{"id":11116,"date":"2021-12-12T01:36:20","date_gmt":"2021-12-11T22:36:20","guid":{"rendered":"https:\/\/kifarunix.com\/?p=11116"},"modified":"2024-03-18T07:45:56","modified_gmt":"2024-03-18T04:45:56","slug":"ship-system-logs-to-elk-stack-using-elastic-agents","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/ship-system-logs-to-elk-stack-using-elastic-agents\/","title":{"rendered":"Ship System Logs to ELK Stack using Elastic Agents"},"content":{"rendered":"\n<p>This tutorial will take you through how to ship system logs to ELK stack using Elastic Agents. You might be so used to using Elastic beats such as Filebeat, metricsbeat, Winlogbeat etc. to ship log from your end points to ELK for visualization. However, Elastic has announced the general availability Elastic Agents. <em><a href=\"https:\/\/www.elastic.co\/guide\/en\/fleet\/current\/beats-agent-comparison.html#additional-capabilities-beats-and-agent\" target=\"_blank\" rel=\"noreferrer noopener\">Elastic Agent<\/a> is a single, unified agent that you deploy to hosts or containers to collect data and send it to the Elastic Stack. 
Behind the scenes, Elastic Agent runs the Beats shippers or Elastic Endpoint required for your configuration<\/em>.<\/p>\n\n\n\n<p>Read more about the capabilities of both the <a href=\"https:\/\/www.elastic.co\/guide\/en\/fleet\/current\/beats-agent-comparison.html#additional-capabilities-beats-and-agent\" target=\"_blank\" rel=\"noreferrer noopener\">Elastic Beats and Elastic Agents<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Shipping System Logs to ELK Stack with Elastic Agents<\/h2>\n\n\n\n<p>In order to collect and forward system logs to ELK stack using Elastic Agents, you need to deploy the Elastic agents.<\/p>\n\n\n\n<p>There are multiple ways in which Elastic agents can be deployed;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Install and manage Elastic Agent using Kibana Fleet UI<\/strong>: This method enables you install the agent on each monitored host and manage its lifecycle and policy\/configuration central point in Kibana Fleet UI. <em>This is, as of this writing, the recommended way to deploy Elastic Agents<\/em>.<\/li>\n\n\n\n<li><strong>Standalone mode<\/strong>: With this method, you install the agent on each monitored host and once installed, all configuration is applied to the Elastic Agent manually.<\/li>\n\n\n\n<li><strong>Install Elastic Agent in a containerized environment<\/strong><\/li>\n<\/ul>\n\n\n\n<p>So, in this setup, we will deploy Elastic agents using the recommended method.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install and manage Elastic Agents using Kibana Fleet UI<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">1. Install and Setup Elastic Stack<\/h4>\n\n\n\n<p>To begin with, you need to be having a running Elastic stack. 
You can follow the tutorials below to install Elastic stack;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-elk-stack-on-debian-11\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install ELK Stack on Debian 11<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-elk-stack-on-rocky-linux-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install ELK Stack on Rocky Linux 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-elastic-elk-stack-on-ubuntu-20-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install ELK Stack on Ubuntu 20.04<\/a><\/p>\n\n\n\n<p>In our setup, we are running ELK stack v 7.16.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">2. Configure Basic Security for Elastic Stack<\/h4>\n\n\n\n<p>Next, you need to configure secure, encrypted connections in the Elastic stack.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Stop Kibana and Elasticsearch<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl stop elasticsearch kibana<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable some of the Elasticsearch security features by running the command below. 
