Install the Server with Elasticsearch - Install Cortex XSOAR with Elasticsearch as the database. Prerequisites and instructions for installing a new Cortex XSOAR environment with Elasticsearch. - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide
Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2025-10-27
End_of_Life
EoL
Category
Administrator Guide
Abstract

Install Cortex XSOAR with Elasticsearch as the database. Prerequisites and instructions for installing a new Cortex XSOAR environment with Elasticsearch.

Verify the following information and requirements before you install Cortex XSOAR with Elasticsearch.

  • Your deployment meets the minimum system requirements.System Requirements

  • Your Elasticsearch deployment meets the Elasticsearch System Requirements.Elasticsearch System Requirements

  • You have root access.

  • Elasticsearch 7.x is installed. Elasticsearch should not be installed on the same server as Cortex XSOAR.

  • The production server has Python 2.7 or 3.x.

Elasticsearch is a distributed, open source search and analytics engine for all types of data. It enables processing and storing large amounts of data. In Cortex XSOAR v6.1 and later, if you are using Elasticsearch as your database, all objects are stored in Elasticsearch.

Note

Working with Elasticsearch for only indicators or audit logs is no longer supported.

The following diagram depicts a Cortex XSOAR environment with Elasticsearch.

xsoar-elasticsearch-install.png

Note

It is recommended to install the Elasticsearch Monitoring content pack from the Marketplace to monitor Elasticsearch. After installation, add the Elasticsearch Monitoring dashboard, which includes various widgets to monitor Elasticsearch cluster status and track statistics.

How to install Cortex XSOAR with Elasticsearch

  1. Log in to Cortex Gateway.

  2. In the Available for Activation section, use the serial number to locate the tenant to download.

    By default, the Production-Standalone license is selected. You can also select Dev.

    If you want to use a production and a development tenant with a private remote repository, select Dev. If you don't select it now, you can install a development tenant later.

  3. Select Download On Prem.

  4. Under Choose Download Option, select Installer.

  5. Select the checkbox to agree to the terms and conditions of the license and click Download.

    Tip

    In Google Chrome, to download the image and license files together, you may need to set the browser SettingsPrivacy and securitySite settingsAdditional permissionsAutomatic downloads to the default behavior Sites can ask to automatically download multiple files.

    Two files download: the demistoserver-xxxxx.sh installer file and a zipped JSON license file.

    Note

    You can copy the download link button from the Downloads section in your browser to get the token needed for offline installation.

  6. Click Next.

  7. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG), you need to import the GPG public key that was provided with the signed installer.

    For example, you can use the rpm --import public.key command to import the public key into the local GPG keyring. Note that each operating system has specific requirements.

  8. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG) you might need to manually install the makeself package by running the yum install makeself command.

  9. Run the chmod +x demistoserver-xxxx.sh command to convert the .sh file to an executable file.

  10. Install the app server with Elasticsearch by running one of the following commands:

    • If using username and password authentication: sudo ./demisto.sh -- -elasticsearch-url=<elastic search url address> -elasticsearch-username=<the elasticsearch user name> -elasticsearch-password=<the elasticsearch password>

    • If using API key authentication: sudo ./demisto.sh -- -elasticsearch-url=<elastic search url address> -elasticsearch-api-key=<the elasticsearch API key>

    Flag

    Type

    Description

    -elasticsearch-url

    String

    Elasticsearch URL addresses (comma-separated). For example, http://test1:9200,http://test2:9200

    -elasticsearch-api-key

    String

    The Elasticsearch API key, which should be used in licensed versions.

    Note: If you use this flag, you do not need to use the -elasticsearch-username and -elasticsearch-password flags.

    -elasticsearch-username

    String

    The Elasticsearch username. This flag is used with the -elasticsearch-password flag.

    Note: If you use this flag, you do not need to use the -elasticsearch-api-key flag.

    -elasticsearch-password

    String

    The Elasticsearch password. This flag is used with the -elasticsearch-username flag.

    Note: If you use this flag, you do not need to use the -elasticsearch-api-key flag.

    -elasticsearch-proxy=

    Boolean

    Whether to use a proxy when communicating with Elasticsearch. Can be true or false. Default is false.

    -elasticsearch-insecure=

    Boolean

    Whether to trust any certificate when communicating with Elasticsearch. Can be true or false. Default is false.

    -elasticsearch-timeout

    Integer

    The amount of time (in seconds) before Elasticsearch times out. Default is 20 seconds.

    -elasticsearch-prefix

    String

    Defines the unique prefix a Cortex XSOAR server uses when naming the Elasticsearch indices it creates

  11. Accept the EULA and add the information when prompted.

  12. (Optional) After the installation has completed, do the following:

    1. Confirm that the Cortex XSOAR server status is active, by running the systemctl status demisto command.

      If the server is not active, run the systemctl start demisto command to start the server.

    2. Confirm that the Docker service status is active, by running the systemctl status docker command.

    3. In a web browser, go to the https://serverURL:port to verify that Cortex XSOAR was successfully installed.

      When you open Cortex XSOAR for the first time you need to add the license.