12.2 Installing and Configuring Elasticsearch

You must install Elasticsearch and the required plug-ins on each external node of the Elasticsearch cluster.

To install and configure Elasticsearch:

  1. Install the JDK version supported by Elasticsearch.

  2. Download the certified version of Elasticsearch RPM. For information about the certified version of Elasticsearch and the download URL, see the Sentinel System Requirements page.

  3. Install Elasticsearch:

    rpm -ivh elasticsearch-<version>.rpm

  4. Complete the tasks as mentioned on-screen in the RPM post-installation instructions.

  5. Ensure that the Elasticsearch user has access to Java.

  6. Configure the /etc/elasticsearch/elasticsearch.yml file by updating or adding the following information:

    Property and Value

    Notes

    discovery.seed_hosts: [<IP of the master eligible elasticsearch node in the cluster>,<IP of the master eligible elasticsearch node in the cluster>, <IP of the master eligible elasticsearch node in the cluster>, and so on]

     

    cluster.name: <Elasticsearch _cluster_name>

    The cluster name that you specify must be same for all the nodes.

    node.name: <node_name>

    The node name must be unique for each node.

    network.host: _<networkInterface>:ipv4_

     

    thread_pool.write.queue_size: 300

     

    thread_pool.search.queue_size: 10000

    Once the search queue size reaches its limit, Elasticsearch discards any pending search requests in queue.

    You can increase the search queue size based on the below calculation:threadpool.search.queue_size = Average number of widget queries per user for a dashboard x number of shards (per day index) x number of days (search duration)

    index.codec: best_compression 

     

    path.data: ["/<es1>", "/<es2>"]

    Spread data across multiple independent disks or locations to reduce the disk I/O latency.

    Configure multiple paths for storing Elasticsearch data. For example /es1, /es2, and so on.

    For best performance and manageability, mount each path to a separate physical disk (JBOD).

  7. Update the default Elasticsearch heap size in the <Sentinel_installation_path>/etc/elasticsearch/jvm.options file.

    The heap size must be 50% of the server memory. For example, on a 24 GB Elasticsearch node, allocate 12 GB as the heap size for optimal performance.

  8. Repeat all of the above steps on each external Elasticsearch nodes of the Elasticsearch cluster.

  9. In the Sentinel server Elasticsearch node, configure the <Sentinel_installation_path>/opt/novell/sentinel/3drparty/elasticsearch/config/elasticsearch.yml as follows:

    1. Ensure that the values of cluster.name and discovery.seed_hosts in the elasticsearch.yml file are same as the elasticsearch.yml file in external Elasticsearch node.

    2. (Conditional) If you have not enabled the Event Visualization component, then

      specify the localhost IP address followed by the IP address of the local Elasticsearch node in the network.host property as follows:

      network.host: ["127.0.0.1","<IP_address_of_the_Elasticsearch_node_in_ Sentinel>"]

  10. (Conditional) For Sentinel with traditional storage, add the external Elasticsearch nodes IP addresses to the ServerList property in the <Sentinel_installation_path>/etc/opt/novell/sentinel/config/elasticsearch-index.properties file.

    For example: ServerList=<Elasticsearch_IP1>:<Port>,<Elasticsearch IP2>:<Port>

  11. Restart Sentinel:

    rcsentinel restart

  12. Restart each external Elasticsearch node:

    /etc/init.d/elasticsearch restart

  13. Verify that the ES cluster is formed:

    curl -X GET http://<Elasticsearch_IP_of_the_Sentinel_server>:<Port>/_cat/nodes?v

  14. Ensure that all the existing alert data and event data (if available), it must be moved to the external Elasticsearch nodes.

  15. For optimal performance and stability of the Sentinel server, configure the Elasticsearch node in the Sentinel server as a dedicated master-eligible node so that all the event visualization data is indexed in external Elasticsearch nodes:

    1. Stop the internal node (Sentinel server)

      rcsentinel stopES

    2. Set the following in the internal node:

      node.master: true 
node.data: false 
node.ingest: false

    3. Run elasticsearch-node repurpose to clean all the shards

      <Sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/bin/elasticsearch-node -v repurpose

    4. Start the internal Elasticsearch node

      rcsentinel startES

    5. Restart each external Elasticsearch node:

      /etc/init.d/elasticsearch restart

  16. Proceed with Securing Data in Elasticsearch.

IMPORTANT:Whenever an external Elasticsearch node goes down, the ES cluster restarts automatically, due to which, there might be a temporary issue in launching dashboards through Kibana and alert search.

When the Sentinel server is restarted ensure that you restart the external Elasticsearch nodes as well.