Run this command on each Elasticsearch node.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>echo -e \"xpack.security.enabled: true\\nxpack.security.authc.api_key.enabled: true\" &gt;&gt; \/etc\/elasticsearch\/elasticsearch.yml<\/code><\/pre>\n\n\n\n<p>Next, start Elasticsearch;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl start elasticsearch<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create passwords for Elastic stack built-in users<\/li>\n<\/ul>\n\n\n\n<p>Use the command <code><strong>\/usr\/share\/elasticsearch\/bin\/elasticsearch-setup-passwords<\/strong><\/code> to generate the passwords.<\/p>\n\n\n\n<p>See how to use the command by passing the <code>-h<\/code> option.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-setup-passwords -h<\/code><\/pre>\n\n\n\n<p>To use randomly generated passwords, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"y\" | \/usr\/share\/elasticsearch\/bin\/elasticsearch-setup-passwords auto<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.\nThe passwords will be randomly generated and printed to the console.\n\n\nChanged password for user apm_system\nPASSWORD apm_system = 0ULOnDiadDDpLehYPDI3\n\nChanged password for user kibana_system\nPASSWORD kibana_system = 1LaDy3SBeDRKhvXpZG1A\n\nChanged password for user kibana\nPASSWORD kibana = 1LaDy3SBeDRKhvXpZG1A\n\nChanged password for user logstash_system\nPASSWORD logstash_system = YHvf3EtvaIrcX4xSrIoK\n\nChanged password for user beats_system\nPASSWORD beats_system = mw4LN3BurdA3qwrDMk4P\n\nChanged password for user remote_monitoring_user\nPASSWORD remote_monitoring_user = XpRuM8iFlXJWMj3HP97J\n\nChanged password for user elastic\nPASSWORD elastic = WSZdCjtgn9c8Pphd4St4\n<\/code><\/pre>\n\n\n\n<p>For 
now, we are only interested in passwords for the users: <strong><code>elastic<\/code><\/strong> and <strong><code>kibana_system<\/code><\/strong>.<\/p>\n\n\n\n<p>Be sure to save all these passwords, as they will be needed later.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable authenticated connection between Kibana and Elasticsearch<\/li>\n<\/ul>\n\n\n\n<p>When Elastic security features are enabled, Kibana has to connect to Elasticsearch using valid credentials.<\/p>\n\n\n\n<p>In this case, it uses the username <strong><code>kibana_system<\/code><\/strong> and its password from the command output above, <strong><code>1LaDy3SBeDRKhvXpZG1A<\/code><\/strong>.<\/p>\n\n\n\n<p>Add the password to the Kibana keystore instead of storing it in plain text in the configuration file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/kibana\/bin\/kibana-keystore create<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/kibana\/bin\/kibana-keystore add elasticsearch.password<\/code><\/pre>\n\n\n\n<p>When prompted, enter the password for the <strong><code>kibana_system<\/code><\/strong> user.<\/p>\n\n\n\n<p>Next, define the Kibana username by uncommenting the line, <strong><code>elasticsearch.username<\/code><\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/\\.username\/s\/^#\/\/' \/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define the Kibana saved objects encryption key value, <code>xpack.encryptedSavedObjects.encryptionKey: <strong>value<\/strong><\/code>. This is required by Fleet <em>to save API keys and encrypt them in Kibana<\/em>.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/kibana\/bin\/kibana-encryption-keys generate -q<\/code><\/pre>\n\n\n\n<p>This command generates a number of encryption keys. 
We only need <code>xpack.encryptedSavedObjects.encryptionKey<\/code>.<\/p>\n\n\n\n<p>Add the line to the kibana.yml config (the key value below is the one generated in our setup; use your own generated key);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo \"xpack.encryptedSavedObjects.encryptionKey: f5021271183cff711f40f41686bb1a46\" &gt;&gt; \/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start Kibana<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl start kibana<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Log in to Kibana as the&nbsp;<code>elastic<\/code>&nbsp;user<\/li>\n<\/ul>\n\n\n\n<p>Kibana now prompts for a username and password before you can log in. Use the <code>elastic<\/code> user and its password generated above.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1028\" height=\"685\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/kibana-login.png\" alt=\"\" class=\"wp-image-11117\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/kibana-login.png?v=1639211270 1028w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/kibana-login-768x512.png?v=1639211270 768w\" sizes=\"(max-width: 1028px) 100vw, 1028px\" \/><\/figure><\/div>\n\n\n<h4 class=\"wp-block-heading\">3. 
