Install Cortex XSOAR with Elasticsearch

Install Cortex XSOAR with Elasticsearch as the database. Prerequisites and instructions for installing a new Cortex XSOAR environment with Elasticsearch.
Verify the following information and requirements before you install Cortex XSOAR with Elasticsearch.
  • Your deployment meets the System Requirements.
  • You have root access.
  • Elasticsearch 7.x is installed. Elasticsearch should not be installed on the same server as Cortex XSOAR.
  • The production server has Python 2.7 or 3.x.
Elasticsearch is a distributed, open source search and analytics engine for all types of data that can store and process large amounts of data. As of Cortex XSOAR version 6.1, if you are using Elasticsearch as your database, all objects are stored in Elasticsearch; using Elasticsearch for only indicators or audit logs is no longer supported.
The following diagram depicts a Cortex XSOAR environment with Elasticsearch.
The following provides instructions for installing a new Cortex XSOAR environment with Elasticsearch.
It is recommended to install the Elasticsearch Monitoring content pack from the Marketplace to monitor Elasticsearch. After installation, add the Elasticsearch Monitoring dashboard, which includes widgets that show the Elasticsearch cluster status and track statistics.
  1. Download Cortex XSOAR from the link that you received from Cortex XSOAR Support by running the following command. Quote the URL so that the shell does not interpret the & characters in it.
    wget -O demistoserver-xxxx.sh "<downloadLink>"
    For example,
    wget -O demistoserver-6.2.1.sh "https://download.demisto.com/download-params?token=xabcedef&email=user@paloaltonetworks.com&eula=accept"
  2. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG), import the GPG public key that was provided with the signed installer before you run it. For example, on RPM-based systems you can run the
    rpm --import public.key
    command to import the public key into the RPM keyring. Note that each operating system has its own keyring and import procedure.
  3. (Optional) If you are deploying Cortex XSOAR using a signed installer (GPG), you might need to install the makeself package manually by running the
    yum install makeself
    command.
  4. Run the
    chmod +x demistoserver-xxxx.sh
    command to make the installer executable.
  5. To install the app server with Elasticsearch, run one of the following commands. The -elasticsearch-url flag is required in both cases; the two forms differ only in how Cortex XSOAR authenticates to Elasticsearch.
    • If using username and password authentication:
      sudo ./demistoserver-xxxx.sh -- -elasticsearch-url=<elasticsearch url address> -elasticsearch-username=<the elasticsearch user name> -elasticsearch-password=<the elasticsearch password>
    • If using API key authentication:
      sudo ./demistoserver-xxxx.sh -- -elasticsearch-url=<elasticsearch url address> -elasticsearch-api-key=<the elasticsearch API key>
    Installer flags (Flag, Type, Description):
    • -elasticsearch-url (String): Elasticsearch URL addresses, comma-separated. For example, http://test1:9200,http://test2:9200. This flag is always required. In production use https:// addresses; over http:// the API key or password passed in the flags below is sent to Elasticsearch in cleartext.
    • -elasticsearch-api-key (String): The Elasticsearch API key, which should be used in licensed versions.
      Note: If you use this flag, you do not need to use the -elasticsearch-username and -elasticsearch-password flags.
    • -elasticsearch-username (String): The Elasticsearch username. This flag is used together with the -elasticsearch-password flag.
      Note: If you use this flag, you do not need to use the -elasticsearch-api-key flag.
    • -elasticsearch-password (String): The Elasticsearch password. This flag is used together with the -elasticsearch-username flag.
      Note: If you use this flag, you do not need to use the -elasticsearch-api-key flag.
    • -elasticsearch-proxy (Boolean): Whether to use a proxy when communicating with Elasticsearch. Can be true or false. Default is false.
    • -elasticsearch-insecure (Boolean): Whether to trust any certificate when communicating with Elasticsearch, that is, skip TLS certificate verification. Can be true or false. Default is false. Setting it to true removes the protection against man-in-the-middle attacks on the database connection; use it only for testing and keep it false in production.
    • -elasticsearch-timeout (Integer): The request timeout, in seconds, for calls to Elasticsearch. Default is 20 seconds.
  6. Accept the EULA and add the information when prompted.
  7. (Optional) After the installation has completed, do the following:
    1. Confirm that the Cortex XSOAR server status is active by running the
      systemctl status demisto
      command. If the server is not active, run the
      systemctl start demisto
      command to start the server.
    2. Confirm that the Docker service status is active by running the
      systemctl status docker
      command.
    3. In a web browser, go to https://<serverURL>:<port> to verify that Cortex XSOAR was successfully installed. When you open Cortex XSOAR for the first time you need to add the license.
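The installation procedure above, as an added shell example that is not part of the Cortex XSOAR documentation or the installer: a small wrapper that assembles the installer command line from the documented flags and enforces the rules of the flag table before anything runs (-elasticsearch-url is always required; authentication is either an API key or a username plus password, never both), warns when credentials would travel over plain http:// or when certificate verification is switched off, and wraps the post-install service checks from step 7. The function names, the environment variables XSOAR_ES_INSECURE and XSOAR_ES_TIMEOUT, and the sample hosts are assumptions of this example, not installer options.

```shell
#!/bin/sh
# Added example, not part of the Cortex XSOAR documentation: assemble the
# installer command line from the documented flags and enforce the flag
# rules before anything is executed.
#   - -elasticsearch-url is always required
#   - authentication is either -elasticsearch-api-key or
#     -elasticsearch-username plus -elasticsearch-password, not both
# XSOAR_ES_INSECURE and XSOAR_ES_TIMEOUT are variable names assumed by this
# script; they are mapped onto the documented installer flags.

# urls_all_tls URLS: return 0 when every comma-separated URL uses https://.
# Over http:// the API key or password in the flags travels in cleartext.
urls_all_tls() {
  old_ifs=$IFS
  IFS=','
  for u in $1; do
    case "$u" in
      https://*) ;;
      *) IFS=$old_ifs; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# build_install_cmd INSTALLER URLS MODE CREDS...
#   MODE apikey: CREDS = <api key>
#   MODE basic:  CREDS = <username> <password>
# Prints the command on stdout; returns 1 without printing on invalid input.
build_install_cmd() {
  if [ $# -lt 3 ]; then
    echo "usage: build_install_cmd INSTALLER URLS MODE CREDS..." >&2
    return 1
  fi
  installer=$1
  urls=$2
  mode=$3
  shift 3
  if [ -z "$installer" ] || [ -z "$urls" ]; then
    echo "error: installer path and -elasticsearch-url are always required" >&2
    return 1
  fi
  cmd="sudo $installer -- -elasticsearch-url=$urls"
  case "$mode" in
    apikey)
      if [ -z "$1" ]; then
        echo "error: apikey mode needs an API key" >&2
        return 1
      fi
      cmd="$cmd -elasticsearch-api-key=$1"
      ;;
    basic)
      if [ -z "$1" ] || [ -z "$2" ]; then
        echo "error: basic mode needs a username and a password" >&2
        return 1
      fi
      cmd="$cmd -elasticsearch-username=$1 -elasticsearch-password=$2"
      ;;
    *)
      echo "error: mode must be apikey or basic" >&2
      return 1
      ;;
  esac
  urls_all_tls "$urls" || echo "warning: Elasticsearch credentials will be sent over plain http" >&2
  if [ "${XSOAR_ES_INSECURE:-false}" = "true" ]; then
    echo "warning: -elasticsearch-insecure=true disables TLS certificate verification" >&2
    cmd="$cmd -elasticsearch-insecure=true"
  fi
  if [ -n "${XSOAR_ES_TIMEOUT:-}" ]; then
    case "$XSOAR_ES_TIMEOUT" in
      *[!0-9]*)
        echo "error: XSOAR_ES_TIMEOUT must be a whole number of seconds" >&2
        return 1
        ;;
    esac
    cmd="$cmd -elasticsearch-timeout=$XSOAR_ES_TIMEOUT"
  fi
  printf '%s\n' "$cmd"
}

# post_install_check: the service checks from step 7. Needs systemd, so it
# is not exercised by the tests.
post_install_check() {
  systemctl is-active --quiet demisto || sudo systemctl start demisto
  systemctl is-active --quiet docker || { echo "error: docker is not active" >&2; return 1; }
  systemctl is-active --quiet demisto
}

# Usage, after chmod +x demistoserver-xxxx.sh (review the printed command, then eval it):
#   XSOAR_ES_TIMEOUT=30 build_install_cmd ./demistoserver-xxxx.sh \
#     https://es1:9200,https://es2:9200 apikey "$ES_API_KEY"
```

Source the file, call build_install_cmd with your values, and eval the printed command once you have reviewed it. A password given on the command line is visible to other local users in the process list and is written to shell history, which is one more reason to prefer the API key form for a production install.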
