Note the following:
If you are deploying a signed installer, you need to import the public key to the operating system. The public key is valid for six months.
If you are installing on an Oracle Linux operating system, you need to manually Install Docker.
If you are installing on RHEL v7 or CentOS v7, you need Mirantis Container Runtime (formerly Docker Engine - Enterprise) or Red Hat's Docker distribution to run specific Docker-dependent integrations and automations. For more information see Install Docker Distribution for Red Hat on Cortex XSOAR.
Installation File Structure
The following is the file and folder structure in a standard Cortex XSOAR installation.
By default, the .sh file is in /home/<user-name>
. The .sh file installs the demistoserver_xxxxx.amd64.deb
file in /usr/local/demisto
folder. You can change the default folder, if necessary.
Asset | Path |
---|---|
Binaries |
|
Data |
|
Logs |
|
Configuration |
|
Reports |
|
Install Log |
|
If you want to create different mounts for the /var/lib/demisto
, /var/lib/docker
, and /tmp
partitions, it is recommended to allocate the following space to each partition (dependent on the expected amount of data, and the size of your incidents and indicators).
/var/lib/demisto
: 200 GB (development) 1000 GB (production)If using Elasticsearch, see Elasticsearch System Requirements.
If using Docker -
/var/lib/docker
: 70 GB (development) 150 GB (production)If using Podman -
/home
: 70 GB (development) 150 GB (production)/tmp
: 10 GB (development and production)
Prerequisites
Verify the following information and requirements before you install Cortex XSOAR.
Your installation meets the system requirements.
You have root access.
Download Cortex XSOAR from the link that you received from Cortex XSOAR Support by running the following command.
wget -O demisto.sh “
<downloadLink>
”Note
When you receive a link to download, ensure that the
downloadLink
link refers tohttps://download.demisto.com
and nothttps://download.demisto.works
.For example,
wget -O demisto.sh “https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept”
To download the latest vendor affirmed FIPS version, append
&downloadName=fips
. For example,wget -O demisto.sh “https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept&downloadName=fips”
(Optional) If you are deploying Cortex XSOAR using a signed installer (GPG), you need to import the GPG public key that was provided with the signed installer.
For example, you can use the
rpm --import public.key
command to import the public key into the local GPG keyring. Note that each operating system has specific requirements.(Optional) If you are deploying Cortex XSOAR using a signed installer (GPG) you might need to manually install the
makeself
package by running theyum install makeself
command.Run the
chmod +x demisto.sh
command to convert the.sh
file to an executable file.Execute the
.sh
file, by running the following command.sudo ./demisto.sh
Accept the EULA and add the information when prompted.
The Server HTTPS port (default is 443)
Type
No
when asked if you are connecting to an Elasticsearch database.Type the name of the Admin user (default is admin).
Type the password (default is admin).
(Optional) After the installation has completed, do the following:
Confirm that the Cortex XSOAR server status is active, by running the
systemctl status demisto
command.If the server is not active, run the
systemctl start demisto
command to start the server.Confirm that the Docker service status is active, by running the
systemctl status docker
command.In a web browser, go to the
https://
to verify that Cortex XSOAR was successfully installed.serverURL
:port
When you open Cortex XSOAR for the first time you need to add the license.
Troubleshooting
In some cases, due to moving previous installation files, the installation can fail and the following error message is displayed:
mv: cannot stat '/var/lib/dpkg/info/demistoserver.postrm': No such file or directory Failed to execute: 'mv': exit status 1
There are two options to resolve this issue:
Make a note of the path to the
demistoserver.postrm
file. Rerun the installation using this path for the ---prev-uninstall-script
flag. Example:-- -prev-uninstall-script="/path/to/demistoserver.postrm"
Rerun the installation with the flag
-- -use-prev-uninstall-script=true
. Note that if you use this flag and have previously created a special ID & group for demisto users, the demisto user and group are deleted and recreated during installation.