Installation

The Energylogserver installer is delivered as:

  • RPM packages: energylogserver-data-node and energylogserver-client-node

  • Installation script: install.sh

  • Container images for Docker deployment

  • Helm charts for Kubernetes deployment

Prerequisites and Environment Preparation

Before beginning installation, prepare your system environment.

System Requirements Check

Verify your system meets minimum requirements:

# Check CPU cores
nproc

# Check available memory
free -h

# Check disk space
df -h

System Configuration

Configure system limits and kernel parameters, then verify the two settings the ELS Data Node depends on:

# Verify critical settings
sysctl vm.max_map_count  # Should be >= 262144
ulimit -n                 # Should be >= 65536 (the limit of the service, not only of your shell)
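A preflight script that applies the same two checks, as an added example (not part of the Energylogserver installer): it reads the live kernel value from /proc and the process's open-files limit, compares them with the minimums above, and prints a remediation hint for each failure. The /proc path and the suggested sysctl and limits.conf remedies are standard Linux, not Energylogserver-specific.

```python
"""Preflight check for the kernel and ulimit settings the ELS Data Node needs.

Added example; not part of the Energylogserver installer. The minimums are the
ones stated in this guide. Reading /proc and RLIMIT_NOFILE is Linux-specific.
"""
import resource

MIN_MAX_MAP_COUNT = 262144   # sysctl vm.max_map_count minimum from the guide
MIN_NOFILE = 65536           # ulimit -n minimum from the guide


def evaluate_limits(max_map_count, nofile):
    """Compare measured values with the minimums.

    Returns a list of problem descriptions with a remediation hint; an empty
    list means the host passes both checks.
    """
    problems = []
    if max_map_count < MIN_MAX_MAP_COUNT:
        problems.append(
            f"vm.max_map_count={max_map_count} < {MIN_MAX_MAP_COUNT}: "
            f"set it with 'sysctl -w vm.max_map_count={MIN_MAX_MAP_COUNT}' "
            "and persist it in /etc/sysctl.d/"
        )
    if nofile < MIN_NOFILE:
        problems.append(
            f"nofile={nofile} < {MIN_NOFILE}: raise the open-files limit "
            "(LimitNOFILE= in the service unit, or /etc/security/limits.conf "
            "for interactive sessions)"
        )
    return problems


def read_max_map_count(path="/proc/sys/vm/max_map_count"):
    """Live kernel value, the same number `sysctl vm.max_map_count` prints."""
    with open(path) as fh:
        return int(fh.read().strip())


def read_nofile():
    """Soft RLIMIT_NOFILE of this process, the same number `ulimit -n` prints."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    # "unlimited" is reported as RLIM_INFINITY (-1); treat it as passing.
    return float("inf") if soft == resource.RLIM_INFINITY else soft


def main():
    problems = evaluate_limits(read_max_map_count(), read_nofile())
    for problem in problems:
        print("FAIL:", problem)
    if not problems:
        print("OK: vm.max_map_count and nofile meet the minimums")
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The open-files limit is per process, so the number your login shell reports is not necessarily the one the logserver service receives under systemd; check the unit's LimitNOFILE= setting as well, or run the script from the service's own environment.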

Download Installation Packages

Download the Energylogserver packages and verify their integrity before installation.

Installation Methods

Interactive Installation using “install.sh”

Energylogserver comes with a simple installation script called install.sh. It is designed to complete installation and deployment within about 1 hour. When executed, it detects the supported distribution and asks which components to install. The script is located in the install directory.

Installation process:

  1. Unpack the archive containing the installer:

     tar xjf energylogserver-7.8.0.x86_64.tar.bz2

  2. Unpack the archive containing the SIEM installer (only in the SIEM plan):

     tar xjf energylogserver-siem-plan-7.8.0.x86_64.tar.bz2

  3. Copy the license to the installation directory:

     cp es_*.* install/

  4. Navigate to the installation directory and run the installation script:

     cd install
     ./install.sh -i

During interactive installation you will be asked about:

  • Install & configure Network Probe with custom Energylogserver Configuration - including Beats, Syslog, Blacklist, Netflow, Winrm, Logtrail, OP5, etc.

  • Install the ELS Client Node, as well as other client-node dependencies

  • Install the ELS Data Node, as well as other data-node dependencies

  • Load the Energylogserver custom dashboards, alerts and configurations

Non-interactive Installation Mode using “install.sh”

install.sh can also run without any prompts (the -n option), which is useful for automated deployment. In this mode you must tell it which components to install, e.g. -d for the ELS Data Node and -c for the ELS Client Node.

Examples:

  • Install only data node components:

    ./install.sh -n -d

  • Install both data and client node components:

    ./install.sh -n -c -d

Installation Verification

Check Cluster/Indices Status and ELS Data Node Information

Verify installation by checking the status of ELS Data Node:

  curl -s -u "$CREDENTIAL" 'localhost:9200/_cluster/health?pretty'

Expected response showing cluster health:

  {
    "cluster_name" : "logserver",
    "status" : "green",
    "timed_out" : false,
    "number_of_nodes" : 1,
    "number_of_data_nodes" : 1,
    "active_primary_shards" : 25,
    "active_shards" : 25,
    "relocating_shards" : 0,
    "initializing_shards" : 0,
    "unassigned_shards" : 0,
    "delayed_unassigned_shards" : 0,
    "number_of_pending_tasks" : 0,
    "number_of_in_flight_fetch" : 0,
    "task_max_waiting_in_queue_millis" : 0,
    "active_shards_percent_as_number" : 100.0
  }

Check ELS Data Node details (node name, version and cluster name):

  curl -s -u "$CREDENTIAL" localhost:9200

If everything went correctly, cluster health reports status green with 100% of shards allocated.
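A programmatic version of the same verification, as an added example (not part of Energylogserver): it evaluates a /_cluster/health response against the conditions above (green status, no unassigned shards, 100% active shards, at least one data node) and explains each failure. The embedded JSON is the expected response from this page; the live fetch reads user:password from the CREDENTIAL environment variable instead of taking it on the command line, where it would show up in process listings and shell history.

```python
"""Programmatic version of the cluster-health verification step.

Added example; not part of Energylogserver. SAMPLE_HEALTH is the expected
response shown in this guide, embedded so the check runs offline. The live
fetch reads the credentials from the CREDENTIAL environment variable
(user:password) rather than taking them on the command line.
"""
import base64
import json
import os
import urllib.request

# Constructed sample: the expected response from the guide, verbatim.
SAMPLE_HEALTH = """{
  "cluster_name" : "logserver",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 25,
  "active_shards" : 25,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}"""


def assess_health(body):
    """Return (ok, reasons) for a /_cluster/health JSON document.

    ok is True only for a green cluster with every shard allocated; reasons
    explains each failed condition in words an operator can act on.
    """
    health = json.loads(body)
    reasons = []
    if health.get("timed_out"):
        reasons.append("health request timed out; the node may still be starting")
    if health.get("number_of_data_nodes", 0) < 1:
        reasons.append("no data node has joined the cluster")
    status = health.get("status")
    if status != "green":
        hint = ""
        if status == "yellow" and health.get("number_of_data_nodes") == 1:
            hint = " (replica shards cannot be placed on a single data node)"
        reasons.append(f"status is {status!r}, expected 'green'{hint}")
    if health.get("unassigned_shards", 0) > 0:
        reasons.append(f"{health['unassigned_shards']} unassigned shards")
    if health.get("active_shards_percent_as_number", 0.0) < 100.0:
        reasons.append(
            f"only {health.get('active_shards_percent_as_number')}% of shards are active"
        )
    return (not reasons, reasons)


def fetch_health(base_url="http://localhost:9200", credential=None):
    """GET /_cluster/health with HTTP basic auth, like `curl -u $CREDENTIAL`."""
    credential = credential or os.environ["CREDENTIAL"]
    token = base64.b64encode(credential.encode()).decode()
    request = urllib.request.Request(base_url + "/_cluster/health")
    request.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode()


if __name__ == "__main__":
    ok, reasons = assess_health(fetch_health())
    print("OK" if ok else "FAIL: " + "; ".join(reasons))
    raise SystemExit(0 if ok else 1)
```

A yellow status on a single-node installation usually means index templates request replica shards that have nowhere to go; the check still fails in that case, but the hint tells you why, so you can either add a second data node or lower the replica count.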

Post Installation Configuration

Configure ELS Data Node Cluster Settings

Edit the main configuration file:

  vi /etc/logserver/logserver.yml

Add the IPs of all ELS Data Nodes (transport port 9300) to the discovery directive; the change takes effect when the logserver service is started. Port 9300 should be reachable only from the other cluster nodes.

  discovery.seed_hosts: ["172.10.0.1:9300", "172.10.0.2:9300"]

Start Services

Start all Energylogserver services:

  # Start ELS Data Node service
  systemctl start logserver
  # Start Network Probe service
  systemctl start logserver-probe
  # Start Cerebro service
  systemctl start cerebro
  # Start ELS Console service
  systemctl start logserver-gui
  # Start Alert service
  systemctl start alert
  # Start Skimmer service
  systemctl start skimmer

Configure Data Sources and Agents

Example agent configuration files and additional documentation are located in the Agents UI module:

  • Filebeat - Log file shipping

  • Winlogbeat - Windows event log shipping

  • Metricbeat - System and service metrics

  • Packetbeat - Network packet analysis

  • OP5 Naemon logs - OP5 monitoring integration

  • OP5 performance data - OP5 metrics integration

SIEM Agents Configuration

Configure SIEM agents for security event collection:

Agent Connection Ports

  • Port 1514 (TCP) - Primary agent connection service

  • Port 1514 (UDP) - Optional agent connection service (disabled by default)

  • Port 1515 (TCP) - Agent enrollment service

  • Port 1516 (TCP) - SIEM cluster daemon communication

  • Port 55000 (TCP) - SIEM server RESTful API

Agent Installation

  1. Download SIEM agent package for target operating system

  2. Install agent using system package manager

  3. Configure agent to connect to SIEM service

  4. Enroll agent using port 1515

  5. Verify connectivity through port 1514
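A connectivity check an agent host can run before and after enrollment, as an added example (not part of the SIEM agent package): it attempts a TCP handshake to each port and reports which ones are reachable. The server hostname is a placeholder; the port numbers and their roles are the ones listed above. The UDP variant of 1514 is not probed because a UDP probe cannot distinguish an open port from a filtered one.

```python
"""Reachability check for the SIEM agent ports listed in this guide.

Added example; not part of the Energylogserver or SIEM packages. The hostname
used in the demo is a placeholder.
"""
import socket

# TCP services from the guide. 1514/UDP is optional and disabled by default,
# and a UDP probe cannot tell "open" from "filtered", so it is not probed.
AGENT_TCP_PORTS = {
    1514: "agent connection",
    1515: "agent enrollment",
    1516: "SIEM cluster daemon",
    55000: "SIEM server REST API",
}


def tcp_port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable or DNS failure: all mean "not usable".
        return False


def check_agent_ports(host, ports=None, timeout=3.0):
    """Return {port: reachable} for the ports an agent host needs.

    Only 1514 and 1515 are required from an agent; 1516 matters between SIEM
    cluster members and 55000 only for API clients, so callers pass the
    subset that applies to the host they are testing from.
    """
    ports = ports or (1514, 1515)
    return {port: tcp_port_open(host, port, timeout) for port in ports}


if __name__ == "__main__":
    server = "siem.example.internal"  # placeholder; use your SIEM server address
    for port, reachable in check_agent_ports(server).items():
        role = AGENT_TCP_PORTS.get(port, "unknown")
        print(f"{server}:{port}/tcp ({role}): {'open' if reachable else 'unreachable'}")
```

Run it from the host where the agent will be installed, not from the SIEM server itself, so that it exercises the same firewall path the agent will use; a reachable 1515 with an unreachable 1514 is the classic symptom of a rule that permits enrollment but blocks the steady-state connection.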

Blacklist and Threat Intelligence Setup

Configure automated threat intelligence updates for enhanced security monitoring.

Blacklist Creation Methods

  1. Crontab scheduling - Traditional cron-based updates

  2. ELS Console scheduler - GUI-based scheduling

  3. Network Probe input - Preferred method for real-time updates

Instructions for Network Probe setup: Network Probe Installation

Scheduling Bad IP Lists Update

Requirements:

  • Energylogserver or newer

  • Credentials configured in scripts: misp_threat_lists.sh

Option 1: Cron scheduling (host with Network Probe installed)

# Add to /etc/crontab (replace user with the account the script should run as)
0 2 * * * user /etc/logserver-probe/lists/bin/misp_threat_lists.sh

Option 2: ELS Console Scheduler (only if Network Probe runs on the same host)

Prepare the script path (replace user:group with the account that will run the script):

/bin/ln -sfn /etc/logserver-probe/lists/bin /opt/ai/bin/lists
chown user:group /etc/logserver-probe/lists/
chmod g+w /etc/logserver-probe/lists/

Configure in ELS Console Scheduler app:

  • Name: MispThreatList

  • Cron pattern: 0 2 * * *

  • Command: lists/misp_threat_lists.sh

  • Category: network-probe

Verify that the blacklists index has been created (use the credentials set during installation rather than the defaults, and keep them out of the command line where they would appear in process listings and shell history):

curl -sS -u "$CREDENTIAL" -XGET '127.0.0.1:9200/_cat/indices/.blacklists?s=index&v'

Initial Configuration and First Use

After successful installation, complete the initial setup.

Access ELS Console

Open your web browser and navigate to:

https://your-server-ip:5601

Note: A freshly installed console presents a self-signed certificate, so the browser warns on the first connection. Accept it only to complete the initial setup, and replace it with a certificate issued by your internal or public CA before exposing the console to users; until then the browser cannot tell the real console from an impostor.

First Login and Security

  1. Log in with the default credentials (provided during installation)

  2. Change the default password immediately: navigate to User Management

  3. Configure additional admin users if needed

  4. Review security settings in System Configuration

Configure First Data Source

Set up your first log source to verify data ingestion:

  1. Navigate to Data Sources or Integrations

  2. Select appropriate data source type (Filebeat, Winlogbeat, etc.)

  3. Follow configuration wizard

  4. Deploy agent to target system

  5. Start agent service

Verify Data Ingestion

Confirm that data is flowing into Energylogserver:

# Check if data is being indexed
curl -s -u "$CREDENTIAL" 'localhost:9200/_cat/indices?v'

# View recent documents (quote the URL: an unquoted & would send curl to the background)
curl -s -u "$CREDENTIAL" 'localhost:9200/*/_search?size=5&pretty'
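A small parser for the `_cat/indices?v` table, as an added example (not part of Energylogserver), that turns the output of the first command above into an ingestion verdict: it lists the indices that actually hold documents and ignores internal dot-prefixed indices, so an empty result means no agent data has arrived yet. The same parser reads the `.blacklists` check in the threat-intelligence section, which uses the same API. The sample output is constructed; the index names, UUIDs and counts in it are invented.

```python
"""Turn `_cat/indices?v` output into a quick ingestion verdict.

Added example; not part of Energylogserver. SAMPLE_CAT is constructed output
in the default column layout of the _cat/indices API (header line first);
the index names, UUIDs and counts are invented.
"""

# Constructed sample of `curl -u "$CREDENTIAL" 'localhost:9200/_cat/indices?v'`.
SAMPLE_CAT = """\
health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   filebeat-2024.05.01   Qx3bR9tLSv2WkEJZ1n8yHw   1   0       1532            0      1.2mb          1.2mb
green  open   winlogbeat-2024.05.01 Lp7kA2dQT0iX4cVm9sUeNg   1   0          0            0       230b           230b
green  open   .blacklists           Zr1nM6wYRqa8JtD3hFcKbA   1   0       8412            0      3.9mb          3.9mb
green  open   .kibana               Hs5vE0pGSxmN2bY7qLaWtQ   1   0         12            0     55.3kb         55.3kb
"""


def parse_cat_indices(text):
    """Parse the `?v` table into a list of dicts keyed by the header names."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # e.g. a closed index with blank columns; skip rather than misalign
        rows.append(dict(zip(header, fields)))
    return rows


def indices_with_data(text, include_system=False):
    """Return [(index, docs.count)] for indices that hold at least one document.

    Indices whose name starts with '.' (.kibana, .blacklists, ...) are internal
    and are excluded unless include_system is True, so an empty result means
    no agent data has been indexed yet.
    """
    result = []
    for row in parse_cat_indices(text):
        name = row["index"]
        if name.startswith(".") and not include_system:
            continue
        count = int(row["docs.count"])
        if count > 0:
            result.append((name, count))
    return result


def ingestion_ok(text):
    """True when at least one non-system index has documents."""
    return bool(indices_with_data(text))


if __name__ == "__main__":
    for name, count in indices_with_data(SAMPLE_CAT):
        print(f"{name}: {count} documents")
    print("ingestion OK" if ingestion_ok(SAMPLE_CAT) else "no data ingested yet")
```

An index that exists but shows docs.count 0 (winlogbeat in the sample) usually means the agent connected and the index template was applied, but no events were shipped: check the agent's own log and its module configuration before suspecting the server.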

In the ELS Console:

  1. Go to Discover section

  2. Select appropriate index pattern

  3. Verify that recent logs are visible

  4. Explore pre-built dashboards