# 2. Installing OpenDistro for Elasticsearch Plugins

Open Distro for Elasticsearch lets us add plugins to our Elastic stack. In particular, the security plugin secures the stack and adds features such as user and role management, and the alerting plugin lets us create monitoring rules and send alerts via Slack, webhooks and, more recently, email.

{% hint style="warning" %}
If you run a cluster of nodes, a plugin is only fully operational once it has been installed on every node.
{% endhint %}

{% hint style="info" %}
* Further information about Open Distro plugins can be found [here](https://opendistro.github.io/for-elasticsearch-docs/docs/install/plugins/)
* We are running Elasticsearch 7.8.0, so the compatible Open Distro plugin version is 1.9.0.0
{% endhint %}

## Disable XPACK security

First, disable X-Pack security on both Elasticsearch and Kibana by adding this line to their configuration files:

```yaml
xpack.security.enabled: false
```

## Installing Security plugin for Elasticsearch

Navigate to the Elasticsearch home directory (most likely, it is `/usr/share/elasticsearch`), and run the install command for each plugin.

```
$ sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-security/opendistro_security-1.9.0.0.zip
```

## Installing Alerting plugin for Elasticsearch

The alerting plugin depends on the job scheduler plugin, which must be installed first so that alerts can be sent and data snapshots taken.

### Job Scheduler Plugin

```
$ sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-job-scheduler/opendistro-job-scheduler-1.9.0.0.zip
```

### Alerting Plugin

```
$ sudo bin/elasticsearch-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-alerting/opendistro_alerting-1.9.0.1.zip
```

## Installing Security Plugin for Kibana

The Elasticsearch security plugin has a corresponding Kibana plugin, a useful addition that makes management tasks easy from a UI.

Navigate to the Kibana home directory (likely `/usr/share/kibana`) and run the install command for each plugin.

```
$ sudo bin/kibana-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-security/opendistro_security_kibana_plugin-1.9.0.0.zip --allow-root
```

This plugin provides a user interface for managing users, roles, mappings, action groups, and tenants.

## Installing Alerting Plugin for Kibana

This plugin provides a user interface for creating monitors and managing alerts.

```
$ sudo bin/kibana-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-alerting/opendistro-alerting-1.9.0.0.zip --allow-root
```

## Setting up default certificates

After installing the plugins we must restart Elasticsearch and Kibana so that they pick up the installed plugins. Before restarting them, we must run the following script to generate the default Open Distro certificates.

{% hint style="warning" %}
If you have a cluster, this step must be done on every Elasticsearch instance before restarting the Elasticsearch service.
{% endhint %}

```
$ chmod +x /usr/share/elasticsearch/plugins/opendistro_security/tools/install_demo_configuration.sh
$ /usr/share/elasticsearch/plugins/opendistro_security/tools/install_demo_configuration.sh
$ sudo systemctl restart elasticsearch
$ sudo systemctl restart kibana
```

The default credentials are **`admin:admin`**. To test that everything is working, check the Elasticsearch response by running the following command:

```
$ curl -XGET "https://localhost:9200/_cat/nodes?v" -u admin -k
```

{% hint style="warning" %}
Generating our own certificates is not within the scope of this blog, so make sure you replace these demo certificates before putting this into production.
{% endhint %}

After the restart you will notice some changes to the Elasticsearch configuration file:

```yaml
######## Start OpenDistro for Elasticsearch Security Demo Configuration ########
# WARNING: revise all the lines below before you go into production
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
######## End OpenDistro for Elasticsearch Security Demo Configuration ########
```

## Changing Logstash and Kibana's configuration

Since we installed the security plugin, all communication to our node is now over HTTPS, so we need to change the Logstash and Kibana configurations accordingly.

Copy the demo certificates to locations accessible to Kibana and Logstash and, if necessary, change the owner and group of the files.

```
$ cp /etc/elasticsearch/esnode.pem /etc/elasticsearch/esnode-key.pem /etc/elasticsearch/root-ca.pem /etc/kibana/
$ cp /etc/elasticsearch/root-ca.pem /etc/logstash/
$ chown logstash:logstash /etc/logstash/root-ca.pem
$ chown kibana:kibana /etc/kibana/esnode.pem /etc/kibana/esnode-key.pem /etc/kibana/root-ca.pem
```

### Kibana.yml

```yaml
server.port: 5601
server.host: "192.168.20.222"
server.name: "elk-allinone"
elasticsearch.hosts: ["https://localhost:9200"]
######### for demo purposes I am using the same user admin but you can create a dedicated user for communications between kibana and elasticsearch
elasticsearch.username: "admin"
elasticsearch.password: "admin"
xpack.security.enabled: false
######### Enable SSL #################
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/esnode.pem
server.ssl.key: /etc/kibana/esnode-key.pem
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/root-ca.pem" ]
elasticsearch.ssl.verificationMode: certificate
```

```
$ sudo systemctl restart kibana
```

### Logstash.yml

```yaml
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: admin
xpack.monitoring.elasticsearch.password: admin
xpack.monitoring.elasticsearch.hosts: ["https://192.168.20.22:9200"]
xpack.monitoring.elasticsearch.ssl.certificate_authority: /etc/logstash/root-ca.pem
xpack.monitoring.elasticsearch.ssl.verification_mode: none

```
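The demo configuration that `install_demo_configuration.sh` writes into `elasticsearch.yml`, and the Kibana and Logstash settings shown above, carry several values that are fine for a lab but must not reach production: demo certificates are trusted, the security index is auto-initialised, transport hostname verification is off, the `admin:admin` default is reused, and Logstash skips certificate verification. The audit script below is an added example, not part of the original post or of Open Distro; it greps each config file for those settings so they can be flagged before go-live. The file contents are constructed from the fragments on this page, and the hardened Logstash fragment (a keystore reference for the password and `verification_mode: certificate`, which Logstash accepts for this setting) is an assumption about what the corrected file would look like.

```shell
#!/bin/sh
# Added example (not from the original post): audit Elasticsearch, Kibana and
# Logstash config files for the demo/weak settings this page leaves in place.
# Each rule is "regex|reason"; the regex is anchored at the start of the line
# so "elasticsearch.password" never matches "xpack.monitoring.elasticsearch.password".
AUDIT_RULES='opendistro_security.allow_unsafe_democertificates: *true|demo certificates are accepted
opendistro_security.allow_default_init_securityindex: *true|security index is auto-initialised from demo files
opendistro_security.ssl.transport.enforce_hostname_verification: *false|transport hostname verification is disabled
elasticsearch.password: *"?admin"?[[:space:]]*$|Kibana still uses the default admin password
elasticsearch.ssl.verificationMode: *none|Kibana does not verify the Elasticsearch certificate
xpack.monitoring.elasticsearch.password: *"?admin"?[[:space:]]*$|Logstash still uses the default admin password
xpack.monitoring.elasticsearch.ssl.verification_mode: *none|Logstash does not verify the Elasticsearch certificate'

# audit_config LABEL CONTENT
# Prints "LABEL: reason (offending line)" for every rule that fires; prints
# nothing when the content is clean. Commented-out lines are ignored.
audit_config() {
    label="$1"
    content="$2"
    printf '%s\n' "$AUDIT_RULES" | while IFS='|' read -r pattern reason; do
        printf '%s\n' "$content" | grep -v '^[[:space:]]*#' |
            grep -E -- "^[[:space:]]*$pattern" |
            while IFS= read -r line; do
                printf '%s: %s (%s)\n' "$label" "$reason" "$line"
            done
    done
}

# count_findings LABEL CONTENT
# Number of findings; awk is used so an empty result yields 0 with exit status 0.
count_findings() {
    audit_config "$1" "$2" | awk 'END { print NR }'
}

# Constructed samples, taken from the fragments shown on this page.
ES_YML='opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true'

KIBANA_YML='elasticsearch.hosts: ["https://localhost:9200"]
######### for demo purposes I am using the same user admin
elasticsearch.username: "admin"
elasticsearch.password: "admin"
elasticsearch.ssl.verificationMode: certificate'

LOGSTASH_YML='xpack.monitoring.elasticsearch.password: admin
xpack.monitoring.elasticsearch.ssl.verification_mode: none'

# Constructed hardened Logstash fragment (assumption): the password comes from
# the Logstash keystore and the server certificate is verified against root-ca.pem.
HARDENED_LOGSTASH_YML='xpack.monitoring.elasticsearch.password: "${ES_PWD}"
xpack.monitoring.elasticsearch.ssl.certificate_authority: /etc/logstash/root-ca.pem
xpack.monitoring.elasticsearch.ssl.verification_mode: certificate'

for label in elasticsearch kibana logstash; do
    case $label in
        elasticsearch) content=$ES_YML ;;
        kibana)        content=$KIBANA_YML ;;
        logstash)      content=$LOGSTASH_YML ;;
    esac
    audit_config "$label" "$content"
done
echo "hardened logstash.yml findings: $(count_findings logstash "$HARDENED_LOGSTASH_YML")"
```

On a real host, feed the actual files instead of the constructed strings, for example `audit_config elasticsearch "$(cat /etc/elasticsearch/elasticsearch.yml)"`; a clean run prints nothing, which makes the script easy to wire into a pre-deployment check that fails on any output.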

![](https://1286158324-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO79pt4NiZPFhlGCglR%2F-MOOFjSn4DWLayXhnSYl%2F-MOOFvf0MViVkSMo_2oj%2Fimage.png?alt=media\&token=96f60571-273b-4558-b619-ef396b09f56c)
