{"id":11138,"date":"2021-12-13T20:10:02","date_gmt":"2021-12-13T17:10:02","guid":{"rendered":"https:\/\/kifarunix.com\/?p=11138"},"modified":"2024-03-18T07:44:30","modified_gmt":"2024-03-18T04:44:30","slug":"install-and-enroll-elastic-agents-to-fleet-manager-in-linux","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-enroll-elastic-agents-to-fleet-manager-in-linux\/","title":{"rendered":"Install and Enroll Elastic Agents to Fleet Manager in Linux"},"content":{"rendered":"\n<p>This tutorial will take you through how you can install and enroll Elastic agents to Fleet manager in Linux. According to Elastic <a href=\"https:\/\/www.elastic.co\/guide\/en\/fleet\/current\/fleet-overview.html\" target=\"_blank\" rel=\"noreferrer noopener\">Fleet and Elastic Agent overview page<\/a>;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em><strong>Elastic Agent<\/strong> is a single, unified way to add monitoring for logs, metrics, and other types of data to each host. A single agent makes it easier and faster to deploy monitoring across your infrastructure. The agent\u2019s single, unified policy makes it easier to add integrations for new data sources<\/em>.<\/li>\n\n\n\n<li><em><strong>Fleet<\/strong> provides a web-based UI in Kibana to add and manage integrations for popular services and platforms, as well as manage a fleet of Elastic Agents.<\/em><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"install-and-enroll-elastic-agents-to-fleet-manager-in-linux\">Installing Elastic Agents to Fleet Manager in Linux<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"setup-elastic-fleet-server\">Setup Elastic Fleet Server<\/h3>\n\n\n\n<p>In our previous tutorial, we learned how to ship logs to ELK stack using Elastic agents. 
The guide focused on setting up Fleet Server and installing Elastic agent on the Fleet server.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/ship-system-logs-to-elk-stack-using-elastic-agents\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ship System Logs to ELK Stack using Elastic Agents<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-elastic-agent-on-remote-hosts-to-monitor\">Install Elastic Agent on Remote Hosts to Monitor<\/h3>\n\n\n\n<p>In this example setup, we have two remote hosts to monitor; Debian 11 and Rocky Linux systems.<\/p>\n\n\n\n<p>There are various ways in which you can install Elastic agents;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Using Tar archive<\/li>\n\n\n\n<li>Using DEB or RPM binary<\/li>\n\n\n\n<li>Install directly from Elastic repositories.<\/li>\n<\/ol>\n\n\n\n<p>In Linux systems, it is recommended to install Elastic agent using the TAR archive over system packages (RPM\/DEB) as it makes it easy to upgrade the agent in Fleet.<\/p>\n\n\n\n<p>Thus, we will be installing our Elastic agents in Linux using this method.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"download-elastic-agent-tar-archive\">Download Elastic Agent Tar Archive<\/h4>\n\n\n\n<p>Navigate to <a href=\"https:\/\/www.elastic.co\/downloads\/past-releases\/elastic-agent-7-16-0\" target=\"_blank\" rel=\"noreferrer noopener\">Elastic Agents downloads<\/a> page and grab the installer for your respective system architecture.<\/p>\n\n\n\n<p>The command below downloads Elastic Agent v7.16.0 for x86_64 systems;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget https:\/\/artifacts.elastic.co\/downloads\/beats\/elastic-agent\/elastic-agent-7.16.0-linux-x86_64.tar.gz<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"extract-the-installer\">Extract the installer<\/h4>\n\n\n\n<p>Once download is complete, extract the installer;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tar xzf elastic-agent-7.16.0-linux-x86_64.tar.gz<\/code><\/pre>\n\n\n\n<h4 
