- First, install Elasticsearch. Download links are included in the Notes section below.
- For Locations, it is fine to take the default directory options. Click Next when done.
- For Services, it is fine to take the default options. Click Next when done.
- For Configuration, change the Network Host address to match the IP that external connections will be made over, then click Next when done.
- Under Plugins, you can take the defaults, then click Next when done.
- For X-Pack, once again, it is fine to take the defaults. Click Install when ready.
- At this screen, the install is complete.
Verify the install
- Verify that the Elasticsearch service is started in Windows services.
- Verify the install by connecting to the server with a web browser or by using the Chrome plug-in Elasticsearch Head. The plug-in shows much more information about the server, including cluster health.
Add the join-search plug-in
- Install the join-search-plugin, which can be found in the tools folder of your RSA Archer install.
- Copy it to every node of your Elasticsearch cluster and install it on each node as follows.
C:\Program Files\Elastic\Elasticsearch\6.6.1\bin>elasticsearch-plugin install "file:///C:\Users\Administrator\Downloads\join-search-plugin-6.6.1.zip"
-> Downloading file:///C:\Users\Administrator\Downloads\join-search-plugin-6.6.1.zip
-> Installed join-search-plugin
Configure RSA Archer to use Elasticsearch
- Now it is time to configure RSA Archer to use Elasticsearch. Open up the Archer Control Panel and go to the Installation Settings > General tab and scroll down to the Elasticsearch section.
- Check the Enable Elasticsearch box, type the cluster name in the Cluster Name field, then click Add New. The URL is the same one you used to connect from the browser.
- Click OK, then click the blue + to add this as a cluster. It will now appear in the dropdown.
- Click the Test Availability link. You should see a success message:
A failure produces an error popup. If you do not see one, make sure the ACP window is maximized; otherwise the popup can be dropped due to browser scaling issues. Also check for any firewalls between the Elasticsearch server and Archer. The relevant log file has "index" in its name and lives in the log folder defined in the ACP.
- Save the configuration changes, and go to the General tab in your Archer instance. Scroll down to the Search Index section.
- Next to Elasticsearch, check the box labeled Check this flag to use Elasticsearch as a search data source.
- Select the Indexing Server from the dropdown and the cluster you just added. This indexing server will be the server running the Archer Indexing Service, not the Elasticsearch server.
- Check the Enable Authentication box only if you are securing your Elasticsearch Cluster with something like X-pack or Search Guard. Out of the box, it is not enabled and it is not required here.
- Click Save and you are prompted to rebuild the index.
- Press the Rebuild Elasticsearch index button which is located in the upper right-hand corner of the screen.
- Read the popup message and click Yes to continue.
- Click the report link to the right of the Rebuild Elasticsearch Index button to see the progress.
- Hit Refresh to update the progress. Once the rebuild shows completed, you are done.
- You can also use Elasticsearch Head to view the Indexes.
Notes
- RSA Archer follows a bring-your-own model for Elasticsearch, meaning that we support integrating with the Elasticsearch deployment you already have. We do work with the basic (free) license, and the intent of this guide is not to replace any documentation, guidance, or support provided by Elastic.
- RSA Archer 6.5 supports Elasticsearch version 6.2.4, RSA Archer 6.6 supports 6.6.1, RSA Archer 6.7 supports 6.8.3. The plug-in provided for each will only work with that specific version.
- Cloud-provided Elasticsearch services are currently not supported.
- Elasticsearch does not require authentication for connections by default, and RSA Archer does not require it. We have validated that Search-Guard does work and is supported. Elastic's X-Pack Security has not been tested and is not currently supported.
- Elasticsearch hardware recommendations should be followed strictly. Records are added to a queue in batches of 100 and pulled from the queue to be indexed. The queue is capped at 1,000 records; if the indexing rate is insufficient, the overflow records are rejected, which shows up as errors in the logs and in the index rebuild report. The system does keep track of records that were not indexed and retries them at the end, but the errors could raise questions, especially during the initial index build.
- The steps in this guide are for RSA Archer 6.6, but will be similar for 6.5 and 6.7. The Windows version was used in these examples. Consult with Elastic for detailed instructions.
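The verification step above and the version and authentication notes can be checked in one place before pointing Archer at the cluster. The following script is an added example, not part of this guide or of RSA Archer's tooling; it reads the responses of the GET /, GET /_cluster/health and GET /_cat/plugins endpoints, and the probe() wrapper, the base URL and the sample responses are assumptions.

```python
"""Pre-flight checks for an Elasticsearch cluster that RSA Archer will index into.
Added example, not part of the original guide or of RSA Archer's tooling; probe() is a
hypothetical live wrapper, check_cluster() works on the endpoints' JSON so it runs offline."""
import json
import urllib.error
import urllib.request

# RSA Archer release -> the only Elasticsearch version its join-search plug-in works with (per the guide)
SUPPORTED = {"6.5": "6.2.4", "6.6": "6.6.1", "6.7": "6.8.3"}

def fetch_json(base_url, path, timeout=5):
    """GET base_url + path (e.g. http://es-host:9200/_cluster/health) and parse the JSON body."""
    with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
        return json.load(resp)

def check_cluster(archer_version, root, health, plugins):
    """root = GET /, health = GET /_cluster/health, plugins = GET /_cat/plugins?format=json; [] = ready."""
    findings = []
    es_version = root.get("version", {}).get("number")
    expected = SUPPORTED[archer_version]  # KeyError for an Archer release the guide does not cover
    if es_version != expected:
        findings.append(f"Elasticsearch {es_version} found; RSA Archer {archer_version} requires {expected}")
    if health.get("status") == "red":
        findings.append("cluster health is red")
    # The plug-in must be on every node, and each copy only works with its own Elasticsearch version.
    nodes_with_plugin = {p["name"] for p in plugins if p.get("component") == "join-search-plugin"}
    missing = health.get("number_of_nodes", 0) - len(nodes_with_plugin)
    if missing > 0:
        findings.append(f"join-search-plugin missing on {missing} node(s)")
    for p in plugins:
        if p.get("component") == "join-search-plugin" and p.get("version") != es_version:
            findings.append(f"join-search-plugin {p['version']} on {p['name']} does not match Elasticsearch {es_version}")
    return findings

def probe(base_url, archer_version):
    """Live check: HTTP 401 on GET / means the cluster is secured (e.g. Search Guard) and Archer needs Enable Authentication."""
    try:
        root = fetch_json(base_url, "/")
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return ["cluster requires authentication: tick Enable Authentication in Archer"]
        raise
    findings = ["cluster accepts unauthenticated requests: firewall it so only the Archer servers can reach it"]
    return findings + check_cluster(archer_version, root, fetch_json(base_url, "/_cluster/health"),
                                    fetch_json(base_url, "/_cat/plugins?format=json"))

# Constructed sample responses for a two-node 6.6.1 cluster where node-2 lacks the plug-in (not captured from a real system).
SAMPLE_ROOT = {"name": "node-1", "cluster_name": "archer-es", "version": {"number": "6.6.1"}}
SAMPLE_HEALTH = {"cluster_name": "archer-es", "status": "green", "number_of_nodes": 2}
SAMPLE_PLUGINS = [{"name": "node-1", "component": "join-search-plugin", "version": "6.6.1"}]
```

Run against the sample data, the check reports the node that is missing the plug-in; against a live cluster it also tells you whether the port answers without credentials, which is the default the notes describe.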