Install and Enroll Elastic Agents to Fleet Manager in Linux


This tutorial will take you through how you can install and enroll Elastic agents to Fleet manager in Linux. According to the Elastic Fleet and Elastic Agent overview page:

  • Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to each host. A single agent makes it easier and faster to deploy monitoring across your infrastructure. The agent’s single, unified policy makes it easier to add integrations for new data sources.
  • Fleet provides a web-based UI in Kibana to add and manage integrations for popular services and platforms, as well as manage a fleet of Elastic Agents.


Set up Elastic Fleet Server

In our previous tutorial, we learned how to ship logs to ELK stack using Elastic agents. The guide focused on setting up Fleet Server and installing Elastic agent on the Fleet server.

Ship System Logs to ELK Stack using Elastic Agents

Thus, before you can install and enroll Elastic agents to Fleet manager in Linux, you need to have set up the Fleet server as shown in the guide above.

Install Elastic Agent on Remote Hosts to Monitor

In this example setup, we have two remote hosts to monitor: a Debian 11 system and a Rocky Linux system.

There are various ways in which you can install Elastic agents:

  1. Using Tar archive
  2. Using DEB or RPM binary
  3. Install directly from Elastic repositories.

On Linux systems, it is recommended to install Elastic Agent from the TAR archive rather than from system packages (RPM/DEB), because an agent installed from the archive can be upgraded from Fleet.

Thus, we will be installing our Elastic agents in Linux using this method.

Download Elastic Agent Tar Archive

Navigate to the Elastic Agent downloads page and grab the installer for your respective system architecture.

The command below downloads Elastic Agent v7.16.0 for x86_64 systems:

wget https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-7.16.0-linux-x86_64.tar.gz

Extract the installer

Once the download is complete, extract the installer:

tar xzf elastic-agent-7.16.0-linux-x86_64.tar.gz
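Elastic publishes a .sha512 file next to every archive on artifacts.elastic.co, so the download above can be checked against it before anything is extracted. The script below is an added example written for this page, not code from the tutorial or from Elastic: it downloads the archive and its checksum file, refuses to extract on a mismatch, and otherwise prints the directory the archive unpacked into. The assumed layout is "<archive URL>.sha512" with the content "<hex digest>  <file name>"; the version and base URL are the ones used in the tutorial.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: download the Elastic Agent
# tar archive together with the .sha512 file published beside it, and only
# extract the archive when the digest matches.
# Assumption: the checksum file lives at "<archive URL>.sha512" and has the
# form "<hex digest>  <file name>".
set -eu

AGENT_VERSION="${AGENT_VERSION:-7.16.0}"
ARCHIVE="elastic-agent-${AGENT_VERSION}-linux-x86_64.tar.gz"
BASE_URL="https://artifacts.elastic.co/downloads/beats/elastic-agent"

# fetch_agent: download the archive and its checksum file (network required).
fetch_agent() {
  wget -q "${BASE_URL}/${ARCHIVE}" "${BASE_URL}/${ARCHIVE}.sha512"
}

# sha512_of FILE: print the lower-case hex SHA-512 digest of FILE.
sha512_of() {
  sha512sum "$1" | awk '{print $1}'
}

# verify_archive ARCHIVE SUMFILE: return 0 only when the digest recorded in
# SUMFILE matches ARCHIVE. An empty or malformed SUMFILE (anything that is not
# a 128-character hex digest) counts as a failure rather than a pass.
verify_archive() {
  local archive="$1" sumfile="$2" expected actual
  expected="$(awk 'NR==1 {print tolower($1)}' "$sumfile")"
  actual="$(sha512_of "$archive")"
  if [ "${#expected}" -ne 128 ] || [ "$expected" != "$actual" ]; then
    return 1
  fi
  return 0
}

# extract_verified ARCHIVE SUMFILE DESTDIR: verify first, then extract into
# DESTDIR and print the unpacked directory (the archive's name without .tar.gz).
extract_verified() {
  local archive="$1" sumfile="$2" dest="$3"
  if ! verify_archive "$archive" "$sumfile"; then
    echo "checksum mismatch for $archive; not extracting" >&2
    return 1
  fi
  mkdir -p "$dest"
  tar xzf "$archive" -C "$dest"
  echo "$dest/$(basename "$archive" .tar.gz)"
}

# Usage: run with --download to fetch and unpack into the current directory.
if [ "${1:-}" = "--download" ]; then
  fetch_agent
  extract_verified "$ARCHIVE" "$ARCHIVE.sha512" .
fi
```

Run it as `./get-agent.sh --download`; the functions can also be sourced and reused for other Elastic artifacts, since all of them ship with the same .sha512 companion file.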

Add Elastic Agent to Fleet

Next, log back in to Kibana and head over to Fleet > Agents > Add agent.

  • Choose the default agent policy already defined
  • Skip the agent installer download, as this was already done above.

Enroll Elastic Agent into Fleet Server

Copy the enrollment command and run it on the remote host where you are installing the agent.

The command for my case looks like this:

sudo ./elastic-agent install --url=https://192.168.58.22:8220 --enrollment-token=RWlxd3FIMEI5V1c4cGdBQ3dPdks6ZFpNTmp3d1BSWUtER0RJYjlwSzQtdw==

On the remote host where you downloaded the Elastic agent installer, navigate to the agent installer directory:

cd elastic-agent-7.16.0-linux-x86_64/

Paste the agent installation and enrollment command copied from the Fleet server and execute it from within the extracted agent directory.

NOTE: if your Fleet server is using TLS certificates, you need to copy the Fleet server CA certificate to some directory on the agent host and pass it with --certificate-authorities.

In our agent host, we used /etc/elasticsearch/ca/ca.crt from our Fleet server setup and placed it in the file /etc/ssl/certs/ca.crt.

sudo ./elastic-agent install -f \
--url=https://192.168.58.22:8220 \
--certificate-authorities=/etc/ssl/certs/ca.crt \
--enrollment-token=RWlxd3FIMEI5V1c4cGdBQ3dPdks6ZFpNTmp3d1BSWUtER0RJYjlwSzQtdw==
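The install command runs as root and the enrollment token is a credential, so it is worth checking the three inputs before pasting the command. The helper below is an added example written for this page, not part of the tutorial or of Elastic Agent: enroll_preflight and install_cmd are hypothetical names, and the checks encode the note above (an https Fleet URL needs a readable PEM CA file unless the server certificate already chains to a CA the host trusts; a plain-http URL would send the token unencrypted; a token pasted incompletely will not be valid base64 text).

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: check the inputs of the
# "elastic-agent install" enrollment command before running it with sudo.
# enroll_preflight and install_cmd are hypothetical helpers written for this
# page; URL, CA path and token are whatever you copied from Fleet > Add agent.
set -eu

# enroll_preflight FLEET_URL CA_FILE TOKEN
# Prints one line per problem and returns the number of problems (0 = go).
# CA_FILE may be empty only when the Fleet Server certificate chains to a CA
# the host already trusts (a private CA, as in this tutorial, must be given).
enroll_preflight() {
  local url="$1" ca="$2" token="$3" problems=0
  case "$url" in
    https://*)
      if [ -z "$ca" ]; then
        echo "https Fleet URL without --certificate-authorities: needed unless the server cert chains to a trusted CA"
        problems=$((problems+1))
      elif ! grep -q 'BEGIN CERTIFICATE' "$ca" 2>/dev/null; then
        echo "$ca is missing, unreadable or not a PEM certificate"
        problems=$((problems+1))
      fi ;;
    http://*)
      echo "plain-http Fleet URL: the enrollment token would be sent unencrypted"
      problems=$((problems+1)) ;;
    *)
      echo "unrecognised Fleet URL: $url"
      problems=$((problems+1)) ;;
  esac
  # Tokens copied from the Fleet UI are base64 text; this catches an empty or
  # truncated paste before the agent tries to use it.
  if ! printf '%s' "$token" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
    echo "enrollment token is empty or contains characters outside base64"
    problems=$((problems+1))
  fi
  return "$problems"
}

# install_cmd FLEET_URL CA_FILE TOKEN: print the exact command to run from the
# extracted archive directory (printed rather than executed, so it can be
# reviewed first; the flags are the ones used in the tutorial).
install_cmd() {
  if [ -n "$2" ]; then
    printf 'sudo ./elastic-agent install -f --url=%s --certificate-authorities=%s --enrollment-token=%s\n' "$1" "$2" "$3"
  else
    printf 'sudo ./elastic-agent install -f --url=%s --enrollment-token=%s\n' "$1" "$3"
  fi
}

# Usage: ./preflight.sh https://192.168.58.22:8220 /etc/ssl/certs/ca.crt "$TOKEN"
if [ "$#" -eq 3 ]; then
  if enroll_preflight "$1" "$2" "$3"; then
    install_cmd "$1" "$2" "$3"
  fi
fi
```

When the checks pass, the script prints the command; copy it into the agent archive directory and run it there, exactly as in the tutorial.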

Sample installation output:

2021-12-12T20:07:06.564+0300	INFO	cmd/enroll_cmd.go:442	Starting enrollment to URL: https://192.168.58.22:8220/
2021-12-12T20:07:11.089+0300	INFO	cmd/enroll_cmd.go:250	Successfully triggered restart on running Elastic Agent.
Successfully enrolled the Elastic Agent.
Elastic Agent has been successfully installed.

You can reuse the same installation command across multiple hosts.

The agent is installed under /opt/Elastic/Agent and runs as a systemd service.

ls -1 /opt/Elastic/Agent/
data
elastic-agent
elastic-agent-20211212203445
elastic-agent.reference.yml
elastic-agent.yml
elastic-agent.yml.2021-12-12T20-34-44.0411.bak
fleet.yml
fleet.yml.lock
LICENSE.txt
NOTICE.txt
README.md

Check the status of the Elastic agent:

systemctl status elastic-agent
● elastic-agent.service - Elastic Agent is a unified agent to observe, monitor and protect your system.
   Loaded: loaded (/etc/systemd/system/elastic-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2021-12-12 20:34:39 EAT; 1min 55s ago
 Main PID: 5825 (elastic-agent)
    Tasks: 10 (limit: 11388)
   Memory: 43.8M
   CGroup: /system.slice/elastic-agent.service
           └─5825 elastic-agent

Dec 12 20:34:40 rocky8 elastic-agent[5825]: 2021-12-12T20:34:40.974+0300        INFO        [api]        api/server.go:64        Metrics endpoint listening on: /opt/Elasti>
Dec 12 20:34:40 rocky8 elastic-agent[5825]: 2021-12-12T20:34:40.975+0300        INFO        application/local_mode.go:178        Agent is stopped
Dec 12 20:34:40 rocky8 elastic-agent[5825]: 2021-12-12T20:34:40.975+0300        INFO        application/periodic.go:79        Configuration changes detected
Dec 12 20:34:40 rocky8 elastic-agent[5825]: 2021-12-12T20:34:40.980+0300        INFO        stateresolver/stateresolver.go:48        New State ID is aqYAlQPW
Dec 12 20:34:40 rocky8 elastic-agent[5825]: 2021-12-12T20:34:40.981+0300        INFO        stateresolver/stateresolver.go:49        Converging state requires execution of>
Dec 12 20:34:45 rocky8 elastic-agent[5825]: 2021-12-12T20:34:45.091+0300        INFO        operation/operator.go:216        waiting for installer of pipeline 'default' to>
Dec 12 20:34:45 rocky8 elastic-agent[5825]: 2021-12-12T20:34:45.350+0300        INFO        application/periodic.go:101        No configuration change
Dec 12 20:34:45 rocky8 elastic-agent[5825]: 2021-12-12T20:34:45.350+0300        INFO        process/app.go:176        Signaling application to stop because of shutdown: me>
Dec 12 20:34:45 rocky8 elastic-agent[5825]: 2021-12-12T20:34:45.357+0300        INFO        stateresolver/stateresolver.go:48        New State ID is aqYAlQPW
Dec 12 20:34:45 rocky8 elastic-agent[5825]: 2021-12-12T20:34:45.695+0300        INFO        stateresolver/stateresolver.go:49        Converging state requires execution 

Stop the agent:

systemctl stop elastic-agent

Configure Elasticsearch – Elastic Agent TLS connection

If Elasticsearch is running on plain HTTP, the command above should just work and the agent should start sending logs to the server immediately.

However, if you set up Elasticsearch with TLS, as we did in the guide above while setting up the Fleet server, then you need to configure the Filebeat and Metricbeat instances run by Elastic Agent to connect to Elasticsearch over an encrypted and authenticated channel.

Therefore, copy the Elasticsearch CA to the agent host.

In our Fleet server setup, the certificate is /etc/elasticsearch/kifarunix-demo-fleet-server/kifarunix-demo-fleet-server.crt.

Hence, we copied it to the agent host and placed it under /etc/ssl/certs/kifarunix-demo-fleet-server.crt.

Edit both the Filebeat and Metricbeat configuration files of the Elastic agent and:

  1. Set the IP address of Elasticsearch (localhost by default).
  2. Specify the protocol (https) and the path to the Elasticsearch CA certificate when using HTTPS.
  3. Set the authenticating username and credentials. You can create a separate user and role for this purpose; in this demo setup we used the default elastic user credentials. NOTE that it is not recommended to use the superuser elastic.

Update the Filebeat configs:

vim /opt/Elastic/Agent/data/elastic-agent-4bcd95/install/filebeat-7.16.0-linux-x86_64/filebeat.yml

Update the Elasticsearch output configs:

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.58.22:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  ssl.certificate_authorities: ["/etc/ssl/certs/kifarunix-demo-fleet-server.crt"]

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "WSZdCjtgn9c8Pphd4St4"

Similarly, update the Metricbeat configs just like above:

vim /opt/Elastic/Agent/data/elastic-agent-4bcd95/install/metricbeat-7.16.0-linux-x86_64/metricbeat.yml

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.58.22:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  ssl.certificate_authorities: ["/etc/ssl/certs/kifarunix-demo-fleet-server.crt"]

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "WSZdCjtgn9c8Pphd4St4"
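Because the same output block is edited by hand in two files, a small check that the result matches the three points above (remote host means https, the CA file must exist on the agent host, and the superuser elastic should not be used) catches the usual slips. The script below is an added example written for this page, not part of the tutorial or of the Beats: check_beat_output and yml_value are hypothetical helpers that read only the flat keys shown in the output.elasticsearch section above, and the username it warns about is the one the tutorial's own note advises against.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: audit the
# output.elasticsearch section of a Beat config edited by hand, such as the
# filebeat.yml / metricbeat.yml files shown above. Hypothetical helpers written
# for this page; they understand only the flat "key: value" lines used there.
set -eu

# yml_value FILE KEY: print the scalar (or first list element) of the first
# uncommented "  KEY: value" line, with brackets and quotes stripped.
# KEY is a regular expression, so escape dots: 'ssl\.certificate_authorities'.
yml_value() {
  grep -E "^[[:space:]]*$2:[[:space:]]*" "$1" | head -n1 \
    | sed -E "s/^[[:space:]]*$2:[[:space:]]*//; s/^\[//; s/,.*$//; s/\]$//; s/^[\"']//; s/[\"']$//"
}

# check_beat_output FILE: print one finding per line and return the number of
# findings (0 = clean). The findings mirror the tutorial's own advice:
#  - a non-localhost Elasticsearch host should use protocol: https
#  - with https, ssl.certificate_authorities must name a readable CA file
#  - the built-in superuser "elastic" should not ship data; use a dedicated user
check_beat_output() {
  local file="$1" findings=0 hosts protocol ca user
  hosts="$(yml_value "$file" hosts)"
  protocol="$(yml_value "$file" protocol)"
  ca="$(yml_value "$file" 'ssl\.certificate_authorities')"
  user="$(yml_value "$file" username)"

  case "$hosts" in
    localhost*|127.0.0.1*) : ;;   # loopback traffic never leaves the host
    *)
      if [ "$protocol" != https ]; then
        echo "$file: remote Elasticsearch host '$hosts' without protocol: \"https\""
        findings=$((findings+1))
      fi ;;
  esac

  if [ "$protocol" = https ]; then
    if [ -z "$ca" ]; then
      echo "$file: protocol https but no ssl.certificate_authorities set"
      findings=$((findings+1))
    elif [ ! -r "$ca" ]; then
      echo "$file: CA file '$ca' is missing or unreadable on this host"
      findings=$((findings+1))
    fi
  fi

  if [ "$user" = elastic ]; then
    echo "$file: superuser 'elastic' used for the output; create a dedicated user and role"
    findings=$((findings+1))
  fi
  return "$findings"
}

# Usage: ./check_beat_output.sh /opt/Elastic/Agent/data/*/install/*/filebeat.yml
for f in "$@"; do
  check_beat_output "$f" || true
done
```

Run it over both files after editing; with the configuration exactly as shown in the tutorial it reports only the elastic superuser, which is the one point the tutorial itself flags as not recommended.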

Start Elastic Agent

systemctl start elastic-agent

Verify Elastic Agent Enrollment

The Elastic agents have now been installed and enrolled to the Fleet Server. Check the Fleet UI:

Agent status should at least be Healthy.


Click on the agent to view details.


Sample dashboards.

You can filter for a specific host using the respective filters in the search bar.

And that concludes our guide on how to install and enroll Elastic agents to Fleet Manager in Linux.

Also see how you can enroll and monitor Windows systems using Elastic Osquery Manager:

Monitor Windows Systems using Elastic Osquery Manager

Reference

Install Elastic Agent


2 COMMENTS

  1. Wow wow

    This is an awesome article on spinning up an elastic stack cluster. After struggling to get my elasticsearch 7.17.1 cluster right for more than 2 weeks, I found this blog and followed it carefully and all now is working.
    Keep on doing a great job.
    Thank you so much
