Install Cortex XSOAR for a Single Server Deployment - Administrator Guide - 6.8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.8
Creation date: 2022-09-28
Last date published: 2024-04-08
End of Life: EoL
Category: Administrator Guide
Abstract

Installation instructions for standard Cortex XSOAR single server deployments, with the app server and database server on the same machine. Minimum requirements.

In a standard Cortex XSOAR deployment, the app server and database server are installed on the same machine.

If you are deploying a signed installer:

  • You need to import the public key to the operating system. The public key is valid for six months.

  • If you are using engines or hosts in a multi-tenant environment, you need to install makeself.

Installation File Structure

This is the file and folder structure in a standard Cortex XSOAR installation.

By default, the .sh file is in /home/<user-name>. The .sh file installs the demistoserver_xxxxx.amd64.deb file in the /usr/local/demisto folder. You can change the default folder, if necessary.

Asset           Path
Binaries        /usr/local/demisto
Data            /var/lib/demisto
Logs            /var/log/demisto
Configuration   /etc/demisto.conf (not created if defaults are selected during installation)
Reports         /tmp/demisto_install.log
Install Log     /tmp/demisto_install.log

If you want to create different mounts for the /var/lib/demisto, /var/lib/docker, and /tmp partitions, it is recommended to allocate the following space to each partition (dependent on the expected amount of data, and the size of your incidents and indicators).

  • /var/lib/demisto: 200 GB (development) 1000 GB (production)

    If using Elasticsearch, see Elasticsearch System Requirements.

  • If using Docker - /var/lib/docker: 70 GB (development) 150 GB (production)

  • If using Podman - /home: 70 GB (development) 150 GB (production)

  • /tmp: 10 GB (development and production)

Prerequisites

Verify the following information and requirements before you install Cortex XSOAR.

  1. Download Cortex XSOAR from the link that you received from Cortex XSOAR Support by running the following command.

    wget -O demisto.sh "<downloadLink>"

    Note

    When you receive a link to download, ensure that the downloadLink link refers to https://download.demisto.com and not https://download.demisto.works.

    For example, wget -O demisto.sh "https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept"

    Keep the link in double quotes: the & characters in the query string would otherwise be interpreted by the shell.

    To download the latest vendor-affirmed FIPS version, append &downloadName=fips. For example, wget -O demisto.sh "https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept&downloadName=fips"

  2. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG), you need to import the GPG public key that was provided with the signed installer.

    For example, you can use the rpm --import public.key command to import the public key into the local GPG keyring. Note that each operating system has specific requirements.

  3. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG) you might need to manually install the makeself package by running the yum install makeself command.

  4. Run the chmod +x demisto.sh command to make the .sh file executable.

  5. Execute the .sh file by running the following command.

    sudo ./demisto.sh

  6. Accept the EULA and add the information when prompted.

    1. The Server HTTPS port (default is 443)

    2. If you are using Elasticsearch, enter the Elasticsearch details, such as the URL, timeout, etc.

    3. Type the name of the Admin user (default is admin).

    4. Type the password (default is admin).

  7. (Optional) After the installation has completed, do the following:

    1. Confirm that the Cortex XSOAR server status is active by running the systemctl status demisto command.

      If the server is not active, run the systemctl start demisto command to start the server.

    2. Confirm that the Docker service status is active, by running the systemctl status docker command.

    3. In a web browser, go to the https://serverURL:port to verify that Cortex XSOAR was successfully installed.

      When you open Cortex XSOAR for the first time you need to add the license.
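As an added example (not part of the guide), a small POSIX shell helper that covers the download, key import and post-install checks from the steps above. It assumes wget, rpm and systemctl are present on the host; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Cortex XSOAR guide: pre-flight helpers for the
# download and post-install steps above. Assumes wget, rpm and systemctl are
# present on the host; function names are my own.
set -eu

# The guide warns that the link must point at https://download.demisto.com and
# not https://download.demisto.works. Accept only that exact origin, so a
# lookalike host (download.demisto.com.example, user@host forms) is rejected.
check_download_link() {
    case "$1" in
        https://download.demisto.com/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 1 and 4: fetch the installer and make it executable. The URL stays in
# double quotes because the '&' separators in the query string would
# otherwise be parsed by the shell as background operators.
fetch_installer() {
    url="$1"; out="${2:-demisto.sh}"
    if ! check_download_link "$url"; then
        echo "refusing download link outside https://download.demisto.com: $url" >&2
        return 1
    fi
    wget -O "$out" "$url"
    chmod +x "$out"
}

# Step 2 (signed installer): import the public key shipped with it into the
# RPM keyring; the guide notes that other operating systems differ.
import_signing_key() {
    key="$1"
    if [ ! -r "$key" ]; then
        echo "cannot read public key: $key" >&2
        return 1
    fi
    sudo rpm --import "$key"
}

# Step 7: confirm that the demisto and docker units are active. Returns 1 and
# names any unit that is not running, with the start command the guide gives.
post_install_check() {
    rc=0
    for unit in demisto docker; do
        if systemctl is-active --quiet "$unit"; then
            echo "$unit: active"
        else
            echo "$unit: not active (run: sudo systemctl start $unit)" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Source the file, then call fetch_installer with the link from Support, import_signing_key with the provided public key, and post_install_check once the installer has finished.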

Troubleshooting

In some cases, due to moving previous installation files, the installation can fail and the following error message is displayed:

mv: cannot stat '/var/lib/dpkg/info/demistoserver.postrm': No such file or directory
Failed to execute: 'mv': exit status 1

There are two options to resolve this issue:

  • Make a note of the path to the demistoserver.postrm file. Rerun the installation using this path for the -- -prev-uninstall-script flag. Example: -- -prev-uninstall-script="/path/to/demistoserver.postrm"

  • Rerun the installation with the flag -- -use-prev-uninstall-script=true. Note that if you use this flag and have previously created a special ID & group for demisto users, the demisto user and group are deleted and recreated during installation.
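The following is an added example, not from the guide, that chooses between the two rerun options above: it searches a given directory for the leftover demistoserver.postrm and, when it has to fall back to -use-prev-uninstall-script=true, warns if a demisto account would be deleted and recreated. The function names and the search-root argument are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the Cortex XSOAR guide: pick the rerun flag for the
# "mv: cannot stat ... demistoserver.postrm" failure described above. Function
# names and the search-root argument are my own.
set -eu

# Locate a demistoserver.postrm that a previous installation left behind
# (the guide's default path is /var/lib/dpkg/info). Prints the first match,
# or nothing when none is found.
find_postrm() {
    find "$1" -type f -name demistoserver.postrm 2>/dev/null | head -n 1
}

# The guide warns that -use-prev-uninstall-script=true deletes and recreates
# the demisto user and group, which loses a deliberately chosen ID. Returns 0
# when a demisto account exists in the given passwd-format file.
has_demisto_user() {
    grep -q '^demisto:' "$1"
}

# Print the installer arguments for the rerun. The explicit script path is
# preferred; the recreate-the-user flag is the fallback, with a warning when
# a demisto account would be recreated.
# Usage: sudo ./demisto.sh $(rerun_args /var/lib /etc/passwd)
rerun_args() {
    search_root="$1"; passwd_file="$2"
    postrm=$(find_postrm "$search_root")
    if [ -n "$postrm" ]; then
        printf '%s\n' "-- -prev-uninstall-script=$postrm"
    else
        if has_demisto_user "$passwd_file"; then
            echo "warning: no postrm found; the demisto user and group will be deleted and recreated, record their current uid/gid first" >&2
        fi
        printf '%s\n' "-- -use-prev-uninstall-script=true"
    fi
}
```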

Installer Flags
Abstract

List of supported flags for installing Cortex XSOAR.

The following information applies to both single server and multi-tenant installations.

The following is the list of supported flags that follow the -- separator for installing Cortex XSOAR.

Flag                         Type     Description
-C                           N/A      (CentOS) Tells yum to run entirely from system cache, and does not download or update any headers unless it has to perform the requested action.
-backup                      Boolean  Whether to back up server data when upgrading the Cortex XSOAR server. Default is true.
-backup-tenants              Boolean  Whether to back up server data for tenants when upgrading the Cortex XSOAR server. Default is true.
-conffile                    String   The server .conf file. The default location is /etc/demisto.conf.
-data-dir                    String   Provides a custom data directory, different from the default /var/lib/demisto directory. Example: sudo ./demisto.sh -- -data-dir /xsoar
-distro                      String   Forces the Linux distro (such as CentOS, Debian, or Debian New).
-do-not-start-server         N/A      Prevents starting the server when the installation or upgrade is complete.
-dr                          N/A      Sets up the disaster recovery server.
-elasticsearch-url           String   Elasticsearch URL addresses (comma-separated). For example, http://test1:9200,http://test2:9200
-elasticsearch-api-key       String   The Elasticsearch API key, which should be used in licensed versions.
-elasticsearch-username      String   The Elasticsearch username.
-elasticsearch-password      String   The Elasticsearch password.
-elasticsearch-proxy         Boolean  Whether to use a proxy when communicating with Elasticsearch. Can be true or false. Default is false.
-elasticsearch-insecure      Boolean  Whether to trust any certificate when communicating with Elasticsearch. Can be true or false. Default is false.
-elasticsearch-timeout       Integer  The amount of time (in seconds) before Elasticsearch times out. Default is 20 seconds.
-elasticsearch-prefix        String   Defines the unique prefix a Cortex XSOAR server uses when naming the Elasticsearch indices it creates.
-external-address            String   The external address of the instance during installation.
-git                         Boolean  Whether to install Cortex XSOAR git. Default is true.
-h                           N/A      Displays installation help.
-index-entries               Boolean  Whether to index entries.
-otc                         String   The one-time configuration file. The default location is /var/lib/demisto/otc.conf.json.
-prev-uninstall-script       String   The path for the uninstall script. The default location is /var/lib/dpkg/info/demistoserver.postrm.
-purge                       N/A      Removes the existing Cortex XSOAR installation.
-restore-entries             Boolean  Whether to restore the entries index. Default is true.
-system-user-name=           String   Overrides the default Cortex XSOAR system user name at installation.
-system-group-name=          String   Overrides the default Cortex XSOAR system group name at installation.
-temp-folder                 String   Replaces the temp folder (located in /var/lib/demisto/temp) with temp-folder at installation. Useful when you cannot access the temp folder due to permission or storage issues.
-tools                       Boolean  Installs the required tools. Default is true.
-use-prev-uninstall-script   N/A      (For Cortex XSOAR upgrades) The script that deletes the Cortex XSOAR user and group is not run.
-y                           N/A      Answers all installer questions with y/yes, including the Cortex XSOAR EULA.

Flags that precede and include the -- separator

Use the following flags to get help or information about the ./demisto.sh file.

Flag     Description
--help   Prints the help message.
--info   Prints embedded information, including the title, default target directory, and embedded script.
--lsm    Prints an embedded LSM entry, if one exists.
--list   Prints a list of the files located in the archive.
--check  Checks the integrity of the archive.

Use the following flags to run the ./demisto.sh file.

Flag                  Description
--confirm             Prompts you to confirm before running an embedded script.
--quiet               Prints only error messages.
--accept              Accepts the Cortex XSOAR license.
--noexec              Does not run the embedded scripts.
--keep                Does not delete the target directory after running an embedded script.
--noprogress          Hides progress during decompression.
--nox11               Does not spawn an xterm.
--nochown             Does not change ownership of the extracted files to the current user.
--nodiskspace         Does not check for available disk space.
--target dir          Extracts directly to an absolute or relative target directory.
--tar arg1 [arg2...]  Accesses the archive contents through the tar command.