000037380 - How to install and configure Elasticsearch with RSA Archer 6.5 and 6.6.x

Document created by RSA Customer Support Employee on May 1, 2019
Last modified by RSA Customer Support Employee on May 1, 2019
Version 3

Article Content

Article Number: 000037380

Applies To:
RSA Product Set: Archer
RSA Product/Service Type: Searching, Indexing, Platform, Archer Control Panel
RSA Version/Condition: 6.5, 6.6.x
Platform: Elasticsearch

Issue: RSA Archer 6.5 and 6.6 introduce support for Elasticsearch.  The intent of this guide is to provide some instructions for setting up Elasticsearch with Archer.

Resolution

Install Elasticsearch



  1. First, install Elasticsearch.  Download links are included in the Notes section below.
    1. For Locations, it is fine to take the default directory options.  Click Next when done.
    2. For Services, it is fine to take the default options.  Click Next when done.
    3. For Configuration, change the Network Host address to match the IP that external connections will be made over, then click Next when done.
    4. Under Plugins, you can take the defaults, then click Next when done.
    5. For X-Pack, once again, it is fine to take the defaults.  Click Install when ready.
    6. At this screen the install is complete.


Verify the install



  1. Verify the Elasticsearch service is started in Windows services.
  2. Verify the install by connecting to the server with a web browser or by using the Chrome plugin, Elasticsearch Head.  This shows much more info about the server, including cluster health.



Add the join-search plugin



  1. Install the join-search-plugin, which can be found in the tools folder of your RSA Archer install.
  2. Copy it to every node of your Elasticsearch server and install it as follows.


C:\Program Files\Elastic\Elasticsearch\6.6.1\bin>elasticsearch-plugin install "file:///C:\Users\Administrator\Downloads\join-search-plugin-6.6.1.zip"
-> Downloading file:///C:\Users\Administrator\Downloads\join-search-plugin-6.6.1.zip
[=================================================] 100% 
-> Installed join-search-plugin



Configure RSA Archer to use Elasticsearch



  1. Now it is time to configure RSA Archer to use Elasticsearch.  Open the Archer Control Panel (ACP), go to the Installation Settings General tab, and scroll down to the Elasticsearch section.
  2. Check the Enable Elasticsearch box, then type the cluster name in the Cluster Name field, then click Add New.  The URL will be the same as the one used to connect using the browser.
  3. Click OK, then click on the blue + to add this as a cluster.  It will now appear in the dropdown.
  4. Click the Test Availability link.  You should see a success message.

     A failure comes with an error popup.  If you don't see that, then make sure your ACP window is maximized, otherwise it can get dropped due to browser scaling issues.  Also, check for any firewalls between the Elasticsearch server and Archer.  The log file has "index" in its name and is in the log folder defined in the ACP.

  5. Save the configuration changes and go to the General tab in your Archer instance.  Scroll down to the Search Index section.
  6. Next to Elasticsearch, check the box labeled Check this flag to use Elasticsearch as a search data source.
  7. Select the Indexing Server from the dropdown and the cluster you just added.  This indexing server will be the server running the Archer Indexing Service, not the Elasticsearch server.
  8. Check the Enable Authentication box only if you are securing your Elasticsearch cluster with something like X-Pack or Search Guard.  Out of the box, it is not enabled and it is not required here.
  9. Click Save and you will be prompted to rebuild the index.
  10. Press the Rebuild Elasticsearch Index button, which is located in the top right-hand corner of the screen.

      Read the popup message and click Yes to continue.

      Click the report link to the right of the Rebuild Elasticsearch Index button to see the progress.

      Hit Refresh to update the progress.  Once the rebuild shows completed, you are done.

  11. You can also use Elasticsearch Head to view the indexes.

Notes
  • RSA Archer follows a bring-your-own model for Elasticsearch, meaning that we support integrating with the Elasticsearch deployment you already have.  We do work with the basic (free) license, and the intent of this guide is not to replace any documentation, guidance or support provided by Elastic.
  • RSA Archer 6.5 supports Elasticsearch version 6.2.4 and RSA Archer 6.6 supports 6.6.1.  The plugin provided for each will only work with that specific version.
  • Cloud-provided Elasticsearch services are not supported at this time.
  • Elasticsearch does not require authentication for connections by default and RSA Archer does not require it.  X-Pack Security from Elastic and Search Guard are possible solutions.
  • Elasticsearch hardware recommendations should be followed strictly.  Records are added to a queue in batches of 100 and pulled from the queue to be indexed.  There is a 1,000 record cap to the queue and if the indexing rate is insufficient the overflow records will be rejected, which will show up as errors in the logs and the index rebuild report.  The system does keep track of records that are not indexed and will retry them at the end, but the errors could raise questions, especially during the initial index build.
  • The steps in this guide are for RSA Archer 6.6, but will be very similar for 6.5.   The Windows version was used in these examples.  Please consult with Elastic for detailed instructions.
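
A post-install check for the points above, added here as an example and not taken from RSA or Elastic: it confirms that the Elasticsearch version matches the Archer release, that join-search-plugin is present on every node, and whether the cluster answers requests that carry no credentials. The `$BaseUrl` value is a placeholder for the cluster URL entered in the Archer Control Panel; the endpoints are standard Elasticsearch REST APIs.

```powershell
# Added example (not RSA or Elastic code): post-install check of the cluster
# that Archer will index into. $BaseUrl is a placeholder for the cluster URL
# entered in the Archer Control Panel.
param(
    [string]$BaseUrl = 'http://es-node.example.internal:9200',
    [ValidateSet('6.5', '6.6')][string]$ArcherVersion = '6.6'
)

# Archer-to-Elasticsearch pairings as stated in the Notes of this article.
$supported = @{ '6.5' = '6.2.4'; '6.6' = '6.6.1' }
$expected  = $supported[$ArcherVersion]

function Get-EsJson([string]$Path) {
    # No credentials are sent on purpose: a reply means the cluster serves
    # unauthenticated requests from this host.
    Invoke-RestMethod -Uri "$BaseUrl$Path" -Method Get -TimeoutSec 10
}

try {
    $root = Get-EsJson '/'
} catch {
    $resp = $_.Exception.Response
    if ($resp -and [int]$resp.StatusCode -eq 401) {
        Write-Output 'HTTP 401: authentication is enforced. Repeat the checks with credentials.'
    } else {
        Write-Output "Cluster not reachable: $($_.Exception.Message)"
    }
    return
}

$health  = Get-EsJson '/_cluster/health'
$nodes   = Get-EsJson '/_cat/nodes?format=json&h=name'
$plugins = Get-EsJson '/_cat/plugins?format=json&h=name,component,version'

# The plugin must be installed on every node, so compare node names.
$withPlugin = @($plugins | Where-Object { $_.component -eq 'join-search-plugin' } |
    ForEach-Object { $_.name })
$missing = @($nodes | ForEach-Object { $_.name } | Where-Object { $_ -notin $withPlugin })

[pscustomobject]@{
    ClusterName          = $root.cluster_name
    Health               = $health.status
    Version              = $root.version.number
    VersionMatchesArcher = ($root.version.number -eq $expected)
    NodesMissingPlugin   = ($missing -join ', ')
    AnswersWithoutAuth   = $true   # reached only when no 401 was returned
}
```

If AnswersWithoutAuth is True on a cluster whose Network Host is an externally reachable address, limit access to the Elasticsearch port with a firewall or secure the cluster with X-Pack Security or Search Guard, then check Enable Authentication in Archer.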