Setup Elastic Fleet<\/h4>\n\n\n\n<p>Once logged into Kibana, navigate to menu &gt; Management &gt; Fleet.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1328\" height=\"810\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-menu.png\" alt=\"Ship System Logs to ELK Stack using Elastic Agents\" class=\"wp-image-11129\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-menu.png?v=1639260628 1328w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-menu-768x468.png?v=1639260628 768w\" sizes=\"(max-width: 1328px) 100vw, 1328px\" \/><\/figure>\n\n\n\n<p>When you click on Fleet, the Fleet configuration interface opens up. It takes a while to load fully, for the first time.<\/p>\n\n\n\n<p>Ensure that your Kibana server has <strong>internet connection<\/strong> as it requires to download and install integration packages from the Elastic Package Registry.<\/p>\n\n\n\n<p>Once it loads, this is how it looks;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1902\" height=\"819\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-ui.png\" alt=\"\" class=\"wp-image-11128\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-ui.png?v=1639260583 1902w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-ui-768x331.png?v=1639260583 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-ui-1536x661.png?v=1639260583 1536w\" sizes=\"(max-width: 1902px) 100vw, 1902px\" \/><\/figure>\n\n\n\n<p>Click on <strong>Fleet Settings<\/strong> at the top right corner and;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define the Fleet Server URL. By default, Fleet server listens on port <strong>8220\/tcp<\/strong>. The agents will connect to the Fleet server using this URL.<\/li>\n\n\n\n<li>Define Elasticsearch output URL. 
The agents will ship logs to Elasticsearch via this URL.<\/li>\n\n\n\n<li><strong>NOTE<\/strong> the use of <strong>HTTPS<\/strong> in the url. We will configure Fleet server in production mode and hence we will generate our own TLS certificates.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1706\" height=\"864\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-server-elk-url.png\" alt=\"\" class=\"wp-image-11130\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-server-elk-url.png?v=1639260677 1706w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-server-elk-url-768x389.png?v=1639260677 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-server-elk-url-1536x778.png?v=1639260677 1536w\" sizes=\"(max-width: 1706px) 100vw, 1706px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span style=\"color: initial;\">Click <\/span><strong style=\"color: initial;\">Save and Apply the settings<\/strong><span style=\"color: initial;\"> to save the changes.<\/span><\/li>\n\n\n\n<li>Ensure these ports are opened on the firewall to allow remote agents to connect.<\/li>\n<\/ul>\n\n\n\n<p>Next, add a Fleet Server. <em>Fleet server is required before you can enroll agents with Fleet<\/em>.<\/p>\n\n\n\n<p>To add a Fleet server;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate to <strong>Agents<\/strong> tab on Fleet interface<\/li>\n\n\n\n<li>Choose an <strong>Agent policy<\/strong>. We will go with the default Policy.<\/li>\n\n\n\n<li>Download and install Fleet server Elastic agent.<\/li>\n<\/ul>\n\n\n\n<p>By Clicking on the download link provided, you are taken to a web page where you can download the Fleet server Elastic agent installer.<\/p>\n\n\n\n<p>In my current setup, ELK stack is running on Debian 11. 
