Installation instructions for standard Cortex XSOAR single server deployments, with the app server and database server on the same machine, and the minimum requirements.
In a standard Cortex XSOAR deployment, the app server and database server are installed on the same machine.
If you are deploying a signed installer, note the following:
- You need to import the public key to the operating system. The public key is valid for six months.
- If you are using engines or hosts in a multi-tenant environment, you need to install `makeself`.
Installation File Structure
This is the file and folder structure in a standard Cortex XSOAR installation.
By default, the .sh file is in `/home/<user-name>`. The .sh file installs the `demistoserver_xxxxx.amd64.deb` file in the `/usr/local/demisto` folder. You can change the default folder, if necessary.
Asset | Path |
---|---|
Binaries | |
Data | |
Logs | |
Configuration | |
Reports | |
Install Log | |
If you want to create different mounts for the `/var/lib/demisto`, `/var/lib/docker`, and `/tmp` partitions, it is recommended to allocate the following space to each partition (dependent on the expected amount of data, and the size of your incidents and indicators).
- `/var/lib/demisto`: 200 GB (development), 1000 GB (production). If using Elasticsearch, see Elasticsearch System Requirements.
- If using Docker, `/var/lib/docker`: 70 GB (development), 150 GB (production).
- If using Podman, `/home`: 70 GB (development), 150 GB (production).
- `/tmp`: 10 GB (development and production).
Prerequisites
Verify the following information and requirements before you install Cortex XSOAR.
- Your deployment meets the minimum system requirements.
- You have root access.
1. Download Cortex XSOAR from the link that you received from Cortex XSOAR Support by running the following command.
   ```
   wget -O demisto.sh "<downloadLink>"
   ```
   Note: When you receive a link to download, ensure that the `downloadLink` link refers to https://download.demisto.com and not https://download.demisto.works. For example:
   ```
   wget -O demisto.sh "https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept"
   ```
   To download the latest vendor affirmed FIPS version, append `&downloadName=fips`. For example:
   ```
   wget -O demisto.sh "https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept&downloadName=fips"
   ```
2. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG), you need to import the GPG public key that was provided with the signed installer. For example, you can use the `rpm --import public.key` command to import the public key into the local GPG keyring. Note that each operating system has specific requirements.
3. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG), you might need to manually install the `makeself` package by running the `yum install makeself` command.
4. Run the `chmod +x demisto.sh` command to make the `.sh` file executable.
5. Execute the `.sh` file by running the following command.
   ```
   sudo ./demisto.sh
   ```
6. Accept the EULA and add the information when prompted.
   - The Server HTTPS port (default is 443).
   - If you are using Elasticsearch, enter the Elasticsearch details, such as the URL, timeout, etc.
   - Type the name of the Admin user (default is admin).
   - Type the password (default is admin).
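The download and chmod steps above as a small POSIX shell script, added here as an example and not taken from this page or from the Cortex XSOAR installer: it accepts the link only when the host is exactly download.demisto.com, as the note requires, optionally appends the documented FIPS selector, and only then runs the wget and chmod commands. The function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Cortex XSOAR installer or its documentation.
# Function names are hypothetical.

# check_download_link LINK
# Returns 0 only when LINK is HTTPS and its host is exactly download.demisto.com.
# The literal host match rejects lookalikes such as download.demisto.works or
# download.demisto.com.example.net, as well as plain http:// links.
check_download_link() {
  case "$1" in
    https://download.demisto.com/*) return 0 ;;
    *) return 1 ;;
  esac
}

# fips_download_link LINK
# Prints LINK with the documented FIPS selector appended.
fips_download_link() {
  printf '%s&downloadName=fips\n' "$1"
}

# fetch_installer LINK [fips]
# Validates LINK, optionally switches to the FIPS build, then downloads the
# installer as demisto.sh and makes it executable. Returns 1 without
# downloading anything when the link fails the host check.
fetch_installer() {
  link="$1"
  if ! check_download_link "$link"; then
    echo "refusing to download: link host is not download.demisto.com" >&2
    return 1
  fi
  if [ "${2:-}" = "fips" ]; then
    link=$(fips_download_link "$link")
  fi
  wget -O demisto.sh "$link" && chmod +x demisto.sh
}

# Usage (link is the one received from Support):
# fetch_installer "https://download.demisto.com/download-params?token=...&email=...&eula=accept"
# fetch_installer "https://download.demisto.com/download-params?token=...&email=...&eula=accept" fips
```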
(Optional) After the installation has completed, do the following:
- Confirm that the Cortex XSOAR server status is active by running the `systemctl status demisto` command. If the server is not active, run the `systemctl start demisto` command to start the server.
- Confirm that the Docker service status is active by running the `systemctl status docker` command.
- In a web browser, go to `https://serverURL:port` to verify that Cortex XSOAR was successfully installed.
When you open Cortex XSOAR for the first time you need to add the license.
Troubleshooting
In some cases, due to moving previous installation files, the installation can fail and the following error message is displayed:
```
mv: cannot stat '/var/lib/dpkg/info/demistoserver.postrm': No such file or directory Failed to execute: 'mv': exit status 1
```
There are two options to resolve this issue:
- Make a note of the path to the `demistoserver.postrm` file. Rerun the installation using this path for the `-- -prev-uninstall-script` flag. Example: `-- -prev-uninstall-script="/path/to/demistoserver.postrm"`
- Rerun the installation with the `-- -use-prev-uninstall-script=true` flag. Note that if you use this flag and have previously created a special ID & group for demisto users, the demisto user and group are deleted and recreated during installation.
Installer Flags
List of supported flags for installing Cortex XSOAR.
The following information applies to both single server and multi-tenant installations.
The following is the list of supported flags that follow the -- separator for installing Cortex XSOAR.
Flag | Type | Description |
---|---|---|
| | N/A | (CentOS) Tells yum to run entirely from system cache, and does not download or update any headers unless it has to perform the requested action. |
| | Boolean | Whether to back up server data when upgrading the Cortex XSOAR server. Default is |
| | Boolean | Whether to back up server data for tenants when upgrading the Cortex XSOAR server. Default is |
| | String | The server |
| | String | Used to provide a custom installation path, different from the default |
| | String | Forces the Linux distro (such as CentOS, Debian, or Debian New). |
| | N/A | Prevents starting the server when the installation or upgrade is complete. |
| | N/A | Sets up the disaster recovery server. |
| | String | Elasticsearch URL addresses (comma-separated). For example, |
| | String | The Elasticsearch API key, which should be used in licensed versions. |
| | String | The Elasticsearch username. |
| | String | The Elasticsearch password. |
| | Boolean | Whether to use a proxy when communicating with Elasticsearch. Can be |
| | Boolean | Whether to trust any certificate when communicating with Elasticsearch. Can be |
| | Integer | The amount of time (in seconds) before Elasticsearch times out. Default is 20 seconds. |
| | String | Defines the unique prefix a Cortex XSOAR server uses when naming the Elasticsearch indices it creates. |
| | String | The external address of the instance during installation. |
| | Boolean | Whether to install Cortex XSOAR git. Default is true. |
| | N/A | Displays installation help. |
| | Boolean | Whether to index entries. |
| | String | The one-time configuration file. The default location is |
| | String | The path for the uninstall script. The default location is |
| | N/A | Removes the existing Cortex XSOAR installation. |
| | Boolean | Restores the entries index. If |
| | String | When installing the server, you can select the default Cortex XSOAR user name. |
| | String | When installing the server, you can select the default Cortex XSOAR group name. |
| | String | Replaces the |
| | Boolean | Installs the required tools. The default is |
| | N/A | (For Cortex XSOAR upgrades) The script that deletes the Cortex XSOAR user and group is not run. |
| | N/A | Answers all installer questions with y/yes, including the Cortex XSOAR EULA. |
Flags that precede and include the -- separator
Use the following flags to get help or information about the `./demisto.sh` file.
Flag | Description |
---|---|
| | Prints a message. |
| | Prints embedded information, including title, default target directory, or embedded script. |
| | Prints an embedded LSM entry, if one exists. |
| | Prints a list of files located in the archive. |
| | Checks the integrity of the archive. |
Use the following flags to run the `./demisto.sh` file.
Flag | Description |
---|---|
| | Prompts you to confirm before running an embedded script. |
| | Prints only error messages. |
| | Accepts the Cortex XSOAR license. |
| | Embedded scripts are not run. |
| | The target directory is not deleted after running an embedded script. |
| | Progress is hidden during decompression. |
| | An xterm is not spawned. |
| | Extracted files are not given to users. |
| | Disk space is not checked for available space. |
| | Extracts directly to an absolute or relative target directory. |
| | Accesses the archive contents. |