {{kib}} host, run the following two commands to enable {{kib}} to run as a service using `systemd`, enabling {{kib}} to start automatically when the host system reboots. - - ```sh - sudo systemctl daemon-reload - sudo systemctl enable kibana.service - ``` - -10. Before starting the {{kib}} service there’s one configuration change to make, to set {{kib}} to run on the {{es}} host IP address. This is done by updating the settings in the `kibana.yml` file. For details about all available settings refer to [Configure {{kib}}](kibana://reference/configuration-reference/general-settings.md). -11. In a terminal, run the `ifconfig` command and copy the value for the host inet IP address. -12. Open the {{kib}} configuration file for editing: - - ```sh - sudo vim /etc/kibana/kibana.yml - ``` - -13. Uncomment the line `#server.host: localhost` and replace the default address with the inet value that you copied from the `ifconfig` command. For example: - - ```yaml - server.host: 10.128.0.28 - ``` - -14. Save your changes and close the editor. -15. Start the {{kib}} service: - - ```sh - sudo systemctl start kibana.service - ``` - - If you need to, you can stop the service by running `sudo systemctl stop kibana.service`. - -16. Run the `status` command to get details about the {{kib}} service. - - ```sh - sudo systemctl status kibana - ``` - -17. In the `status` command output, a URL is shown with: - - * A host address to access {{kib}} - * A six digit verification code - - For example: - - ```sh - Kibana has not been configured. - Go to http://10.128.0.28:5601/?code= to get started. - ``` - - Make a note of the verification code. - -18. Open a web browser to the external IP address of the {{kib}} host machine, for example: `http://:5601`. - - It can take a minute or two for {{kib}} to start up, so refresh the page if you don’t see a prompt right away. - -19. When {{kib}} starts you’re prompted to provide an enrollment token. Paste in the {{kib}} enrollment token that you generated earlier. -20. Click **Configure Elastic**. -21. If you’re prompted to provide a verification code, copy and paste in the six digit code that was returned by the `status` command. Then, wait for the setup to complete. -22. When you see the **Welcome to Elastic** page, provide the `elastic` as the username and provide the password that you copied in Step 1, from the `install` command output when you set up your first {{es}} node. -23. Click **Log in**. - -{{kib}} is now fully set up and communicating with your {{es}} cluster! - -**IMPORTANT: Stop here if you intend to configure SSL certificates.** - -::::{important} -For simplicity, in this tutorial we’re setting up all of the {{stack}} components without configuring security certificates. You can proceed to configure {{fleet}}, {{agent}}, and then confirm that your system data appears in {{kib}}. - -However, in a production environment, before going further to install {{fleet-server}} and {{agent}} it’s recommended to update your security settings to use trusted CA-signed certificates as described in [Tutorial 2: Securing a self-managed {{stack}}](../../../deploy-manage/security/secure-your-cluster-deployment.md). - -After new security certificates are configured any {{agent}}s would need to be reinstalled. If you’re currently setting up a production environment, we recommend that you jump directly to Tutorial 2, which includes steps to secure the {{stack}} using certificates and then to set up {{fleet}} and {{agent}} with those certificates already in place. - -:::: - - - -## Step 7: Install {{fleet-server}} [install-stack-self-fleet-server] - -Now that {{kib}} is up and running, you can install {{fleet-server}}, which will manage the {{agent}} that you’ll set up in a later step. If you need more detail about these steps, refer to [Deploy on-premises and self-managed](/reference/fleet/add-fleet-server-on-prem.md) in the {{fleet}} and {{agent}} Guide. - -1. Log in to the host where you’d like to set up {{fleet-server}}. -2. Create a working directory for the installation package: - - ```shell - mkdir fleet-install-files - ``` - -3. Change into the new directory: - - ```shell - cd fleet-install-files - ``` - -4. In the terminal, run `ifconfig` and copy the value for the host inet IP address (for example, `10.128.0.84`). You’ll need this value later. -5. Back to your web browser, open the {{kib}} menu and go to **Management → Fleet**. {{fleet}} opens with a message that you need to add a {{fleet-server}}. -6. Click **Add Fleet Server**. The **Add a Fleet Server** flyout opens. -7. In the flyout, select the **Quick Start** tab. -8. Specify a name for your {{fleet-server}} host, for example `Fleet Server`. -9. Specify the host URL where {{agents}} will reach {{fleet-server}}, for example: `http://10.128.0.203:8220`. This is the inet value that you copied from the `ifconfig` output. - - Be sure to include the port number. Port `8220` is the default used by {{fleet-server}} in an on-premises environment. Refer to [Default port assignments](/reference/fleet/add-fleet-server-on-prem.md#default-port-assignments-on-prem) in the on-premises {{fleet-server}} install documentation for a list of port assignments. - -10. Click **Generate Fleet Server policy**. A policy is created that contains all of the configuration settings for the {{fleet-server}} instance. -11. On the **Install Fleet Server to a centralized host** step, for this example we select the **Linux Tar** tab, but you can instead select the tab appropriate to the host operating system where you’re setting up {{fleet-server}}. - - Note that TAR/ZIP packages are recommended over RPM/DEB system packages, since only the former support upgrading {{fleet-server}} using {{fleet}}. - -12. Copy the generated commands and then run them