Elasticsearch Installation - Installation Guide - 6.13 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Installation Guide

Product
Cortex XSOAR
Version
6.13
Creation date
2024-04-15
Last date published
2024-10-09
Category
Installation Guide
Abstract

Instructions for installing a single server deployment with an Elasticsearch database.

The following provides instructions for installing a new Cortex XSOAR environment with Elasticsearch.

Prerequisites

Verify the following information and requirements before you install Cortex XSOAR with Elasticsearch.

  • Your deployment meets the Elasticsearch System Requirements.Elasticsearch System Requirements

  • You have root access.

  • Elasticsearch is installed. Elasticsearch should not be installed on the same server as Cortex XSOAR.

  • The production server has Python 2.7 or 3.x.

  • If you are installing on an Oracle Linux operating system, you need to manually Install Docker.Docker Installation

  • If you are installing on CentOS v7, you need Mirantis Container Runtime (formerly Docker Engine - Enterprise) or Red Hat's Docker distribution to run specific Docker-dependent integrations and automations. For more information see Install Docker Distribution for Red Hat on Cortex XSOAR.Install Docker Distribution for Red Hat on Cortex XSOAR

If you are deploying a signed installer, you need to import the public key to the operating system. The public key is valid for six months.

It is recommended to install the Elasticsearch Monitoring content pack from the Marketplace to monitor Elasticsearch. After installation, add the Elasticsearch Monitoring dashboard, which includes various widgets to monitor Elasticsearch cluster status and track statistics.

Installation File Structure

For information about the default installation file structure, see Installation File Structure.

Installer Flags

For the list of supported installer flags, see Elasticsearch Installer Flags

  1. Download Cortex XSOAR from the link that you received from Cortex XSOAR Support by running the following command.

    wget -O demisto.sh “<downloadLink>

    Note

    When you receive a link to download, ensure that the downloadLink link refers to https://download.demisto.com and not https://download.demisto.works.

    For example, wget -O demisto.sh “https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept”

    To download the latest vendor affirmed FIPS version, append &downloadName=fips. For example, wget -O demisto.sh “https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept&downloadName=fips”

  2. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG), you need to import the GPG public key that was provided with the signed installer.

    For example, you can use the rpm --import public.key command to import the public key into the local GPG keyring. Note that each operating system has specific requirements.

  3. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG) you might need to manually install the makeself package by running the yum install makeself command.

  4. Run the chmod +x demistoserver-xxxx.sh command to convert the .sh file to an executable file.

  5. To install the app server with Elasticsearch, run one of the following commands:

    • If using username and password authentication: sudo ./demisto.sh -- -elasticsearch-url=<elastic search url address> -elasticsearch-username=<the elasticsearch user name> -elasticsearch-password=<the elasticsearch password>

    • If using API key authentication: sudo ./demisto.sh -- -elasticsearch-url=<elastic search url address> -elasticsearch-api-key=<the elasticsearch API key>

  6. Accept the EULA and add the information when prompted.

  7. (Optional) After the installation has completed, do the following:

    1. Confirm that the Cortex XSOAR server status is active, by running the systemctl status demisto command.

      If the server is not active, run the systemctl start demisto command to start the server.

    2. Confirm that the Docker service status is active, by running the systemctl status docker command.

    3. In a web browser, go to the https://serverURL:port to verify that Cortex XSOAR was successfully installed.

      When you open Cortex XSOAR for the first time you need to add the license.