Install Elasticsearch and Kibana
In the previous post, we gathered all the required packages and transferred them to our air-gapped environment. In part 2, I’ll guide you through installing and connecting Elasticsearch and Kibana.
Install Elasticsearch
On the Elasticsearch server, navigate to the directory you copied the Elasticsearch Deb file to and run:
#replace X.X.X with your version
sudo dpkg -i elasticsearch-X.X.X-amd64.deb
This will install Elasticsearch and print the auto-generated password for the elastic superuser. Make a note of it: it is not stored anywhere you can read it back from, and you'll need it later.

Run the following commands to reload the systemd manager configuration, enable and start Elasticsearch:
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
I’m only using one node, but if you want to add another node to the cluster, generate an enrolment token:
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
We will be using the Kibana enrolment token. Generate it with the following command and make a note of the output (the token is only valid for 30 minutes, so generate it when you are ready to set up Kibana):
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
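Packages carried into an air-gapped environment by hand are exactly the ones worth verifying before you install them. The script below is an added example, not part of the original post: it checks the Deb against the .sha512 sidecar that Elastic publishes next to each download (assumed to have been transferred alongside the package), installs and starts the service, then polls the HTTPS endpoint with the CA the package generated at install time until the node answers. The password argument is assumed to be the one dpkg printed.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes the .deb and its
# .sha512 sidecar sit in the same directory and that you have the elastic
# password printed by dpkg. Run with RUN_INSTALL=1 to actually install.
set -eu

# Returns 0 if <file>.sha512 matches <file>. The sidecar lists the bare
# file name, so the check runs from inside the file's directory.
verify_sha512() {
    f=$1
    dir=$(dirname "$f")
    base=$(basename "$f")
    [ -r "$f.sha512" ] || { echo "missing $f.sha512" >&2; return 1; }
    (cd "$dir" && sha512sum -c "$base.sha512" >/dev/null 2>&1)
}

# Install only after the checksum passes, then enable and start the unit.
install_elasticsearch() {
    deb=$1
    verify_sha512 "$deb" || { echo "checksum mismatch, not installing" >&2; return 1; }
    sudo dpkg -i "$deb"
    sudo systemctl daemon-reload
    sudo systemctl enable elasticsearch
    sudo systemctl start elasticsearch
}

# Poll the cluster health endpoint over HTTPS, pinning the auto-generated
# HTTP CA so the check itself is not done with --insecure. Gives up after
# $2 attempts (default 30, two seconds apart).
wait_for_elasticsearch() {
    password=$1
    tries=${2:-30}
    ca=/etc/elasticsearch/certs/http_ca.crt
    i=0
    while [ "$i" -lt "$tries" ]; do
        if curl -fsS --cacert "$ca" -u "elastic:$password" \
            "https://localhost:9200/_cluster/health?wait_for_status=yellow&timeout=5s" \
            >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1))
        sleep 2
    done
    echo "Elasticsearch did not come up after $tries attempts" >&2
    return 1
}

# Usage (only runs when explicitly requested):
#   RUN_INSTALL=1 sh install-es.sh /tmp/elasticsearch-X.X.X-amd64.deb 'ELASTIC_PASSWORD'
if [ "${RUN_INSTALL:-0}" = 1 ]; then
    install_elasticsearch "$1"
    wait_for_elasticsearch "$2"
fi
```

If the checksum fails, stop: either the download was incomplete or the file was altered in transit, and neither is something to fix by re-running dpkg.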
Install Kibana
On the Kibana server, navigate to the directory you copied the Kibana Deb file to and run:
#replace X.X.X with your version
sudo dpkg -i kibana-X.X.X-amd64.deb
sudo /usr/share/kibana/bin/kibana-setup --enrollment-token <enrollment-token>
If you are accessing Kibana from anywhere other than the local host, you will need to edit the kibana.yml file to allow remote connectivity:
sudo nano /etc/kibana/kibana.yml
Uncomment the server.host line and set it to the address Kibana should listen on:
server.host: "your-kibana-ip"
Run the following commands to reload the systemd manager configuration, enable and start Kibana:
sudo systemctl daemon-reload
sudo systemctl enable kibana
sudo systemctl start kibana
Navigate to <your-kibana-ip>:5601 in a web browser and log in as elastic with the password that was auto-generated in the earlier steps. If required, you can reset the password with the following command (run it on the Elasticsearch server):
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

Enable TLS between Kibana and browser (optional)
If you have your own CA, use it to issue the Kibana certificate and follow this guide for the kibana.yml changes. If not, use the built-in elasticsearch-certutil tool to create a CA and a Kibana certificate as shown below.
Use the following command to generate a CA certificate and key.
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem
When prompted for the output file, name it ca.zip and unzip it (it contains ca/ca.crt and ca/ca.key). Use the following command to generate a Kibana certificate and key signed by that CA; the --dns and --ip values must match how the browser will address Kibana, otherwise the browser will reject the certificate even if it trusts the CA:
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --name kibana --ca-cert /usr/share/elasticsearch/ca/ca.crt --ca-key /usr/share/elasticsearch/ca/ca.key --dns <your-kibana-hostname> --ip <your-kibana-ip> --pem
Name it kibana.zip and unzip it (it contains kibana/kibana.crt and kibana/kibana.key).
Copy the cert and key to the Kibana server. If you are using the same server for Elasticsearch and Kibana, copy the files to /etc/kibana/ and make them owned by the kibana user (adjust the paths if you copied them somewhere else). Keep ca.key on the Elasticsearch server; Kibana only needs its own certificate and key:
sudo chown kibana:kibana /etc/kibana/kibana.crt /etc/kibana/kibana.key
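Before pointing kibana.yml at the files, it is worth confirming that the certificate actually chains to the CA, that it carries the DNS and IP SANs the browser will check, and that the private key is not readable by other users on the host. The script below is an added example, not part of the original post; the hostname, IP and paths in the usage line are illustrative assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check the Kibana
# certificate and key before enabling TLS. Paths and names are assumptions.
set -eu

# Return 0 if <cert> chains to <ca>. openssl verify also rejects a cert
# that is expired or not yet valid.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Return 0 if <cert> carries both DNS:<host> and IP:<ip> in subjectAltName.
# Browsers ignore the CN, so a missing SAN means a warning even with a
# trusted CA.
cert_has_san() {
    san=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
          | grep -A1 'Subject Alternative Name')
    echo "$san" | grep -q "DNS:$2" && echo "$san" | grep -q "IP Address:$3"
}

# Return 0 if <key> is owned by uid <uid> and readable only by its owner.
key_is_private() {
    perms=$(stat -c '%a' "$1")
    owner=$(stat -c '%u' "$1")
    [ "$owner" = "$2" ] && { [ "$perms" = "600" ] || [ "$perms" = "400" ]; }
}

# Run all three checks; prints the first failure and returns non-zero.
check_kibana_cert() {
    cert=$1; key=$2; ca=$3; host=$4; ip=$5; uid=$6
    cert_chains_to_ca "$cert" "$ca" || { echo "$cert does not chain to $ca" >&2; return 1; }
    cert_has_san "$cert" "$host" "$ip" || { echo "$cert lacks DNS:$host or IP:$ip SAN" >&2; return 1; }
    key_is_private "$key" "$uid" || { echo "$key must be owned by uid $uid with mode 600" >&2; return 1; }
}

# Usage on the Kibana host (only runs when explicitly requested):
#   sudo chmod 600 /etc/kibana/kibana.key
#   RUN_CHECK=1 sh check-kibana-cert.sh /etc/kibana/kibana.crt /etc/kibana/kibana.key \
#       /usr/share/elasticsearch/ca/ca.crt kibana.example.internal 10.0.0.5 "$(id -u kibana)"
if [ "${RUN_CHECK:-0}" = 1 ]; then
    check_kibana_cert "$@"
fi
```

The key-permission check is the one most often skipped: the chown on its own leaves the key with whatever mode it had when unzipped, so tighten it to 600 as well.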
Update the kibana.yml file to enable TLS and reference the certificate and key:
sudo nano /etc/kibana/kibana.yml
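The relevant settings look like the excerpt below. This is an added example, not a copy of the original post's configuration; the address, hostname and file paths are illustrative assumptions. The elasticsearch.* lines that kibana-setup wrote when you enrolled Kibana stay as they are.

```yaml
# /etc/kibana/kibana.yml excerpt (added example; values are assumptions)

# Bind to the interface you reach Kibana on. "0.0.0.0" would bind every
# interface, so prefer the specific address and front it with a host firewall.
server.host: "10.0.0.5"
server.port: 5601
# The URL users type; must match the certificate's SANs and have no trailing slash.
server.publicBaseUrl: "https://kibana.example.internal:5601"

# Serve Kibana over TLS with the certificate issued by your CA or by
# elasticsearch-certutil. The key file should be mode 600, owned by kibana.
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana.crt
server.ssl.key: /etc/kibana/kibana.key
```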

Restart the kibana service:
sudo systemctl restart kibana
Now, when you connect to Kibana through the browser, ensure you use https://<kibana-ip>:5601

Your browser will warn that it does not trust the certificate. Click Advanced and continue to the Kibana server.
If you used elasticsearch-certutil, the certificate is signed by a CA the browser does not know about; add ca.crt to the trusted certificate authorities on your device to avoid the warning.
Next time…
Now that we have Elasticsearch and Kibana up and running, we are ready to set up Fleet. See you in part 3!