Hence, we use the DEB binary installer;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/artifacts.elastic.co\/downloads\/beats\/elastic-agent\/elastic-agent-7.16.0-amd64.deb\napt install .\/elastic-agent-7.16.0-amd64.deb<\/code><\/pre>\n\n\n\n<p>If you have Elastic repos in place, you should be able to install straight from those repos;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install elastic-agent -y<\/code><\/pre>\n\n\n\n<p><strong>The method of installation will determine how you start the Fleet server.<\/strong> If you used the TAR file, you can start the Fleet server from the archive with the command <code>.\/elastic-agent install...<\/code>. If you used the DEB or RPM binary or installed from the repos, then start the Fleet server using the <code>elastic-agent enroll...<\/code> command.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Choose a deployment mode for security.<\/li>\n<\/ul>\n\n\n\n<p>In this setup, we will use the <strong>production<\/strong> mode. Hence, we need to generate the TLS certs.<\/p>\n\n\n\n<p>Generate a CA.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-certutil ca --pem --out \/etc\/elasticsearch\/elastic-stack-ca.zip --days 3650<\/code><\/pre>\n\n\n\n<p>A zip file with the CA is placed under <code>\/etc\/elasticsearch\/elastic-stack-ca.zip<\/code>.<\/p>\n\n\n\n<p>Navigate to this directory and extract the CA;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd \/etc\/elasticsearch\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>unzip elastic-stack-ca.zip<\/code><\/pre>\n\n\n\n<p>You now have a directory called ca, with your CA cert and key;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -1 $PWD\/ca\/*<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/etc\/elasticsearch\/ca\/ca.crt\n\/etc\/elasticsearch\/ca\/ca.key<\/code><\/pre>\n\n\n\n<p>Next, generate certificates using the CA above. <em>The command prompts you to enter the name of the zip file in which to store the certs. 
Press enter to go with default.<\/em><\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-certutil cert \\\n--name kifarunix-demo-fleet-server \\\n--ca-cert \/etc\/elasticsearch\/ca\/ca.crt \\\n--ca-key \/etc\/elasticsearch\/ca\/ca.key \\\n--dns elk.kifarunix-demo.com \\\n--ip 192.168.58.22 \\\n--days 3650 \\\n--out \/etc\/elasticsearch\/certificate-bundle.zip \\\n--pem\n<\/code><\/pre>\n\n\n\n<p>Extract the certs;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>unzip certificate-bundle.zip<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -1 $PWD\/kifarunix-demo-fleet-server\/*<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\/etc\/elasticsearch\/kifarunix-demo-fleet-server\/kifarunix-demo-fleet-server.crt\n\/etc\/elasticsearch\/kifarunix-demo-fleet-server\/kifarunix-demo-fleet-server.key<\/code><\/pre>\n\n\n\n<p>Next, enable Elasticsearch HTTPS connection;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat >> \/etc\/elasticsearch\/elasticsearch.yml << 'EOL'\nxpack.security.http.ssl.verification_mode: certificate\nxpack.security.http.ssl.key: kifarunix-demo-fleet-server\/kifarunix-demo-fleet-server.key\nxpack.security.http.ssl.certificate: kifarunix-demo-fleet-server\/kifarunix-demo-fleet-server.crt\nxpack.security.http.ssl.certificate_authorities: ca\/ca.crt\nEOL\n<\/code><\/pre>\n\n\n\n<p>Restart Elasticsearch;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl stop elasticsearch<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl start elasticsearch<\/code><\/pre>\n\n\n\n<p>Enable Kibana Elasticsearch HTTPS connection as well;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cp \/etc\/elasticsearch\/ca\/ca.crt \/etc\/kibana\/<\/code><\/pre>\n\n\n\n<p>Update the path to the CA cert.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/elasticsearch.ssl.certificateAuthorities:\/s\/^#\/\/;\/elasticsearch.ssl.certificateAuthorities:\/s\/\".*.\"\/\\\/etc\\\/kibana\\\/ca.crt\/' 
