Installation
The Energy Logserver installer is delivered as:
RPM packages
Installation script:
install.sh
Prerequisites and Environment Preparation
Before beginning installation, prepare your system environment.
System Requirements Check
Verify your system meets minimum requirements:
# Check CPU cores
nproc
# Check available memory
free -h
# Check disk space
df -h
System Configuration
The installer sets these parameters automatically via RPM post-install scripts, but applying them before running install.sh avoids startup failures if the environment is restricted.
Kernel parameters
Check current values:
sysctl vm.max_map_count vm.swappiness net.ipv4.tcp_retries2
Required values:
| Parameter | Required value | Purpose |
|---|---|---|
| vm.max_map_count | 262144 | OpenSearch memory-mapped files limit |
| vm.swappiness | 1 | Minimise OS swapping of JVM heap |
| net.ipv4.tcp_retries2 | 5 | Faster detection of failed cluster connections |
If any value is wrong, apply all three and make them persistent:
cat > /etc/sysctl.d/90-logserver.conf << 'EOF'
vm.max_map_count=262144
vm.swappiness=1
net.ipv4.tcp_retries2=5
EOF
sysctl --system
File descriptor limits
ulimit -n # Required: 262144
If the value is lower, create the limits file:
cat > /etc/security/limits.d/30-logserver.conf << 'EOF'
logserver - memlock unlimited
logserver - nproc unlimited
logserver - nofile 262144
logserver - fsize unlimited
EOF
Log out and back in for the new limits to take effect.
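The following pre-flight script is an added example, not part of the Energy Logserver installer: it compares the three kernel parameters and the open-files limit with the values required above and reports every mismatch before install.sh is run. Values are passed in as arguments, so the same function can be run against output captured from another host.

```shell
#!/bin/sh
# Added example (not part of install.sh): checks kernel parameters and the
# open-files limit against the values required by this guide.

# Required values from the guide.
REQ_MAX_MAP_COUNT=262144
REQ_SWAPPINESS=1
REQ_TCP_RETRIES2=5
REQ_NOFILE=262144

# check_prereqs SYSCTL_OUTPUT NOFILE
#   SYSCTL_OUTPUT: "key = value" lines as printed by
#     sysctl vm.max_map_count vm.swappiness net.ipv4.tcp_retries2
#   NOFILE: the number (or "unlimited") printed by ulimit -n
# Prints one MISMATCH line per wrong or missing value; returns 0 only when
# every value meets the requirement.
check_prereqs() {
    sysctl_out=$1
    nofile=$2
    status=0
    for spec in "vm.max_map_count:$REQ_MAX_MAP_COUNT" \
                "vm.swappiness:$REQ_SWAPPINESS" \
                "net.ipv4.tcp_retries2:$REQ_TCP_RETRIES2"; do
        key=${spec%%:*}
        need=${spec#*:}
        # Third field of "key = value"; a missing key yields an empty string.
        have=$(printf '%s\n' "$sysctl_out" | awk -v k="$key" '$1 == k { print $3 }')
        if [ "$have" != "$need" ]; then
            echo "MISMATCH $key: have '${have:-unset}', need $need"
            status=1
        fi
    done
    # The limits file sets nofile to 262144; "unlimited" also satisfies it.
    case "$nofile" in
        unlimited) ;;
        ''|*[!0-9]*)
            echo "MISMATCH nofile: have '${nofile:-unset}', need $REQ_NOFILE"
            status=1 ;;
        *)
            if [ "$nofile" -lt "$REQ_NOFILE" ]; then
                echo "MISMATCH nofile: have $nofile, need $REQ_NOFILE"
                status=1
            fi ;;
    esac
    return $status
}

# Live check of this host: ./check_prereqs.sh --live
if [ "${1:-}" = "--live" ]; then
    check_prereqs "$(sysctl vm.max_map_count vm.swappiness net.ipv4.tcp_retries2)" "$(ulimit -n)"
fi
```

Run it with --live after applying the sysctl and limits files; a non-zero exit means at least one value still needs attention.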
Download Installation Packages
Download Energy Logserver packages from the customer portal or the provided distribution link. Place all RPM packages and the install.sh script in a single directory on the target host.
Installation Methods
Interactive Installation using “install.sh”
Energy Logserver comes with a simple installation script called install.sh. It is designed to facilitate the installation and deployment process. After executing the script, it will detect the supported distribution and ask about the components to install. The script is located in the install directory.
Note
Before running install.sh, make sure you are located in the install directory. Failing to do so will cause the script to fail.
cd install
./install.sh
Installation process:
Unpack the archive containing the installer:
tar xjf energy-logserver-8.0.0.x86_64.tar.bz2
Unpack the archive containing the SIEM installer (only in SIEM plan):
tar xjf energy-logserver-siem-plan-8.0.0.x86_64.tar.bz2
Copy license to installation directory:
cp es_*.* install/
Navigate to the installation directory and run installation script:
cd install
./install.sh -i
During interactive installation you will be asked about:
Install & configure Network Probe with custom Energy Logserver Configuration - including Beats, Syslog, Blacklist, Netflow, Winrm, Logtrail, OP5, etc.
Install the ELS Console, as well as other console dependencies
Install the ELS Data Node, as well as other data-node dependencies
Load the Energy Logserver custom dashboards, alerts and configurations
Non-interactive Installation Mode using “install.sh”
The -n|--noninteractive flag answers “Yes” to every component prompt during installation, installing every available component on the target host. This mode is intended for automated all-in-one deployments:
./install.sh -i -n
Note
Component selection flags (-d, -c, -p, -s) do not restrict the installation when combined with -n — every component prompt is still answered “Yes” regardless of which flags are passed. To install only selected components, run the installer in interactive mode and answer the remaining prompts manually.
Interactive mode with preselected components:
Without -n, component flags preselect the answer for a given component prompt; the installer still asks about the remaining components, where you can decline the ones you do not want:
./install.sh -i -d # ELS Data Node preselected
./install.sh -i -p # Network Probe preselected (standalone sensor deployment)
Multi-node Cluster Installation
This section covers adding a new node to an existing cluster. For a single-node deployment, skip to Installation Verification.
Prerequisites
The first node of the cluster must already be installed and running.
The new node must have the Energy Logserver packages unpacked and the install.sh script available.
/etc/logserver-store/logserver.keystore must be present on the new node before running ./install.sh configure. This file is created during the first node’s installation. Copy it from the existing node if it is not present.
Procedure
Run the installer on the new node:
cd install
./install.sh -i
When the installer asks:
====> Is this node a part of an existing cluster? [y/n]
Answer Y. The installer exits and prompts you to update the node configuration before continuing.
Edit the main configuration file:
vi /etc/logserver/logserver.yml
Set the following parameters:
| Parameter | Value |
|---|---|
| cluster.name | Same as the existing cluster |
| node.name | Unique name for this node |
| node.master | true or false |
| node.data | true or false |
| discovery.seed_hosts | IP addresses and ports of existing cluster nodes, e.g. ["10.0.0.4:9300", "10.0.0.5:9300"] |
Note
When binding network.host to a specific IP, include 127.0.0.1 or _local_ in the list. Tools such as install.sh and logserver-password-util.sh connect to http://127.0.0.1:9200 and fail with Connection refused if the loopback address is missing.
If the new node has the data role, clear the data directory before starting:
rm -rf /var/lib/logserver/*
Finalize the installation:
cd install
./install.sh configure
This command initializes the node and propagates credentials from the keystore. It requires /etc/logserver-store/logserver.keystore to be present.
For node role definitions, naming conventions, and a full configuration example, see Cluster Configuration.
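As an added pre-flight check (example code, not part of install.sh), the function below verifies the points above before ./install.sh configure is run on the new node: the keystore copied from the first node exists, cluster.name, node.name and discovery.seed_hosts are set, and a network.host bound to a specific address also lists 127.0.0.1 or _local_. The file paths are passed as arguments, and the parser only understands flat "key: value" lines in logserver.yml.

```shell
#!/bin/sh
# Added example (not part of the Energy Logserver installer): pre-flight check
# for a node joining an existing cluster, run before ./install.sh configure.

# yml_value FILE KEY_REGEX -> value of the first uncommented "KEY: value" line
yml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_node_config YML KEYSTORE
# Prints one FAIL line per problem; returns 0 only when every check passes.
check_node_config() {
    yml=$1
    keystore=$2
    rc=0
    # The keystore is created on the first node and must be copied over.
    if [ ! -f "$keystore" ]; then
        echo "FAIL keystore missing: $keystore (copy it from an existing node)"
        rc=1
    fi
    # Keys every joining node must set (node.master / node.data are optional).
    for key in cluster.name node.name discovery.seed_hosts; do
        pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
        if [ -z "$(yml_value "$yml" "$pattern")" ]; then
            echo "FAIL $key is not set in $yml"
            rc=1
        fi
    done
    # install.sh and logserver-password-util.sh connect to 127.0.0.1:9200, so
    # a network.host bound to a specific IP must also include the loopback
    # address (_local_); 0.0.0.0 already covers it.
    host=$(yml_value "$yml" 'network\.host')
    if [ -n "$host" ] && ! printf '%s' "$host" | grep -qE '127\.0\.0\.1|_local_|0\.0\.0\.0'; then
        echo "FAIL network.host=$host lacks 127.0.0.1 or _local_; local tools will get Connection refused"
        rc=1
    fi
    return $rc
}

# Usage on the new node (paths from the guide):
# check_node_config /etc/logserver/logserver.yml /etc/logserver-store/logserver.keystore
```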
Installation Verification
Note
In the commands below, $CREDENTIAL refers to the logserver user credentials in user:password format. The default credentials are set during installation. To change them, use the logserver-password-util.sh utility described in Post-Installation Steps.
Check Cluster/Indices Status and ELS Data Node Information
Verify installation by checking the status of ELS Data Node:
curl -s -u $CREDENTIAL localhost:9200/_cluster/health?pretty
Expected response showing cluster health:
{
"cluster_name" : "logserver",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"active_primary_shards" : 25,
"active_shards" : 25,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
Check ELS Data Node details:
curl -s -u $CREDENTIAL localhost:9200
If everything went correctly, you should see 100% allocated shards in cluster health.
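The following functions are an added example, not part of the Energy Logserver tooling: they turn the cluster health response above into a pass/fail check that an unattended post-install script can act on. assess_health accepts the JSON text and returns 0 only when the status is green and every shard is allocated; fetch_and_assess wraps the curl call from the guide. The parsing assumes the pretty-printed one-key-per-line layout shown above.

```shell
#!/bin/sh
# Added example (not the project's own tooling): post-install verification of
# the _cluster/health response.

# json_field JSON KEY -> bare value of the "KEY" : value line (quotes removed)
json_field() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\([^,]*\),*[[:space:]]*$/\1/p" \
        | tr -d '"'
}

# assess_health JSON -> prints a verdict; returns 0 only for a fully healthy cluster
assess_health() {
    json=$1
    status=$(json_field "$json" status)
    unassigned=$(json_field "$json" unassigned_shards)
    pct=$(json_field "$json" active_shards_percent_as_number)
    nodes=$(json_field "$json" number_of_nodes)
    case "$status" in
        green) ;;
        yellow|red)
            echo "FAIL cluster status is $status (unassigned shards: ${unassigned:-?})"
            return 1 ;;
        *)
            # Empty or unexpected response (node down, wrong credentials, ...).
            echo "FAIL could not read cluster status from the response"
            return 1 ;;
    esac
    # The guide's success criterion: 100% of shards allocated, none unassigned.
    if [ "${unassigned:-1}" != "0" ] || [ "${pct%.*}" != "100" ]; then
        echo "FAIL shards not fully allocated: ${pct:-?}% active, ${unassigned:-?} unassigned"
        return 1
    fi
    echo "OK cluster green, ${nodes:-?} node(s), 100% of shards allocated"
    return 0
}

# fetch_and_assess CREDENTIAL (user:password, as in the guide). The timeout
# keeps a hung node from blocking an unattended script.
fetch_and_assess() {
    assess_health "$(curl -s --max-time 10 -u "$1" localhost:9200/_cluster/health?pretty)"
}
```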
Post Installation Configuration
Configure ELS Data Node Cluster Settings
Edit the main configuration file:
vi /etc/logserver/logserver.yml
Add all IPs of ELS Data Nodes in the discovery directive:
discovery.seed_hosts: ["172.10.0.1:9300", "172.10.0.2:9300"]
Note
When binding network.host to a specific IP, include 127.0.0.1 or _local_ in the list:
network.host: ["10.x.x.x", "127.0.0.1"]
Tools such as install.sh and logserver-password-util.sh connect to http://127.0.0.1:9200. Without the loopback address they fail with Connection refused.
Start Services
Start Energy Logserver services. The services are grouped by function.
Core services (all deployments):
systemctl start logserver # ELS Data Node
systemctl start logserver-gui # ELS Console
systemctl start logserver-probe # ELS Network Node (Logstash)
systemctl start license-service # License verification
systemctl start cerebro # Cluster management UI
Security services (SIEM Plan):
systemctl start alert # Alert engine
systemctl start skimmer # Data processing
systemctl start intelligence # Threat intelligence
systemctl start intelligence-scheduler # Scheduled intelligence updates
systemctl start wazuh-manager # SIEM agent management
Optional services:
systemctl start e-doc # Documentation service
systemctl start automation # Task automation
Note
Not all services are required on every node. The install.sh script enables only the services relevant to the selected installation profile. In multi-node deployments, each node runs only its designated services.
Configure Data Sources and Agents
Example agent configuration files and additional documentation are located in the Agents UI module:
Filebeat - Log file shipping
Winlogbeat - Windows event log shipping
Metricbeat - System and service metrics
Packetbeat - Network packet analysis
OP5 Naemon logs - OP5 monitoring integration
OP5 performance data - OP5 metrics integration
SIEM Agents Configuration
Configure SIEM agents for security event collection:
Agent Connection Ports
Port 1514 (TCP) - Primary agent connection service
Port 1514 (UDP) - Optional agent connection service (disabled by default)
Port 1515 (TCP) - Agent enrollment service
Port 1516 (TCP) - SIEM cluster daemon communication
Port 55000 (TCP) - SIEM server RESTful API
Agent Installation
Download SIEM agent package for target operating system
Install agent using system package manager
Configure agent to connect to SIEM service
Enroll agent using port 1515
Verify connectivity through port 1514
Blacklist and Threat Intelligence Setup
Configure automated threat intelligence updates for enhanced security monitoring.
Blacklist Creation Methods
Crontab scheduling - Traditional cron-based updates
ELS Console scheduler - GUI-based scheduling
Network Probe input - Preferred method for real-time updates
Instructions for Network Probe setup: Network Probe Installation
Scheduling Bad IP Lists Update
Requirements:
Credentials configured in scripts:
misp_threat_lists.sh
Option 1: Cron scheduling (host with Network Probe installed)
# Add to /etc/crontab
0 2 * * * user /etc/logserver-probe/lists/bin/misp_threat_lists.sh
Option 2: ELS Console Scheduler (only if Network Probe runs on the same host)
Prepare the script path:
/bin/ln -sfn /etc/logserver-probe/lists/bin /opt/ai/bin/lists
chown <user>:<group> /etc/logserver-probe/lists/ # Replace with appropriate user and group
chmod g+w /etc/logserver-probe/lists/
Configure in ELS Console Scheduler app:
Name: MispThreatList
Cron pattern: 0 2 * * *
Command: lists/misp_threat_lists.sh
Category: network-probe
Warning
The credentials shown are default values. Change them immediately after installation.
Verify blacklists index creation:
curl -sS -u $CREDENTIAL -XGET '127.0.0.1:9200/_cat/indices/.blacklists?s=index&v'
Post-Installation Steps
Change Default Credentials
After installation, change the default credentials using the password utility:
/usr/share/elasticsearch/utils/logserver-password-util.sh update_credentials
The utility supports the following commands:
| Command | Description |
|---|---|
| | Change the password for a selected user and update related services |
| | Update service configuration files with credentials from the keystore |
| | List users currently saved in the keystore |
| | Retrieve the password for a single user |
| | Verify stored credentials against the database |
Common options:
| Option | Description |
|---|---|
| | Comma-separated list of users to update (default: all) |
| | Custom directory for the keystore |
| | Custom Logserver database URL (if no local database node) |
| | Skip credential verification against the database |
| | Automatically answer yes to all prompts |
| | Only update configuration files, do not restart services |
| | Print debug messages |
| | Print only error messages |
| | Display help message |
Each system component authenticates to the Logserver database using a dedicated internal account. The password utility manages these credentials — it stores them in a central keystore and propagates changes to the configuration files of the related services.
The following accounts are managed by the utility:
| Account | Related service(s) |
|---|---|
| | logserver-gui, cerebro, skimmer, logserver-probe |
| | alert |
| | e-doc |
| | intelligence, intelligence-scheduler |
| | license-service |
| | logserver-probe |
| | logserver-probe |
Credentials are stored in the keystore at /etc/logserver-store/logserver.keystore.
Warning
Change the default credentials immediately after installation. Default credentials in a production environment pose a security risk.