You must install Elasticsearch and the required plug-ins on each external node of the Elasticsearch cluster.
To install and configure Elasticsearch:
Install the JDK version supported by Elasticsearch.
Download the certified version of Elasticsearch RPM. For information about the certified version of Elasticsearch and the download URL, see the Sentinel System Requirements page.
Install Elasticsearch:
rpm -ivh elasticsearch-<version>.rpm
Complete the tasks as mentioned on-screen in the RPM post-installation instructions.
Ensure that the Elasticsearch user has access to Java.
Configure the /etc/elasticsearch/elasticsearch.yml file by updating or adding the following properties:

| Property and Value | Notes |
|---|---|
| discovery.seed_hosts: [<IP of master-eligible node 1>, <IP of master-eligible node 2>, <IP of master-eligible node 3>, and so on] | List the IP addresses of every master-eligible node in the cluster. The list must be the same on every node. |
| cluster.name: <Elasticsearch_cluster_name> | The cluster name must be the same on all nodes. |
| node.name: <node_name> | The node name must be unique for each node. |
| network.host: _<networkInterface>:ipv4_ | Binds the node to the IPv4 address of the named interface, for example _eth0:ipv4_. Binding to a non-loopback address puts the node in production mode, so the Elasticsearch bootstrap checks (file descriptor limit, vm.max_map_count, and so on) must pass or the node refuses to start. |
| thread_pool.write.queue_size: 300 | |
| thread_pool.search.queue_size: 10000 | When the search queue is full, Elasticsearch rejects further search requests instead of queuing them. Increase the queue size if the following estimate exceeds 10000: thread_pool.search.queue_size = average number of widget queries per user for a dashboard x number of shards (per day index) x number of days (search duration). |
| index.codec: best_compression | |
| path.data: ["/<es1>", "/<es2>"] | Spread data across multiple independent disks to reduce disk I/O latency by configuring several data paths, for example /es1, /es2, and so on. For best performance and manageability, mount each path on a separate physical disk (JBOD). |
Update the default Elasticsearch heap size in the <Sentinel_installation_path>/etc/elasticsearch/jvm.options file.
Set -Xms and -Xmx to the same value, 50% of the server memory. For example, on a 24 GB Elasticsearch node, allocate 12 GB as the heap size for optimal performance. Do not exceed the JVM's compressed-oops threshold (about 30 GB; Elasticsearch documents 26 GB as a safe ceiling) even on larger servers.
Repeat all of the above steps on each external Elasticsearch node of the cluster.
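The external-node configuration above, as an added example that is not part of the Sentinel documentation: a small POSIX shell script that renders the elasticsearch.yml from the table, applies the search-queue formula, and sizes the heap. The cluster name, node name, interface, IP addresses and data paths used in the demo at the bottom are assumptions for illustration; the 26 GB heap ceiling is upstream Elasticsearch guidance, not a value from this page.

```shell
#!/bin/sh
# Added example, not taken from the Sentinel documentation: builds the
# elasticsearch.yml described in the table above for one external node and
# sizes the heap and the search queue. Cluster name, node name, interface,
# IP addresses and data paths used at the bottom are assumptions.

# thread_pool.search.queue_size from the page's formula:
#   average widget queries per user for a dashboard
#   x shards per daily index x number of days searched
# The page's baseline of 10000 is kept unless the estimate is larger.
search_queue_size() {
    n=$(( $1 * $2 * $3 ))
    if [ "$n" -gt 10000 ]; then echo "$n"; else echo 10000; fi
}

# Heap in GB: 50% of server RAM as the page prescribes. Upstream Elasticsearch
# guidance additionally keeps the heap below the compressed-oops threshold; the
# 26 GB ceiling used here is that upstream advice, not a value from this page.
heap_gb() {
    half=$(( $1 / 2 ))
    if [ "$half" -gt 26 ]; then echo 26; else echo "$half"; fi
}

# jvm.options lines for the chosen heap: -Xms and -Xmx must be equal.
heap_options() {
    printf '%s\n' "-Xms${1}g" "-Xmx${1}g"
}

# Print elasticsearch.yml for an external node.
#   $1 cluster name   $2 node name   $3 network interface
#   $4 comma-separated master-eligible IPs   $5 search queue size
#   $6... data paths (one per disk)
render_es_yml() {
    cluster=$1; node=$2; iface=$3; seeds=$4; queue=$5
    shift 5
    paths=""
    for p in "$@"; do
        paths="${paths:+$paths, }\"$p\""
    done
    # Quote every seed host so the YAML flow list stays valid.
    seed_list=$(printf '%s' "$seeds" |
        awk -F, '{ for (i = 1; i <= NF; i++) printf "%s\"%s\"", (i > 1 ? ", " : ""), $i }')
    cat <<EOF
cluster.name: $cluster
node.name: $node
network.host: _${iface}:ipv4_
discovery.seed_hosts: [$seed_list]
thread_pool.write.queue_size: 300
thread_pool.search.queue_size: $queue
index.codec: best_compression
path.data: [$paths]
EOF
}

# Demo with assumed values. Redirect the YAML to
# /etc/elasticsearch/elasticsearch.yml on the node being configured and put
# the two heap lines into jvm.options.
QUEUE=$(search_queue_size 10 5 365)    # 10 widgets, 5 shards/day, 365 days -> 18250
render_es_yml sentinel-es es-node-1 eth0 10.0.0.11,10.0.0.12,10.0.0.13 "$QUEUE" /es1 /es2
heap_options "$(heap_gb 24)"           # 24 GB node -> -Xms12g / -Xmx12g
```

Run the script once per external node with that node's name and interface; only node.name changes between nodes, which is the property the table requires to be unique.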
On the Sentinel server's Elasticsearch node, configure <Sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/config/elasticsearch.yml as follows:
Ensure that the values of cluster.name and discovery.seed_hosts in this elasticsearch.yml file are the same as in the elasticsearch.yml file on the external Elasticsearch nodes.
(Conditional) If you have not enabled the Event Visualization component, specify the localhost IP address followed by the IP address of the local Elasticsearch node in the network.host property, as follows:
network.host: ["127.0.0.1","<IP_address_of_the_Elasticsearch_node_in_Sentinel>"]
(Conditional) For Sentinel with traditional storage, add the external Elasticsearch nodes IP addresses to the ServerList property in the <Sentinel_installation_path>/etc/opt/novell/sentinel/config/elasticsearch-index.properties file.
For example: ServerList=<Elasticsearch_IP1>:<Port>,<Elasticsearch IP2>:<Port>
Restart Sentinel:
rcsentinel restart
Restart each external Elasticsearch node:
/etc/init.d/elasticsearch restart
Verify that the Elasticsearch cluster is formed:
curl -X GET http://<Elasticsearch_IP_of_the_Sentinel_server>:<Port>/_cat/nodes?v
Every node, internal and external, must appear in the output, with exactly one node marked * in the master column.
Ensure that all existing alert data and event data (if any) has been moved to the external Elasticsearch nodes before you continue; the repurpose step below deletes whatever shard data still remains on the Sentinel server's node.
For optimal performance and stability of the Sentinel server, configure the Elasticsearch node in the Sentinel server as a dedicated master-eligible node so that all the event visualization data is indexed in external Elasticsearch nodes:
Stop the internal Elasticsearch node on the Sentinel server:
rcsentinel stopES
Set the following in the internal node's elasticsearch.yml:
node.master: true
node.data: false
node.ingest: false
(On Elasticsearch 7.9 and later these legacy settings are deprecated; the corresponding setting is node.roles: [ master ].)
Run elasticsearch-node repurpose to delete the shard data and index metadata that a master-only node no longer needs. The tool only runs while the node is stopped, asks for confirmation, and the deleted data cannot be recovered from this node afterwards:
<Sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/bin/elasticsearch-node -v repurpose
Start the internal Elasticsearch node
rcsentinel startES
Restart each external Elasticsearch node:
/etc/init.d/elasticsearch restart
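The two checks in this procedure, cluster formation after the restart and the "no data left on the Sentinel node" condition before elasticsearch-node repurpose, as an added example that is not part of the Sentinel documentation. It parses the _cat/nodes?v and _cat/shards?v output by header name, so it does not depend on column order. The sample outputs embedded at the bottom are constructed, and the node names and IP addresses are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the Sentinel documentation: two checks on the
# output of the _cat APIs, one for the "cluster is formed" verification and one
# to run before elasticsearch-node repurpose, which deletes whatever shard data
# is still on the Sentinel node. Sample outputs are constructed; node names and
# IPs are assumptions.
#
# Fetch live output with, for example:
#   NODES=$(curl -s "http://<Elasticsearch_IP_of_the_Sentinel_server>:<Port>/_cat/nodes?v")
#   SHARDS=$(curl -s "http://<Elasticsearch_IP_of_the_Sentinel_server>:<Port>/_cat/shards?v")

# Column index of a named header in _cat ...?v output (0 if absent).
cat_column() {
    printf '%s\n' "$1" | awk -v name="$2" \
        'NR == 1 { for (i = 1; i <= NF; i++) if ($i == name) c = i } END { print c + 0 }'
}

# Succeeds when every expected IP appears as a node and exactly one node is the
# elected master (shown as "*" in the master column).
#   $1 _cat/nodes?v output   $2... expected node IPs
cluster_formed() {
    nodes=$1; shift
    ipcol=$(cat_column "$nodes" ip)
    mcol=$(cat_column "$nodes" master)
    [ "$ipcol" -gt 0 ] && [ "$mcol" -gt 0 ] || return 1
    for ip in "$@"; do
        printf '%s\n' "$nodes" |
            awk -v ip="$ip" -v c="$ipcol" 'NR > 1 && $c == ip { found = 1 } END { exit !found }' ||
            return 1
    done
    masters=$(printf '%s\n' "$nodes" |
        awk -v c="$mcol" 'NR > 1 && $c == "*" { n++ } END { print n + 0 }')
    [ "$masters" -eq 1 ]
}

# Number of shards (primary or replica) still assigned to a node.
#   $1 _cat/shards?v output   $2 node name
shards_on_node() {
    col=$(cat_column "$1" node)
    printf '%s\n' "$1" |
        awk -v c="$col" -v node="$2" 'NR > 1 && $c == node { n++ } END { print n + 0 }'
}

# The repurpose is only safe once the internal node holds no shards.
safe_to_repurpose() {
    [ "$(shards_on_node "$1" "$2")" -eq 0 ]
}

# Constructed sample outputs in the default _cat column layout.
NODES_SAMPLE='ip        heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.0.11           35          80   2    0.10    0.20     0.15 dim       *      es-node-1
10.0.0.12           30          78   1    0.05    0.10     0.10 dim       -      es-node-2
10.0.0.10           20          60   1    0.02    0.05     0.05 m         -      sentinel'
SHARDS_SAMPLE='index             shard prirep state   docs store ip        node
events-2024.05.01 0     p      STARTED 1200 3.1mb 10.0.0.11 es-node-1
events-2024.05.01 0     r      STARTED 1200 3.1mb 10.0.0.12 es-node-2
alerts            0     p      STARTED   40 120kb 10.0.0.10 sentinel'

if cluster_formed "$NODES_SAMPLE" 10.0.0.10 10.0.0.11 10.0.0.12; then
    echo "cluster formed: all nodes joined, one master elected"
else
    echo "cluster NOT formed"
fi
if safe_to_repurpose "$SHARDS_SAMPLE" sentinel; then
    echo "sentinel holds no shards: safe to run elasticsearch-node repurpose"
else
    echo "sentinel still holds $(shards_on_node "$SHARDS_SAMPLE" sentinel) shard(s): move the data first"
fi
```

In the constructed sample the alerts index still has a primary on the sentinel node, so the script reports that the repurpose is not yet safe; that is the state the procedure tells you to resolve before running elasticsearch-node repurpose.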
Proceed with Securing Data in Elasticsearch. Until that procedure is complete, the HTTP and transport ports that Elasticsearch binds on the interface you set in network.host accept connections without authentication unless a security plug-in is already enforcing it, so restrict them with host firewall rules to the Sentinel server and the other cluster nodes.
IMPORTANT: Whenever an external Elasticsearch node goes down, the Elasticsearch cluster restarts automatically; while it does, launching dashboards through Kibana and searching alerts might temporarily fail.
When the Sentinel server is restarted, ensure that you also restart the external Elasticsearch nodes.