one-by-one in the terminal on your {{fleet-server}} host. - - These commands will, respectively: - - 1. Download the {{fleet-server}} package from the {{artifact-registry}}. - 2. Unpack the package archive. - 3. Change into the directory containing the install binaries. - 4. Install {{fleet-server}}. - - If you’d like to learn about the install command options, refer to [`elastic-agent install`](/reference/fleet/agent-command-reference.md#elastic-agent-install-command) in the {{agent}} command reference. - -13. At the prompt, enter `Y` to install {{agent}} and run it as a service. Wait for the installation to complete. -14. In the {{kib}} **Add a Fleet Server** flyout, wait for confirmation that {{fleet-server}} has connected. -15. For now, ignore the **Continue enrolling Elastic Agent** option and close the flyout. - -{{fleet-server}} is now fully set up! - - -## Step 8: Install {{agent}} [install-stack-self-elastic-agent] - -Next, you’ll install {{agent}} on another host and use the System integration to monitor system logs and metrics. - -1. Log in to the host where you’d like to set up {{agent}}. -2. Create a working directory for the installation package: - - ```shell - mkdir agent-install-files - ``` - -3. Change into the new directory: - - ```shell - cd agent-install-files - ``` - -4. Open {{kib}} and go to **Management → Fleet**. -5. On the **Agents** tab, you should see your new {{fleet-server}} policy running with a healthy status. -6. Open the **Settings** tab. -7. Reopen the **Agents** tab and select **Add agent**. The **Add agent** flyout opens. -8. In the flyout, choose a policy name, for example `Demo Agent Policy`. -9. Leave **Collect system logs and metrics** enabled. This will add the [System integration](https://docs.elastic.co/integrations/system) to the {{agent}} policy. -10. Click **Create policy**. -11. For the **Enroll in Fleet?** step, leave **Enroll in Fleet** selected. -12. On the **Install Elastic Agent on your host** step, for this example we select the **Linux Tar** tab, but you can instead select the tab appropriate to the host operating system where you’re setting up {{fleet-server}}. - - As with {{fleet-server}}, note that TAR/ZIP packages are recommended over RPM/DEB system packages, since only the former support upgrading {{agent}} using {{fleet}}. - -13. Copy the generated commands. -14. In the `sudo ./elastic-agent install` command, make two changes: - - 1. For the `--url` parameter, check that the port number is set to `8220` (used for on-premises {{fleet-server}}). - 2. Append an `--insecure` flag at the end. - - ::::{tip} - If you want to set up secure communications using SSL certificates, refer to [Tutorial 2: Securing a self-managed {{stack}}](../../../deploy-manage/security/secure-your-cluster-deployment.md). - :::: - - - The result should be like the following: - - ```shell - sudo ./elastic-agent install --url=https://10.128.0.203:8220 --enrollment-token=VWCobFhKd0JuUnppVYQxX0VKV5E6UmU3BGk0ck9RM2HzbWEmcS4Bc1YUUM== - ``` - -15. Run the commands one-by-one in the terminal on your {{agent}} host. The commands will, respectively: - - 1. Download the {{agent}} package from the {{artifact-registry}}. - 2. Unpack the package archive. - 3. Change into the directory containing the install binaries. - 4. Install {{agent}}. - -16. At the prompt, enter `Y` to install {{agent}} and run it as a service. Wait for the installation to complete. - - If everything goes well, the install will complete successfully: - - ```shell - Elastic Agent has been successfully installed. - ``` - -17. In the {{kib}} **Add agent** flyout, wait for confirmation that {{agent}} has connected. -18. Close the flyout. - -Your new {{agent}} is now installed an enrolled with {{fleet-server}}. - - -## Step 9: View your system data [install-stack-self-view-data] - -Now that all of the components have been installed, it’s time to view your system data. - -View your system log data: - -1. Open the {{kib}} menu and go to **Analytics → Dashboard**. -2. In the query field, search for `Logs System`. -3. Select the `[Logs System] Syslog dashboard` link. The {{kib}} Dashboard opens with visualizations of Syslog events, hostnames and processes, and more. - -View your system metrics data: - -1. Open the {{kib}} menu and return to **Analytics → Dashboard**. -2. In the query field, search for `Metrics System`. -3. Select the `[Metrics System] Host overview` link. The {{kib}} Dashboard opens with visualizations of host metrics including CPU usage, memory usage, running processes, and others. - - :::{image} /raw-migrated-files/images/elastic-stack-install-stack-metrics-dashboard.png - :alt: The System metrics host overview showing CPU usage, memory usage, and other visualizations - ::: - - -Congratulations! You’ve successfully set up a three node {{es}} cluster, with {{kib}}, {{fleet-server}}, and {{agent}}. - - -## Next steps [install-stack-self-next-steps] - -Now that you’ve successfully configured an on-premises {{stack}}, you can learn how to configure the {{stack}} in a production environment using trusted CA-signed certificates. Refer to [Tutorial 2: Securing a self-managed {{stack}}](../../../deploy-manage/security/secure-your-cluster-deployment.md) to learn more. - -You can also start using your newly set up {{stack}} right away: - -* Do you have data ready to ingest? Learn how to [add data to Elasticsearch](../../../manage-data/ingest.md). -* Use [Elastic {{observability}}](https://www.elastic.co/observability) to unify your logs, infrastructure metrics, uptime, and application performance data. -* Want to protect your endpoints from security threats? Try [{{elastic-sec}}](https://www.elastic.co/security). Adding endpoint protection is just another integration that you add to the agent policy!