\/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n<p>Set the Elasticsearch URL to https;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sed -i '\/:9200\/s\/http\/https\/' \/etc\/kibana\/kibana.yml<\/code><\/pre>\n\n\n\n<p>Stop and start Kibana;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl stop kibana<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl start kibana<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add the Fleet Server host and set the Elasticsearch TLS certificates<\/li>\n<\/ul>\n\n\n\n<p>Once Elasticsearch and Kibana are up, log back in to Kibana and define the IP address of the Fleet server host. <strong>NOTE<\/strong> <em>if you already added the Fleet server above, skip this step.<\/em><\/p>\n\n\n\n<p>Next, click <strong>Fleet Settings<\/strong> and add the TLS certificates generated above under <strong>Elasticsearch output configuration (YAML)<\/strong>. See screenshot below;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1688\" height=\"616\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-elasticsearch-ca-cert.png\" alt=\"\" class=\"wp-image-11131\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-elasticsearch-ca-cert.png?v=1639260885 1688w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-elasticsearch-ca-cert-768x280.png?v=1639260885 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-elasticsearch-ca-cert-1536x561.png?v=1639260885 1536w\" sizes=\"(max-width: 1688px) 100vw, 1688px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Generate a service token which allows Fleet Server to write to Elasticsearch;<\/li>\n<\/ul>\n\n\n\n<p>Sample token;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2MzkyNTMzMjE4ODY6dVloNERYWlVUQVctbHR5VDlNSmNlQQ<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Start Fleet 
Server<\/li>\n<\/ul>\n\n\n\n<p>If you downloaded the TAR of the Elastic Agent, extract and run the command below from within the Elastic agent archive folder;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>cd elastic-agent-7.16.0-linux-x86_64\/\nsudo .\/elastic-agent install -f --url=https:\/\/192.168.58.22:8220 \\\n  --fleet-server-es=https:\/\/192.168.58.22:9200 \\\n  --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2MzkyNTY0MTk5NDg6NjJOR1hua0xRcXFpb2J0VmlHWmRGZw \\\n  --fleet-server-policy=7ffb6ea0-5a5f-11ec-a136-bbf180de0c1d \\\n  --certificate-authorities=\/etc\/elasticsearch\/ca\/ca.crt \\\n  --fleet-server-es-ca=\/etc\/elasticsearch\/ca\/ca.crt \\\n  --fleet-server-cert=\/etc\/elasticsearch\/kifarunix-demo-fleet-server\/kifarunix-demo-fleet-server.crt \\\n  --fleet-server-cert-key=\/etc\/elasticsearch\/kifarunix-demo-fleet-server\/kifarunix-demo-fleet-server.key\n<\/code><\/pre>\n\n\n\n<p>If you installed the Elastic agent already using the DEB\/RPM or from the Elastic repo using the package manager, start the Fleet server using the command;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>sudo elastic-agent enroll -f --url=https:\/\/192.168.58.22:8220 \\\n  --fleet-server-es=https:\/\/192.168.58.22:9200 \\\n  --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2MzkyNTY0MTk5NDg6NjJOR1hua0xRcXFpb2J0VmlHWmRGZw \\\n  --fleet-server-policy=7ffb6ea0-5a5f-11ec-a136-bbf180de0c1d \\\n  --certificate-authorities=\/etc\/elasticsearch\/ca\/ca.crt \\\n  --fleet-server-es-ca=\/etc\/elasticsearch\/ca\/ca.crt \\\n  --fleet-server-cert=\/etc\/elasticsearch\/kifarunix-demo-fleet-server\/kifarunix-demo-fleet-server.crt \\\n  --fleet-server-cert-key=\/etc\/elasticsearch\/kifarunix-demo-fleet-server\/kifarunix-demo-fleet-server.key\n<\/code><\/pre>\n\n\n\n<p>Sample Agent enrollment output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>2021-12-12T00:00:49.379+0300\tINFO\tcmd\/enroll_cmd.go:555\tSpawning Elastic Agent daemon as a subprocess to 