class=\"wp-block-heading\" id=\"add-elastic-agent-to-fleet\">Add Elastic Agent to Fleet<\/h4>\n\n\n\n<p>Next, log back in to Kibana and head over to <strong>Fleet &gt; Agents &gt; Add agent<\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Choose the default agent policy already defined<\/li>\n\n\n\n<li>Skip the agent installer download as this is already done above.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1536\" height=\"859\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/add-fleet-agent.png\" alt=\"Install and Enroll Elastic Agents to Fleet Manager in Linux\" class=\"wp-image-11150\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/add-fleet-agent.png?v=1639413728 1536w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/add-fleet-agent-768x430.png?v=1639413728 768w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"enroll-elastic-agent-into-fleet-server\">Enroll Elastic Agent into Fleet Server<\/h4>\n\n\n\n<p>Copy the enrollment command and run it on the remote host where you are installing the agent.<\/p>\n\n\n\n<p>In my case, the command looks like this;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo .\/elastic-agent install --url=https:\/\/192.168.58.22:8220 --enrollment-token=RWlxd3FIMEI5V1c4cGdBQ3dPdks6ZFpNTmp3d1BSWUtER0RJYjlwSzQtdw==<\/code><\/pre>\n\n\n\n<p>On the remote host where you downloaded the Elastic agent installer, navigate to the agent installer directory;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd elastic-agent-7.16.0-linux-x86_64\/<\/code><\/pre>\n\n\n\n<p>Paste the copied agent installation and enrollment command from the Fleet server and execute it within the agent archive directory.<\/p>\n\n\n\n<p><strong>NOTE<\/strong>: if your Fleet server is using TLS certificates, you need to copy the Fleet server CA to some directory on the agent host.<\/p>\n\n\n\n<p>In our 
agent host, we used <strong><code>\/etc\/elasticsearch\/ca\/ca.crt<\/code><\/strong> from our Fleet server setup and placed it in the file <strong><code>\/etc\/ssl\/certs\/ca.crt<\/code><\/strong>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>sudo .\/elastic-agent install -f \\\n--url=https:\/\/192.168.58.22:8220 \\\n--certificate-authorities=\/etc\/ssl\/certs\/ca.crt \\\n--enrollment-token=RWlxd3FIMEI5V1c4cGdBQ3dPdks6ZFpNTmp3d1BSWUtER0RJYjlwSzQtdw==\n<\/code><\/pre>\n\n\n\n<p>Sample installation output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>2021-12-12T20:07:06.564+0300\tINFO\tcmd\/enroll_cmd.go:442\tStarting enrollment to URL: https:\/\/192.168.58.22:8220\/\n2021-12-12T20:07:11.089+0300\tINFO\tcmd\/enroll_cmd.go:250\tSuccessfully triggered restart on running Elastic Agent.\nSuccessfully enrolled the Elastic Agent.\nElastic Agent has been successfully installed.\n<\/code><\/pre>\n\n\n\n<p>You can reuse the same installation command across multiple hosts.<\/p>\n\n\n\n<p>The agent will be installed at <strong><code>\/opt\/Elastic\/Agent<\/code><\/strong> and will run as a service.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -1 \/opt\/Elastic\/Agent\/<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>data\nelastic-agent\nelastic-agent-20211212203445\nelastic-agent.reference.yml\nelastic-agent.yml\nelastic-agent.yml.2021-12-12T20-34-44.0411.bak\nfleet.yml\nfleet.yml.lock\nLICENSE.txt\nNOTICE.txt\nREADME.md\n<\/code><\/pre>\n\n\n\n<p>Checking the status of the Elastic agent;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl status elastic-agent<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\u25cf elastic-agent.service - Elastic Agent is a unified agent to observe, monitor and protect your system.\n   Loaded: loaded (\/etc\/systemd\/system\/elastic-agent.service; enabled; vendor preset: disabled)\n   Active: active (running) since Sun 2021-12-12 20:34:39 EAT; 1min 55s ago\n Main PID: 5825 (elastic-agent)\n    Tasks: 10 (limit: 11388)\n   
