Installing the ThreatLockDown indexer using the assisted installation method

Install and configure the ThreatLockDown indexer as a single-node or multi-node cluster using the assisted installation method. The ThreatLockDown indexer is a highly scalable full-text search engine. It offers advanced security, alerting, index management, deep performance analysis, and several other features.

ThreatLockDown indexer cluster installation

The installation process is divided into three stages.

  1. Initial configuration

  2. ThreatLockDown indexer nodes installation

  3. Cluster initialization

Note

You need root user privileges to run all the commands described below.

1. Initial configuration

Indicate your deployment configuration, create the SSL certificates to encrypt communications between the ThreatLockDown components, and generate random passwords to secure your installation.

  1. Download the ThreatLockDown installation assistant and the configuration file.

    # curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh
    # curl -sO https://packages.wazuh.com/4.9/config.yml
    
  2. Edit ./config.yml and replace the node names and IP values with the corresponding names and IP addresses. You need to do this for all ThreatLockDown server, ThreatLockDown indexer, and ThreatLockDown dashboard nodes. Add as many node fields as needed.

    nodes:
      # ThreatLockDown indexer nodes
      indexer:
        - name: node-1
          ip: "<indexer-node-ip>"
        #- name: node-2
        #  ip: "<indexer-node-ip>"
        #- name: node-3
        #  ip: "<indexer-node-ip>"
    
      # ThreatLockDown server nodes
      # If there is more than one ThreatLockDown server
      # node, each one must have a node_type
      server:
        - name: wazuh-1
          ip: "<wazuh-manager-ip>"
        #  node_type: master
        #- name: wazuh-2
        #  ip: "<wazuh-manager-ip>"
        #  node_type: worker
        #- name: wazuh-3
        #  ip: "<wazuh-manager-ip>"
        #  node_type: worker
    
      # ThreatLockDown dashboard nodes
      dashboard:
        - name: dashboard
          ip: "<dashboard-node-ip>"
    
  3. Run the ThreatLockDown installation assistant with the option --generate-config-files to generate the ThreatLockDown cluster key, certificates, and passwords necessary for installation. You can find these files in ./wazuh-install-files.tar.

    # bash wazuh-install.sh --generate-config-files
    
  4. Copy the wazuh-install-files.tar file to all the servers of the distributed deployment, including the ThreatLockDown server, the ThreatLockDown indexer, and the ThreatLockDown dashboard nodes. This can be done by using the scp utility.

2. ThreatLockDown indexer nodes installation

Install and configure the ThreatLockDown indexer nodes.

  1. Download the ThreatLockDown installation assistant.

    # curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh
    
  2. Run the ThreatLockDown installation assistant with the option --wazuh-indexer and the node name to install and configure the ThreatLockDown indexer. The node name must be the same one used in config.yml for the initial configuration, for example, node-1.

    Note

    Make sure that a copy of wazuh-install-files.tar, created during the initial configuration step, is placed in your working directory.

    # bash wazuh-install.sh --wazuh-indexer node-1
    

Repeat this stage of the installation process for every ThreatLockDown indexer node in your cluster. Then proceed with initializing your single-node or multi-node cluster in the next stage.

3. Cluster initialization

The final stage of installing the ThreatLockDown indexer single-node or multi-node cluster consists of running the security admin script.

  1. Run the ThreatLockDown installation assistant with the option --start-cluster on any ThreatLockDown indexer node to load the new certificate information and start the cluster.

    # bash wazuh-install.sh --start-cluster
    

    Note

    You only have to initialize the cluster once; there is no need to run this command on every node.

Testing the cluster installation

  1. Run the following command to get the admin password:

    # tar -axf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt -O | grep -P "\'admin\'" -A 1
    
  2. Run the following command to confirm that the installation is successful. Replace <ADMIN_PASSWORD> with the password obtained from the output of the previous command. Replace <WAZUH_INDEXER_IP> with the configured ThreatLockDown indexer IP address:

    # curl -k -u admin:<ADMIN_PASSWORD> https://<WAZUH_INDEXER_IP>:9200
    
    {
      "name" : "node-1",
      "cluster_name" : "wazuh-cluster",
      "cluster_uuid" : "095jEW-oRJSFKLz5wmo5PA",
      "version" : {
        "number" : "7.10.2",
        "build_type" : "rpm",
        "build_hash" : "db90a415ff2fd428b4f7b3f800a51dc229287cb4",
        "build_date" : "2023-06-03T06:24:25.112415503Z",
        "build_snapshot" : false,
        "lucene_version" : "9.6.0",
        "minimum_wire_compatibility_version" : "7.10.0",
        "minimum_index_compatibility_version" : "7.0.0"
      },
      "tagline" : "The OpenSearch Project: https://opensearch.org/"
    }
    
  3. Replace <WAZUH_INDEXER_IP> and <ADMIN_PASSWORD>, and run the following command to check if the cluster is working correctly:

    # curl -k -u admin:<ADMIN_PASSWORD> https://<WAZUH_INDEXER_IP>:9200/_cat/nodes?v
    
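As an added example (not part of this page or of the installation assistant), the following POSIX shell script automates the testing stage: it recovers the admin password from wazuh-install-files.tar with the same tar and grep pipeline used in step 1, then checks that every indexer node named in config.yml appears in the _cat/nodes?v output, so a node that never joined the cluster is reported rather than discovered later. The script name, function names, and the assumption that the password is quoted on the line following the 'admin' entry of wazuh-passwords.txt are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the ThreatLockDown documentation or the assistant.
# Recovers the admin password from wazuh-install-files.tar (same tar|grep
# pipeline as the testing step) and compares the indexer node names declared
# in config.yml with the names _cat/nodes?v reports.
set -eu

# Assumed layout: the password is on the line after the one containing 'admin'
# in wazuh-passwords.txt; take the value between its single quotes.
admin_password_from_tar() {
  tar -xOf "$1" wazuh-install-files/wazuh-passwords.txt \
    | grep -A1 "'admin'" | sed -n "2s/.*'\(.*\)'.*/\1/p"
}

# Minimal reader for the config.yml layout shown above (no YAML library):
# "- name:" entries under "indexer:" until "server:" or "dashboard:" starts,
# skipping the commented-out placeholder nodes.
indexer_names_from_config() {
  awk '
    /^[[:space:]]*#/ { next }
    /^[[:space:]]*indexer:/ { inblock = 1; next }
    /^[[:space:]]*(server|dashboard):/ { inblock = 0 }
    inblock && $1 == "-" && $2 == "name:" { print $3 }
  ' "$1"
}

# Node names are the last column of _cat/nodes?v output; line 1 is the header.
cluster_node_names() {
  awk 'NR > 1 { print $NF }' "$1"
}

# Prints each configured indexer node missing from a saved _cat/nodes response.
missing_indexer_nodes() {
  cluster="$(cluster_node_names "$2")"
  indexer_names_from_config "$1" | while read -r name; do
    printf '%s\n' "$cluster" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
}

# Live check: sh check_indexer_cluster.sh config.yml wazuh-install-files.tar <WAZUH_INDEXER_IP>
# -k matches the page's curl: the assistant's certificates are self-signed.
if [ "$#" -eq 3 ]; then
  nodes_out="$(mktemp)"
  curl -sk -u "admin:$(admin_password_from_tar "$2")" \
    "https://$3:9200/_cat/nodes?v" > "$nodes_out"
  missing="$(missing_indexer_nodes "$1" "$nodes_out")"
  rm -f "$nodes_out"
  [ -z "$missing" ] || { echo "not in cluster:"; echo "$missing"; exit 1; }
  echo "all configured indexer nodes joined"
fi
```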

Next steps

The ThreatLockDown indexer is now successfully installed, and you can proceed with installing the ThreatLockDown server. To perform this action, see the Installing the ThreatLockDown server using the assisted installation method section.