complete bootstrap process.\n2021-12-12T00:00:49.561+0300\tINFO\tapplication\/application.go:67\tDetecting execution mode\n2021-12-12T00:00:49.564+0300\tINFO\tapplication\/application.go:88\tAgent is in Fleet Server bootstrap mode\n2021-12-12T00:00:49.799+0300\tINFO\t[api]\tapi\/server.go:62\tStarting stats endpoint\n2021-12-12T00:00:49.799+0300\tINFO\tapplication\/fleet_server_bootstrap.go:130\tAgent is starting\n2021-12-12T00:00:49.800+0300\tINFO\t[api]\tapi\/server.go:64\tMetrics endpoint listening on: \/var\/lib\/elastic-agent\/data\/tmp\/elastic-agent.sock (configured: unix:\/\/\/var\/lib\/elastic-agent\/data\/tmp\/elastic-agent.sock)\n2021-12-12T00:00:49.800+0300\tINFO\tapplication\/fleet_server_bootstrap.go:140\tAgent is stopped\n2021-12-12T00:00:49.802+0300\tINFO\tstateresolver\/stateresolver.go:48\tNew State ID is zS4iwuzb\n2021-12-12T00:00:49.802+0300\tINFO\tstateresolver\/stateresolver.go:49\tConverging state requires execution of 1 step(s)\n2021-12-12T00:00:49.857+0300\tINFO\toperation\/operator.go:284\toperation 'operation-install' skipped for fleet-server.7.16.0\n2021-12-12T00:00:50.028+0300\tINFO\tstateresolver\/stateresolver.go:66\tUpdating internal state\n2021-12-12T00:00:50.028+0300\tINFO\tlog\/reporter.go:40\t2021-12-12T00:00:50+03:00 - message: Application: fleet-server--7.16.0[]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'\n2021-12-12T00:00:50.384+0300\tINFO\tcmd\/enroll_cmd.go:760\tFleet Server - Starting\n2021-12-12T00:00:51.575+0300\tWARN\tstatus\/reporter.go:236\tElastic Agent status changed to: 'degraded'\n2021-12-12T00:00:51.576+0300\tINFO\tlog\/reporter.go:40\t2021-12-12T00:00:51+03:00 - message: Application: fleet-server--7.16.0[]: State changed to DEGRADED: Running on policy with Fleet Server integration: 7ffb6ea0-5a5f-11ec-a136-bbf180de0c1d; missing config fleet.agent.id (expected during bootstrap process) - type: 'STATE' - sub_type: 
'RUNNING'\n2021-12-12T00:00:52.386+0300\tINFO\tcmd\/enroll_cmd.go:741\tFleet Server - Running on policy with Fleet Server integration: 7ffb6ea0-5a5f-11ec-a136-bbf180de0c1d; missing config fleet.agent.id (expected during bootstrap process)\n2021-12-12T00:00:53.096+0300\tINFO\tcmd\/enroll_cmd.go:442\tStarting enrollment to URL: https:\/\/192.168.58.22:8220\/\n2021-12-12T00:01:02.899+0300\tINFO\tcmd\/enroll_cmd.go:254\tElastic Agent has been enrolled; start Elastic Agent\nSuccessfully enrolled the Elastic Agent.\n2021-12-12T00:01:02.900+0300\tINFO\tcmd\/run.go:184\tShutting down Elastic Agent and sending last events...\n2021-12-12T00:01:02.900+0300\tINFO\toperation\/operator.go:216\twaiting for installer of pipeline 'default' to finish\n2021-12-12T00:01:02.900+0300\tINFO\tprocess\/app.go:176\tSignaling application to stop because of shutdown: fleet-server--7.16.0\n2021-12-12T00:01:04.431+0300\tINFO\tstatus\/reporter.go:236\tElastic Agent status changed to: 'online'\n2021-12-12T00:01:04.431+0300\tINFO\tlog\/reporter.go:40\t2021-12-12T00:01:04+03:00 - message: Application: fleet-server--7.16.0[]: State changed to STOPPED: Stopped - type: 'STATE' - sub_type: 'STOPPED'\n2021-12-12T00:01:04.431+0300\tINFO\tcmd\/run.go:192\tShutting down completed.\n2021-12-12T00:01:04.432+0300\tINFO\t[api]\tapi\/server.go:66\tStats endpoint (\/var\/lib\/elastic-agent\/data\/tmp\/elastic-agent.sock) finished: accept unix \/var\/lib\/elastic-agent\/data\/tmp\/elastic-agent.sock: use of closed network connection\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Next, start and enable Elastic Agent to run on system boot;<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl enable --now elastic-agent<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Navigate back to the Kibana Fleet interface and you should see that the Fleet server is now connected.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1783\" 
height=\"867\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/Fleet-server-running.png\" alt=\"\" class=\"wp-image-11132\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/Fleet-server-running.png?v=1639260920 1783w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/Fleet-server-running-768x373.png?v=1639260920 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/Fleet-server-running-1536x747.png?v=1639260920 1536w\" sizes=\"(max-width: 1783px) 100vw, 1783px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Click <strong>Continue<\/strong> to go back to Agents tab. You should see that the Fleet host server Elastic agent is connected and status healthy.