Memory: 43.8M\n   CGroup: \/system.slice\/elastic-agent.service\n           \u2514\u25005825 elastic-agent\n\nDec 12 20:34:40 rocky8 elastic-agent[5825]: 2021-12-12T20:34:40.974+0300        INFO        [api]        api\/server.go:64        Metrics endpoint listening on: \/opt\/Elasti&gt;\nDec 12 20:34:40 rocky8 elastic-agent[5825]: 2021-12-12T20:34:40.975+0300        INFO        application\/local_mode.go:178        Agent is stopped\nDec 12 20:34:40 rocky8 elastic-agent[5825]: 2021-12-12T20:34:40.975+0300        INFO        application\/periodic.go:79        Configuration changes detected\nDec 12 20:34:40 rocky8 elastic-agent[5825]: 2021-12-12T20:34:40.980+0300        INFO        stateresolver\/stateresolver.go:48        New State ID is aqYAlQPW\nDec 12 20:34:40 rocky8 elastic-agent[5825]: 2021-12-12T20:34:40.981+0300        INFO        stateresolver\/stateresolver.go:49        Converging state requires execution of&gt;\nDec 12 20:34:45 rocky8 elastic-agent[5825]: 2021-12-12T20:34:45.091+0300        INFO        operation\/operator.go:216        waiting for installer of pipeline 'default' to&gt;\nDec 12 20:34:45 rocky8 elastic-agent[5825]: 2021-12-12T20:34:45.350+0300        INFO        application\/periodic.go:101        No configuration change\nDec 12 20:34:45 rocky8 elastic-agent[5825]: 2021-12-12T20:34:45.350+0300        INFO        process\/app.go:176        Signaling application to stop because of shutdown: me&gt;\nDec 12 20:34:45 rocky8 elastic-agent[5825]: 2021-12-12T20:34:45.357+0300        INFO        stateresolver\/stateresolver.go:48        New State ID is aqYAlQPW\nDec 12 20:34:45 rocky8 elastic-agent[5825]: 2021-12-12T20:34:45.695+0300        INFO        stateresolver\/stateresolver.go:49        Converging state requires execution \n<\/code><\/pre>\n\n\n\n<p>Stop the agent;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl stop elastic-agent<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" 
id=\"configure-elasticsearch-elastic-agent-tls-connection\">Configure Elasticsearch &#8211; Elastic Agent TLS connection<\/h4>\n\n\n\n<p>If Elasticsearch is running on HTTP, the command above should just work and the agent should start sending logs immediately to the server.<\/p>\n\n\n\n<p>However, if you set up Elasticsearch with TLS as we did in our guide above while setting up Fleet server, then you need to configure Elastic agent Filebeat and Metricbeat to connect to Elasticsearch via an encrypted and authenticated channel.<\/p>\n\n\n\n<p>Therefore, copy the Elasticsearch CA to the agent host.<\/p>\n\n\n\n<p>In our Fleet server setup, the cert is <strong><code>\/etc\/elasticsearch\/kifarunix-demo-fleet-server\/kifarunix-demo-fleet-server.crt<\/code><\/strong>.<\/p>\n\n\n\n<p>Hence, we copied and placed it on the agent host under <code><strong>\/etc\/ssl\/certs\/kifarunix-demo-fleet-server.crt<\/strong><\/code>.<\/p>\n\n\n\n<p>Edit both the Elastic agent Filebeat and Metricbeat configuration files and;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Set the IP address of Elasticsearch (localhost by default).<\/li>\n\n\n\n<li>Specify the protocol (<strong>https<\/strong>) and the path to the Elasticsearch CA cert if using the HTTPS protocol<\/li>\n\n\n\n<li>Set the authenticating username and credentials (<strong>You can create a separate user and roles for this purpose<\/strong>. But in this demo setup, we used the default Elastic user credentials. 
