End-of-Life (EoL)

Install Cortex XSOAR with Elasticsearch

Verify the following information and requirements before you install Cortex XSOAR with Elasticsearch.
  • Your deployment meets the minimum system requirements.
  • You have root access.
  • Elasticsearch 7.x is installed. Elasticsearch should not be installed on the same server as Cortex XSOAR.
  • The production server has Python 2.7 or 3.x.
Elasticsearch is a distributed, open source search and analytics engine for all types of data. It enables processing and storing large amounts of data. In this version of Cortex XSOAR, indicators and audits are stored in Elasticsearch while other objects are stored in the Cortex XSOAR’s Bolt DB.
The following diagram depicts a Cortex XSOAR environment with Elasticsearch.
The following provides instructions for installing a new Cortex XSOAR environment with Elasticsearch.
  1. Download the server package from the link you received from Cortex XSOAR Support.
    demistoserver.xxxx.sh
  2. (Optional)
    If you are deploying Cortex XSOAR using a signed installer (GPG), you need to import the GPG public key that was provided with the signed installer.
    For example, you can use the
    rpm --import public.key
    command to import the public key into the local GPG keyring. Note that each operating system has specific requirements.
  3. (Optional)
    If you are deploying Cortex XSOAR using a signed installer (GPG) you might need to manually install the
    makeself
    package by running the
    yum install makeself
    command.
  4. Run the
    chmod +x demistoserver-xxxx.sh
    command to convert the
    .sh
    file to an executable file.
  5. To install the app server with Elasticsearch, run one of the following commands:
    • If using username and password authentication:
      sudo ./demistoserver-X.sh -- -elasticsearch-url=<elastic search url address> -elasticsearch-username=<the elasticsearch user name> -elasticsearch-password=<the elasticsearch password>
    • If using API key authentication:
      sudo ./demistoserver-X.sh-- -elasticsearch-url=<elastic search url address> -elasticsearch-api-key=<the elasticsearch API key>
    Flag
    Type
    Description
    -elasticsearch-url
    String
    Elasticsearch URL addresses (comma-separated). For example,
    http://test1:9200,http://test2:9200
    -elasticsearch-api-key
    String
    The Elasticsearch API key, which should be used in licensed versions.
    Note:
    If you use this flag, you do not need to use the
    -elasticsearch-username
    and
    -elasticsearch-password
    flags.
    -elasticsearch-username
    String
    The Elasticsearch username. This flag is used with the
    -elasticsearch-password
    flag.
    Note:
    If you use this flag, you do not need to use the
    -elasticsearch-url
    flag.
    -elasticsearch-password
    String
    The Elasticsearch password. This flag is used with the
    -elasticsearch-username
    flag.
    Note:
    If you use this flag, you do not need to use the
    -elasticsearch-url
    flag.
    -elasticsearch-proxy
    Boolean
    Whether to use a proxy when communicating with Elasticsearch. Can be
    true
    or
    false
    . Default is
    false
    .
    -elasticsearch-insecure
    Boolean
    Whether to trust any certificate when communicating with Elasticsearch. Can be
    true
    or
    false
    . Default is
    true
    .
    -elasticsearch-timeout
    Integer
    The amount of time (in seconds) before Elasticsearch times out. Default is 20 seconds.

Recommended For You