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1850\" height=\"636\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-agents.png\" alt=\"\" class=\"wp-image-11133\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-agents.png?v=1639260973 1850w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-agents-768x264.png?v=1639260973 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-agents-1536x528.png?v=1639260973 1536w\" sizes=\"(max-width: 1850px) 100vw, 1850px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Viewing Logs Collected by Elastic Agent on Fleet Manager<\/h3>\n\n\n\n<p>Click on Data streams to view data collected.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1792\" height=\"714\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-data-streams.png\" alt=\"\" class=\"wp-image-11134\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-data-streams.png?v=1639261724 1792w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-data-streams-768x306.png?v=1639261724 768w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-data-streams-1536x612.png?v=1639261724 1536w\" sizes=\"(max-width: 1792px) 100vw, 1792px\" \/><\/figure>\n\n\n\n<p>You can view dashboards associated with each data set by clicking actions &gt; view dashboards.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1892\" height=\"891\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-host-metrics.png\" alt=\"\" class=\"wp-image-11135\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-host-metrics.png?v=1639261748 1892w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-host-metrics-768x362.png?v=1639261748 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/fleet-host-metrics-1536x723.png?v=1639261748 1536w\" sizes=\"(max-width: 1892px) 100vw, 1892px\" \/><\/figure>\n\n\n\n<p>In our next tutorial, we will learn how to install and enroll remote Elastic agents on Fleet manager.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-enroll-elastic-agents-to-fleet-manager-in-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Enroll Elastic Agents to Fleet Manager in Linux<\/a><\/p>\n\n\n\n<p>Reference<\/p>\n\n\n\n<p><a href=\"https:\/\/www.elastic.co\/guide\/en\/fleet\/current\/install-fleet-managed-elastic-agent.html\" target=\"_blank\" rel=\"noreferrer noopener\">Setup Fleet Manager on ELK<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/detect-changes-to-critical-files-in-linux-using-auditbeat-and-elk\/\" target=\"_blank\" rel=\"noreferrer noopener\">Detect Changes to Critical Files in Linux using Auditbeat and ELK<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-elk-stack-alerting-with-elastalert\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure ELK Stack Alerting with ElastAlert<\/a><\/p>\n\n\n\n<p><a 
href=\"https:\/\/kifarunix.com\/enable-kibana-https-connection\/\" target=\"_blank\" rel=\"noreferrer noopener\">Quick Way to Enable Kibana HTTPS Connection<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This tutorial will take you through how to ship system logs to ELK stack using Elastic Agents. You might be so used to using Elastic<\/p>\n","protected":false},"author":3,"featured_media":11131,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,910,121,34],"tags":[4355,4359,913,4360,4357,4356,4358,4366,4354],"class_list":["post-11116","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-elastic-stack","category-howtos","category-security","tag-configure-fleet-in-elk","tag-elastic-agents","tag-elk","tag-elk-fleet-manager","tag-elk-stack-elastic-agents","tag-elk-stack-fleet-manager","tag-setup-elastic-agents","tag-setup-fleet-server-on-elk","tag-ship-system-logs-to-elk-stack-using-elastic-agents","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11116"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=11116"}],"version-history":[{"count":16,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11116\/revisions"}],"predecessor-version":[{"id":21587,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11116\/revisions\/21587"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/11131"}],"wp:attachment":[{"href":"https:\/
\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=11116"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=11116"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=11116"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}