<strong>NOTE that it is not recommended<\/strong> to use the superuser elastic).<\/li>\n<\/ol>\n\n\n\n<p>Update Filebeat configs;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/opt\/Elastic\/Agent\/data\/elastic-agent-4bcd95\/install\/filebeat-7.16.0-linux-x86_64\/filebeat.yml<\/code><\/pre>\n\n\n\n<p>Update Elasticsearch output configs;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code># ---------------------------- Elasticsearch Output ----------------------------\noutput.elasticsearch:\n  # Array of hosts to connect to.\n  hosts: [\"192.168.58.22:9200\"]\n\n  # Protocol - either `http` (default) or `https`.\n  protocol: \"https\"\n  ssl.certificate_authorities: [\"\/etc\/ssl\/certs\/kifarunix-demo-fleet-server.crt\"]\n\n  # Authentication credentials - either API key or username\/password.\n  #api_key: \"id:api_key\"\n  username: \"elastic\"\n  password: \"WSZdCjtgn9c8Pphd4St4\"\n<\/code><\/pre>\n\n\n\n<p>Similarly, update the Metricbeat configs just like above;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/opt\/Elastic\/Agent\/data\/elastic-agent-4bcd95\/install\/metricbeat-7.16.0-linux-x86_64\/metricbeat.yml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code># ---------------------------- Elasticsearch Output ----------------------------\noutput.elasticsearch:\n  # Array of hosts to connect to.\n  hosts: [\"192.168.58.22:9200\"]\n\n  # Protocol - either `http` (default) or `https`.\n  protocol: \"https\"\n  ssl.certificate_authorities: [\"\/etc\/ssl\/certs\/kifarunix-demo-fleet-server.crt\"]\n\n  # Authentication credentials - either API key or username\/password.\n  #api_key: \"id:api_key\"\n  username: \"elastic\"\n  password: \"WSZdCjtgn9c8Pphd4St4\"\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"start-elastic-agent\">Start Elastic Agent<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl start elastic-agent<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verify-elastic-agent-enrollment\">Verify Elastic Agent 
Enrollment<\/h3>\n\n\n\n<p>The Elastic agents have now been installed and enrolled to the Fleet Server. Check on the Fleet UI;<\/p>\n\n\n\n<p>Agent status should at least be <strong>Healthy<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1808\" height=\"644\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/elastic-agents-status.png\" alt=\"\" class=\"wp-image-11151\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/elastic-agents-status.png?v=1639414007 1808w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/elastic-agents-status-768x274.png?v=1639414007 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/elastic-agents-status-1536x547.png?v=1639414007 1536w\" sizes=\"(max-width: 1808px) 100vw, 1808px\" \/><\/figure>\n\n\n\n<p>Click on the agent to view details.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1641\" height=\"884\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/elastic-agent-details.png\" alt=\"\" class=\"wp-image-11152\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/elastic-agent-details.png?v=1639414038 1641w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/elastic-agent-details-768x414.png?v=1639414038 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/elastic-agent-details-1536x827.png?v=1639414038 1536w\" sizes=\"(max-width: 1641px) 100vw, 1641px\" \/><\/figure>\n\n\n\n<p>Sample dashboards.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1899\" height=\"895\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/sample-elastic-agent-metrics-dashboard.png\" alt=\"\" class=\"wp-image-11153\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/sample-elastic-agent-metrics-dashboard.png?v=1639414083 1899w, 
https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/sample-elastic-agent-metrics-dashboard-768x362.png?v=1639414083 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2021\/12\/sample-elastic-agent-metrics-dashboard-1536x724.png?v=1639414083 1536w\" sizes=\"(max-width: 1899px) 100vw, 1899px\" \/><\/figure>\n\n\n\n<p>You can filter for specific host using the respective filters on the search bar.<\/p>\n\n\n\n<p>And that concludes our guide.<\/p>\n\n\n\n<p>Also see how you can enroll and monitor Windows systems using Elastic Osquery Manager;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/monitor-windows-systems-using-elastic-osquery-manager\/\" target=\"_blank\" rel=\"noreferrer noopener\">Monitor Windows Systems using Elastic Osquery Manager<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"reference\">Reference<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.elastic.co\/guide\/en\/fleet\/current\/elastic-agent-installation.html\" target=\"_blank\" rel=\"noreferrer noopener\">Install Elastic Agent<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/integrate-wazuh-manager-with-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Integrate Wazuh Manager with ELK Stack<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-elk-stack-alerting-with-elastalert\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure ELK Stack Alerting with ElastAlert<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/monitor-linux-system-metrics-with-elk-stack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Monitor Linux System Metrics with ELK Stack<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This tutorial will take you through how you can install and enroll Elastic agents to Fleet manager in Linux. 
According to Elastic Fleet and Elastic<\/p>\n","protected":false},"author":3,"featured_media":11155,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,910,121,34],"tags":[4359,4364,4365,4362,4363,4361,1107],"class_list":["post-11138","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-elastic-stack","category-howtos","category-security","tag-elastic-agents","tag-elastic-agent-enroll","tag-elastic-agent-install","tag-enroll-elastic-agents-to-fleet-server","tag-enroll-elastic-agents-via-elasticsearch-https","tag-install-elastic-agents-on-linux","tag-linux","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11138"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=11138"}],"version-history":[{"count":11,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11138\/revisions"}],"predecessor-version":[{"id":21585,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11138\/revisions\/21585"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/11155"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=11138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=11138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=11138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templ
ated":true}]}}