Installation
The Energy Logserver installer is delivered as:
RPM packages
Installation script:
install.sh
Prerequisites and Environment Preparation
Before beginning installation, prepare your system environment.
System Requirements Check
Verify your system meets minimum requirements:
# Check CPU cores
nproc
# Check available memory
free -h
# Check disk space
df -h
System Configuration
Configure system limits and kernel parameters:
# Verify critical settings
sysctl vm.max_map_count # Should be >= 262144
ulimit -n # Should be >= 65536
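A pre-install check that turns the commands above into pass/fail verdicts (an added example, not part of the Energy Logserver installer). The minimum values are the ones this guide states; the remediation hints are standard Linux settings, not vendor-specific ones.

```shell
#!/bin/bash
# Added example (not the vendor's tooling): pre-install check against the
# minimums named in the guide. MIN_* values come from the guide itself.
MIN_MAP_COUNT=262144
MIN_NOFILE=65536

# check_min NAME ACTUAL MINIMUM: print a verdict line; return 0 if ACTUAL >= MINIMUM.
# "unlimited" (a possible ulimit value) counts as sufficient; a non-number fails.
check_min() {
    local name=$1 actual=$2 minimum=$3
    if [ "$actual" = "unlimited" ] || { [ "$actual" -ge "$minimum" ] 2>/dev/null; }; then
        echo "OK    $name=$actual (minimum $minimum)"
        return 0
    fi
    echo "FAIL  $name=$actual (minimum $minimum)"
    return 1
}

# preflight: read the live values, check each one, print the resource figures
# the guide asks for, and return the number of failed checks (0 = host ready).
preflight() {
    local failures=0 map_count nofile
    map_count=$(sysctl -n vm.max_map_count 2>/dev/null || echo 0)
    nofile=$(ulimit -n)
    check_min vm.max_map_count "$map_count" "$MIN_MAP_COUNT" ||
        { failures=$((failures + 1)); echo "  fix: sysctl -w vm.max_map_count=$MIN_MAP_COUNT (persist in /etc/sysctl.d/)"; }
    check_min "ulimit -n" "$nofile" "$MIN_NOFILE" ||
        { failures=$((failures + 1)); echo "  fix: raise nofile in /etc/security/limits.conf or LimitNOFILE= in the unit"; }
    echo "CPU cores: $(nproc)"
    echo "Memory:    $(free -h | awk '/^Mem:/ {print $2 " total, " $7 " available"}')"
    echo "Disk:      $(df -h / | awk 'NR==2 {print $4 " free on /"}')"
    return "$failures"
}

# Run the checks when executed directly (skipped when the file is sourced).
if [ "${BASH_SOURCE:-}" = "$0" ]; then
    preflight || echo "host not ready: $? check(s) failed"
fi
```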
Download Installation Packages
Download Energy Logserver packages from the customer portal or the provided distribution link. Place all RPM packages and the install.sh script in a single directory on the target host.
Installation Methods
Interactive Installation using “install.sh”
Energy Logserver comes with a simple installation script called install.sh, which guides the installation and deployment process. When executed, it detects the supported distribution and asks which components to install. The script is located in the install directory.
Note
Before running install.sh, make sure you are located in the install directory. Failing to do so will cause the script to fail.
cd install
./install.sh
Installation process:
Unpack the archive containing the installer:
tar xjf energylogserver-7.8.0.x86_64.tar.bz2
Unpack the archive containing the SIEM installer (only in SIEM plan):
tar xjf energylogserver-siem-plan-7.8.0.x86_64.tar.bz2
Copy license to installation directory:
cp es_*.* install/
Navigate to the installation directory and run installation script:
cd install
./install.sh -i
During interactive installation you will be asked about:
Install & configure Network Probe with custom Energy Logserver Configuration - including Beats, Syslog, Blacklist, Netflow, Winrm, Logtrail, OP5, etc.
Install the ELS Console, as well as other console dependencies
Install the ELS Data Node, as well as other data-node dependencies
Load the Energy Logserver custom dashboards, alerts and configurations
Non-interactive Installation Mode using “install.sh”
The install.sh script can also run without any prompts requiring user interaction, which is useful for automated deployment. In this mode you pass options that select the components to install (e.g., data node, ELS Console).
Examples:
Install only data node components:
./install.sh -n -d
Install both data node and ELS Console components:
./install.sh -n -c -d
Installation Verification
Note
In the commands below, $CREDENTIAL refers to the logserver user credentials in user:password format. The default credentials are set during installation. To change them, use the logserver-password-util.sh utility described in Post-Installation Steps.
Check Cluster/Indices Status and ELS Data Node Information
Verify installation by checking the status of ELS Data Node:
curl -s -u $CREDENTIAL localhost:9200/_cluster/health?pretty
Expected response showing cluster health:
{
"cluster_name" : "logserver",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"active_primary_shards" : 25,
"active_shards" : 25,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
Check ELS Data Node details:
curl -s -u $CREDENTIAL localhost:9200
If everything went correctly, you should see 100% allocated shards in cluster health.
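The verification above can be scripted so that a deployment pipeline gets a clear pass/fail instead of a JSON dump to read by eye. This is an added example, not vendor tooling; the samples are constructed copies of the expected response, and the curl line is the one from this guide.

```shell
#!/bin/bash
# Added example (not the vendor's tooling): decide from the cluster health
# response whether the ELS Data Node installation is sound.

# json_field JSON KEY: print the value of a top-level "key" : value pair
# (quotes stripped; empty if the key is absent). Enough for this flat response.
json_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",]*\).*/\1/p" | head -n 1
}

# verify_health JSON: return 0 only if status is green, no shards are
# unassigned and 100% of shards are allocated; print the reason otherwise.
verify_health() {
    local json=$1 status unassigned pct
    status=$(json_field "$json" status)
    unassigned=$(json_field "$json" unassigned_shards)
    pct=$(json_field "$json" active_shards_percent_as_number)
    unassigned=${unassigned:-0}; pct=${pct:-0}
    if [ -z "$status" ]; then
        echo "no cluster health in response (wrong credentials or node not up?)"; return 1
    fi
    if [ "$status" != "green" ]; then
        echo "cluster status is $status, expected green"; return 1
    fi
    if [ "$unassigned" -ne 0 ] || [ "${pct%%.*}" -ne 100 ]; then
        echo "shards not fully allocated: unassigned=$unassigned, allocated=$pct%"; return 1
    fi
    echo "cluster health OK: status=$status, allocated=$pct%"
}

# check_cluster: fetch live health with the guide's curl command and verify it.
check_cluster() {
    verify_health "$(curl -s -u "$CREDENTIAL" localhost:9200/_cluster/health?pretty)"
}

# Constructed samples: the guide's expected response, and a degraded variant.
SAMPLE_HEALTHY='{
  "cluster_name" : "logserver",
  "status" : "green",
  "number_of_nodes" : 1,
  "unassigned_shards" : 0,
  "active_shards_percent_as_number" : 100.0
}'
SAMPLE_DEGRADED=$(printf '%s' "$SAMPLE_HEALTHY" | sed 's/"green"/"yellow"/; s/: 0$/: 2/; s/100.0/92.0/')

# Exercise both samples when executed directly (skipped when sourced).
if [ "${BASH_SOURCE:-}" = "$0" ]; then
    verify_health "$SAMPLE_HEALTHY"
    verify_health "$SAMPLE_DEGRADED" || true
fi
```

Replace the sample call with `check_cluster` once $CREDENTIAL is set to run it against the live node.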
Post Installation Configuration
Configure ELS Data Node Cluster Settings
Edit the main configuration file:
vi /etc/logserver/logserver.yml
Add all IPs of ELS Data Nodes in the discovery directive:
discovery.seed_hosts: ["172.10.0.1:9300", "172.10.0.2:9300"]
Start Services
Start Energy Logserver services. The services are grouped by function.
Core services (all deployments):
systemctl start logserver # ELS Data Node
systemctl start logserver-gui # ELS Console
systemctl start logserver-probe # ELS Network Node (Logstash)
systemctl start license-service # License verification
systemctl start cerebro # Cluster management UI
Security services (SIEM Plan):
systemctl start alert # Alert engine
systemctl start skimmer # Data processing
systemctl start intelligence # Threat intelligence
systemctl start intelligence-scheduler # Scheduled intelligence updates
systemctl start wazuh-manager # SIEM agent management
Optional services:
systemctl start e-doc # Documentation service
systemctl start automation # Task automation
Note
Not all services are required on every node. The install.sh script enables only the services relevant to the selected installation profile. In multi-node deployments, each node runs only its designated services.
Configure Data Sources and Agents
Example agent configuration files and additional documentation are located in the Agents UI module:
Filebeat - Log file shipping
Winlogbeat - Windows event log shipping
Metricbeat - System and service metrics
Packetbeat - Network packet analysis
OP5 Naemon logs - OP5 monitoring integration
OP5 performance data - OP5 metrics integration
SIEM Agents Configuration
Configure SIEM agents for security event collection:
Agent Connection Ports
Port 1514 (TCP) - Primary agent connection service
Port 1514 (UDP) - Optional agent connection service (disabled by default)
Port 1515 (TCP) - Agent enrollment service
Port 1516 (TCP) - SIEM cluster daemon communication
Port 55000 (TCP) - SIEM server RESTful API
Agent Installation
Download SIEM agent package for target operating system
Install agent using system package manager
Configure agent to connect to SIEM service
Enroll agent using port 1515
Verify connectivity through port 1514
Blacklist and Threat Intelligence Setup
Configure automated threat intelligence updates for enhanced security monitoring.
Blacklist Creation Methods
Crontab scheduling - Traditional cron-based updates
ELS Console scheduler - GUI-based scheduling
Network Probe input - Preferred method for real-time updates
Instructions for Network Probe setup: Network Probe Installation
Scheduling Bad IP Lists Update
Requirements:
Credentials configured in scripts:
misp_threat_lists.sh
Option 1: Cron scheduling (host with Network Probe installed)
# Add to /etc/crontab
0 2 * * * user /etc/logserver-probe/lists/bin/misp_threat_lists.sh
Option 2: ELS Console Scheduler (only if Network Probe runs on the same host)
Prepare script path:
/bin/ln -sfn /etc/logserver-probe/lists/bin /opt/ai/bin/lists
chown <user>:<group> /etc/logserver-probe/lists/ # Replace with appropriate user and group
chmod g+w /etc/logserver-probe/lists/
Configure in ELS Console Scheduler app:
Name: MispThreatList
Cron pattern:
0 2 * * *
Command: lists/misp_threat_lists.sh
Category: network-probe
Warning
The credentials shown are default values. Change them immediately after installation.
Verify blacklists index creation:
curl -sS -u $CREDENTIAL -XGET '127.0.0.1:9200/_cat/indices/.blacklists?s=index&v'
Post-Installation Steps
Change Default Credentials
After installation, change the default credentials using the password utility:
/usr/share/logserver/utils/logserver-password-util.sh -s
The utility supports the following commands:
| Command | Description |
|---|---|
| | Set or change a credential |
| | List stored credentials |
| | Delete a credential |
| | Get a credential value |
| | Display help |
Supported credential types: logserver, kibana, scheduler, intelligence, alert, wazuh.
Credentials are stored in the keystore at /etc/logserver-store/logserver.keystore.
Warning
Change the default credentials immediately after installation. Default credentials in a production environment pose a security risk.