OpenSearch Installation and Configuration
Comprehensive guide for secure installation and configuration of OpenSearch 2.15, focusing on security best practices.
Introduction
OpenSearch is a distributed search and analytics engine and a core component of modern security infrastructures, especially when it serves as the indexer behind SIEM solutions such as Graylog and Wazuh. This guide walks you through the secure installation and configuration of OpenSearch 2.15, emphasizing security best practices such as certificate management, SSL/TLS setup, and network hardening.
Certificate Authority (CA) Setup
Creating a Root Certificate Authority
Establishing a proper Public Key Infrastructure (PKI) is critical for securing communication between OpenSearch nodes.
- Generate a 4096-bit RSA private key for the CA:
openssl genrsa -out root-ca.key 4096
- Create an OpenSSL configuration file (openssl-ca.cnf) with standardized certificate details:
[ req ]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
C = MA
ST = Casablanca
L = Casablanca
O = bonsaii.local
OU = IT-Department
CN = Bonsaii Organisation
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
- Generate the self-signed root CA certificate valid for 10 years:
openssl req -x509 -new -nodes -key root-ca.key -sha256 -days 3650 -out root-ca.crt -config openssl-ca.cnf -extensions v3_ca
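A sanity check for the root CA produced by the steps above, added here as an example and not part of the original guide. It assumes the root-ca.crt and root-ca.key file names used above and an openssl binary on the PATH; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: sanity-check the root CA created above before giving it to
# wazuh-certs-tool. Every function returns 0 on success so it can be scripted.

# 0 if CERT is self-signed (issuer equals subject), as a root must be.
ca_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
    [ -n "$subj" ] && [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# 0 if CERT carries basicConstraints CA:TRUE and keyUsage keyCertSign,
# i.e. the v3_ca section of openssl-ca.cnf was actually applied.
ca_constraints_ok() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
        printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# 0 if KEY is the private key belonging to CERT (their public keys are equal).
ca_key_matches() { # ca_key_matches CERT KEY
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if CERT stays valid for at least DAYS more days.
ca_valid_for_days() { # ca_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Run all checks on a root CA pair; prints a verdict, returns 0 only if all pass.
check_root_ca() { # check_root_ca root-ca.crt root-ca.key
    ca_self_signed "$1"      || { echo "FAIL: $1 is not self-signed" >&2; return 1; }
    ca_constraints_ok "$1"   || { echo "FAIL: $1 lacks CA:TRUE/keyCertSign (was -extensions v3_ca passed?)" >&2; return 1; }
    ca_key_matches "$1" "$2" || { echo "FAIL: $2 does not belong to $1" >&2; return 1; }
    ca_valid_for_days "$1" 3600 || { echo "FAIL: $1 expires within 3600 days (expected ~10 years)" >&2; return 1; }
    echo "OK: $1 is a usable root CA"
}

# Example use: check_root_ca root-ca.crt root-ca.key
```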
Automated Certificate Generation for Wazuh Components
Wazuh provides tools to automate certificate generation for all components in your security infrastructure.
- Download the Wazuh certificate tool and config template:
curl -sO https://packages.wazuh.com/4.12/wazuh-certs-tool.sh
curl -sO https://packages.wazuh.com/4.12/config.yml
- Edit config.yml to define your infrastructure nodes (example for a single-server deployment):
nodes:
  indexer:
    - name: node-1
      ip: "bonsaii.local"
  server:
    - name: wazuh-1
      ip: "bonsaii.local"
  dashboard:
    - name: dashboard
      ip: "bonsaii.local"
- Generate certificates using your custom CA:
chmod +x wazuh-certs-tool.sh
./wazuh-certs-tool.sh -A /path/to/root-ca.crt /path/to/root-ca.key
- Package certificates for deployment:
tar -cvf wazuh-certificates.tar -C ./wazuh-certificates/ .
rm -rf ./wazuh-certificates
OpenSearch Installation and Configuration
System Preparation
Update your system and install prerequisites:
sudo apt-get update && sudo apt-get install -y lsb-release ca-certificates curl gnupg2
Repository Configuration
- Import the OpenSearch GPG key:
curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | sudo gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
- Add the OpenSearch 2.x repository:
echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | sudo tee /etc/apt/sources.list.d/opensearch-2.x.list
sudo apt-get update
- Install OpenSearch 2.15.0 with an initial admin password:
sudo env OPENSEARCH_INITIAL_ADMIN_PASSWORD=<your-secure-password> apt-get install opensearch=2.15.0
- Lock the package to prevent automatic upgrades:
sudo apt-mark hold opensearch
Initial Verification
Test OpenSearch REST API connectivity:
curl -X GET https://localhost:9200 -u 'admin:<your-secure-password>' --insecure
A JSON response reporting version 2.15.0 confirms that OpenSearch is running.
Security Configuration
Network and Cluster Settings
Edit /etc/opensearch/opensearch.yml to configure network and cluster options:
network.host: "bonsaii.local" # Replace with your hostname or IP
discovery.type: single-node
plugins.security.disabled: false
SSL/TLS Certificate Deployment
- Prepare certificate directory and deploy generated certificates:
NODE_NAME=node-1
mkdir -p /etc/opensearch/certs
tar -xf ./wazuh-certificates.tar -C /etc/opensearch/certs/ ./$NODE_NAME.pem ./$NODE_NAME-key.pem ./admin.pem ./admin-key.pem ./root-ca.pem
mv /etc/opensearch/certs/$NODE_NAME.pem /etc/opensearch/certs/indexer.pem
mv /etc/opensearch/certs/$NODE_NAME-key.pem /etc/opensearch/certs/indexer-key.pem
chmod 500 /etc/opensearch/certs
chmod 400 /etc/opensearch/certs/*
chown -R opensearch:opensearch /etc/opensearch/certs
- Update /etc/opensearch/opensearch.yml with SSL/TLS and security settings:
node.name: "node-1"
network.host: "bonsaii.local"
discovery.type: single-node
node.max_local_storage_nodes: "3"
plugins.security.ssl.transport.pemcert_filepath: /etc/opensearch/certs/indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/opensearch/certs/indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/opensearch/certs/root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: /etc/opensearch/certs/indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/opensearch/certs/indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/opensearch/certs/root-ca.pem
plugins.security.allow_default_init_securityindex: true
plugins.security.nodes_dn:
- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.audit.type: internal_opensearch
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [
.plugins-ml-agent, .plugins-ml-config, .plugins-ml-connector,
.plugins-ml-controller, .plugins-ml-model-group, .plugins-ml-model,
.plugins-ml-task, .plugins-ml-conversation-meta, .plugins-ml-conversation-interactions,
.plugins-ml-memory-meta, .plugins-ml-memory-message, .plugins-ml-stop-words,
.opendistro-alerting-config, .opendistro-alerting-alert*, .opendistro-anomaly-results*,
.opendistro-anomaly-detector*, .opendistro-anomaly-checkpoints,
.opendistro-anomaly-detection-state, .opendistro-reports-*, .opensearch-notifications-*,
.opensearch-notebooks, .opensearch-observability, .ql-datasources,
.opendistro-asynchronous-search-response*, .replication-metadata-store,
.opensearch-knn-models, .geospatial-ip2geo-data*, .plugins-flow-framework-config,
.plugins-flow-framework-templates, .plugins-flow-framework-state
]
- Verify that the subject of each deployed certificate matches the plugins.security.nodes_dn and plugins.security.authcz.admin_dn entries above (the security plugin compares the RFC 2253 form):
openssl x509 -in /etc/opensearch/certs/indexer.pem -noout -subject -nameopt RFC2253
- Move the demo certificates and the demo security script out of the configuration directory; the demo keys ship with every OpenSearch package and are publicly known, so they must not remain in use:
mkdir -p /etc/opensearch/demo
mv /etc/opensearch/esnode* /etc/opensearch/demo/
mv /etc/opensearch/kirk* /etc/opensearch/demo/
mv /etc/opensearch/root-ca.pem /etc/opensearch/demo/
mv /etc/opensearch/securityadmin_demo.sh /etc/opensearch/demo/
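An added verification script that ties the certificate deployment steps above together; it is not from the original guide or from Wazuh. It reads the nodes_dn and admin_dn lists from opensearch.yml, compares them with the RFC 2253 subjects of indexer.pem and admin.pem, and confirms that the demo material has been moved out. The /etc/opensearch paths and file names are the ones used above; yaml_dns, dn_listed and no_demo_material are hypothetical helper names.

```sh
#!/bin/sh
# Added example: cross-check deployed certificates against opensearch.yml. The
# security plugin matches nodes_dn / admin_dn against subjects in RFC 2253
# form, so a typo in either list silently breaks transport or securityadmin.
CONF="${OPENSEARCH_CONF:-/etc/opensearch/opensearch.yml}"   # assumed path
CERT_DIR="${OPENSEARCH_CERTS:-/etc/opensearch/certs}"        # assumed path
# Print the DN strings listed under KEY in opensearch.yml, one per line.
yaml_dns() { # yaml_dns plugins.security.nodes_dn
    awk -v key="$1:" '
        $1 == key         { grab = 1; next }
        grab && NF == 0   { next }
        grab && $1 == "-" { sub(/^[ \t]*- */, ""); gsub(/"/, ""); print; next }
        grab              { grab = 0 }
    ' "$CONF"
}
# Subject of a PEM certificate in the RFC 2253 form the plugin compares.
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}
# 0 if DN is one of the entries under KEY (exact, whole-line match).
dn_listed() { # dn_listed DN KEY
    yaml_dns "$2" | grep -Fxq -- "$1"
}
# 0 if none of the demo files moved out above remain in DIR.
no_demo_material() { # no_demo_material /etc/opensearch
    for f in esnode.pem esnode-key.pem kirk.pem kirk-key.pem root-ca.pem securityadmin_demo.sh; do
        [ -e "$1/$f" ] && { echo "demo file still present: $1/$f" >&2; return 1; }
    done
    return 0
}
# Compare one certificate with one DN list; reports and returns 1 on mismatch.
check_cert_dn() { # check_cert_dn CERT KEY
    subject=$(cert_subject "$1")
    if dn_listed "$subject" "$2"; then
        echo "OK   $subject is listed under $2"
    else
        echo "FAIL $subject is not listed under $2 in $CONF" >&2; return 1
    fi
}
main() {
    check_cert_dn "$CERT_DIR/indexer.pem" plugins.security.nodes_dn
    check_cert_dn "$CERT_DIR/admin.pem"   plugins.security.authcz.admin_dn
    no_demo_material "$(dirname "$CONF")"
}
[ -f "$CONF" ] && main   # only run the full check where the config exists
```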
Service Restart and Verification
Restart OpenSearch to apply changes:
systemctl restart opensearch
systemctl status opensearch
Test secure HTTPS endpoint:
curl -X GET https://localhost:9200 -u 'admin:<your-secure-password>' --insecure
Troubleshooting and Monitoring
- Log monitoring:
tail -f /var/log/opensearch/opensearch.log
- Check service status:
systemctl status opensearch
- Verify port binding:
netstat -tlnp | grep :9200
This guide prepares you for a secure, stable OpenSearch deployment integrated within your SIEM environment.