# Set up
## Introduce
**Diagram**

* When a new agent policy is created, the Fleet UI saves the policy to a Fleet index in Elasticsearch.
* To enroll in the policy, Elastic Agents send a request to Fleet Server, using the enrollment key generated for authentication.
* Fleet Server monitors Fleet indices, picks up the new agent policy from Elasticsearch, then ships the policy to all Elastic Agents enrolled in that policy. Fleet Server may also write updated policies to the Fleet index to manage coordination between agents.
* Elastic Agent uses configuration information in the policy to collect and send data to Elasticsearch.
* Elastic Agent checks in with Fleet Server for updates, maintaining an open connection.
* When a policy is updated, Fleet Server retrieves the updated policy from Elasticsearch and sends it to the connected Elastic Agents.
* To communicate with Fleet about the status of Elastic Agents and the policy rollout, Fleet Server writes updates to Fleet indices.
## Install Fleet Server
Management -> Fleet -> Add Fleet Server
There are 2 options:
- **Quick Start**: If you want Fleet to generate a Fleet Server policy and enrollment token for you
- **Advanced**: If you want to either
Here I deploy with advanced mode:
1. Select a policy for Fleet Server (create a new agent policy if you don't have one)
2. Choose a deployment mode for security:
- If you want to quick start with **--insecure**, you must add **ssl.certificate_authentication: none** to the Advanced YAML of the Elasticsearch output (not recommended)
3. Add your Fleet Server host under Fleet Server Hosts, e.g. **https://<ip>:8220**
4. Generate a service token
5. Install Fleet Server to a centralized host
```bash
# Download and unpack the Elastic Agent package (Fleet Server runs inside Elastic Agent)
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.0.3-linux-x86_64.tar.gz
tar xzvf elastic-agent-9.0.3-linux-x86_64.tar.gz
cd elastic-agent-9.0.3-linux-x86_64
# Install as Fleet Server: --url is the address agents will enroll against,
# --fleet-server-es is the Elasticsearch endpoint, the service token and
# CA fingerprint come from the Kibana UI, and the cert/key pair is the one
# Fleet Server presents to agents on port 8220.
sudo ./elastic-agent install --url=https://192.168.56.129:8220 \
--fleet-server-es=https://192.168.56.129:9200 \
--fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3NTIxNjE4NzM5MzQ6MTIzSVFnRWZSMzJkYjVOX18zdVhyUQ \
--fleet-server-policy=fleet-server-policy \
--fleet-server-es-ca-trusted-fingerprint=c82943fa0c1fe7b8348455695af45fe4403098d7fa50722053025d1e2ff7d019 \
--certificate-authorities=/etc/elasticsearch/certs/ca/ca.crt \
--fleet-server-cert=/etc/elasticsearch/certs/fleet-server/fleet-server.crt \
--fleet-server-cert-key=/etc/elasticsearch/certs/fleet-server/fleet-server.key \
--fleet-server-port=8220 \
--install-servers
```
6. Wait for the connection to be confirmed
**Note:** To configure SSL/TLS for self-managed Fleet Servers, see reference [[2]](https://www.elastic.co/docs/reference/fleet/secure-connections)
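The value passed to **--fleet-server-es-ca-trusted-fingerprint** above is the SHA-256 hash of the DER encoding of the Elasticsearch CA certificate, which is what `openssl x509 -fingerprint -sha256 -noout -in ca.crt` prints (with colons). As an added example that is not part of this page or of Elastic's own tooling, the Python below derives that value from a PEM file and checks that a fingerprint you are about to paste really belongs to the CA the agent is told to trust; the `make_pem` helper exists only to build constructed test input.

```python
"""Derive and verify the Elasticsearch CA trusted fingerprint used by
elastic-agent's --fleet-server-es-ca-trusted-fingerprint flag.
Added example; it is not Elastic's code."""
import base64
import hashlib
import re

# Matches every CERTIFICATE block in a PEM bundle (body may span lines).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der_certs(pem_text):
    """Return the DER bytes of each certificate found in the PEM text."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]


def ca_trusted_fingerprint(pem_text):
    """SHA-256 over the DER of the first certificate, lowercase hex, no
    colons: the exact form the elastic-agent install flag expects."""
    certs = pem_to_der_certs(pem_text)
    if not certs:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return hashlib.sha256(certs[0]).hexdigest()


def normalize_fingerprint(fp):
    """Accept openssl's 'AB:CD:...' form or bare hex; return lowercase hex
    without colons, rejecting anything that is not 32 bytes of hex."""
    cleaned = fp.strip().replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return cleaned


def fingerprint_matches(pem_text, expected):
    """True when the pasted fingerprint matches the CA in the PEM file."""
    return ca_trusted_fingerprint(pem_text) == normalize_fingerprint(expected)


def make_pem(der):
    """Wrap raw bytes in PEM armor; used to construct test input only."""
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


if __name__ == "__main__":
    # Assumed path; on the host in this guide the CA is /etc/elasticsearch/certs/ca/ca.crt
    with open("/etc/elasticsearch/certs/ca/ca.crt") as f:
        print(ca_trusted_fingerprint(f.read()))
```

Run it against the CA file before enrolling agents and compare the output with the value shown in the Kibana UI; a mismatch means the agent would be pinned to a different CA than the one Elasticsearch actually presents.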
## Install Elastic Agent
1. What type of host do you want to monitor?
Select an agent policy or create a new one if you don't have one
2. Enroll in Fleet?
- Enroll in Fleet (recommended)
- Run standalone: if you choose this you have to install Logstash and, based on Logstash plugins, write the input and output yourself to ship data to Elasticsearch; this is not easy to manage and ...
3. Install Elastic Agent on your host
To install Elastic Agent without root privileges, add the **--unprivileged** flag to the elastic-agent install command below
```powershell
# Suppress the progress bar so the download runs much faster
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.0.3-windows-x86_64.zip -OutFile elastic-agent-9.0.3-windows-x86_64.zip
Expand-Archive .\elastic-agent-9.0.3-windows-x86_64.zip -DestinationPath .
cd elastic-agent-9.0.3-windows-x86_64
# Enroll against Fleet Server; the CA file must be the one that signed the Fleet Server certificate
.\elastic-agent.exe install --url=https://192.168.56.129:8220 --enrollment-token=dnotczhwY0JoRlhnTWJKcVRDWVg6NVNNcjljNFZqLWdPY1RHT2NHOUlGZw== --certificate-authorities="C:\path\to\ca.crt"
```
4. Confirm agent enrollment
5. Confirm incoming data
**Result:**

## Set up integration
**Windows integration**
Fleet -> Agent policies -> Choose policy (Agent policy 1) -> Add integration -> Search "windows"

Add Windows -> choose channels (here I keep the defaults: Forwarded / PowerShell / PowerShell Operational / Sysmon)

Add it to the policy you want
## Install sysmon in windows
Download: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Install (run from an elevated prompt):
```powershell
Sysmon64.exe -accepteula -i
```
# Troubleshooting
**1. Expand Logical Space**
```bash
# Grow the physical volume to the enlarged partition, give all free extents
# to the root LV, then grow the ext4 filesystem to fill it
pvresize /dev/sda3
lvextend -l +100%FREE /dev/pve/root
resize2fs /dev/pve/root
```
**2. Error dialing x509: certificate signed by unknown authority**
Add **--certificate-authorities="C:\path\to\ca.crt"** (pointing at the CA that signed the Fleet Server certificate) or **--insecure** when installing the Elastic Agent
# References:
- [1] https://www.elastic.co/docs/reference/fleet/fleet-server
- [2] https://www.elastic.co/docs/reference/fleet/secure-connections
- [3] https://discuss.elastic.co/
- [4] https://github.com/SwiftOnSecurity/sysmon-config