Elastic Installation Guide
Ideal agent version: 9.2.6
Agents should be a part of the Texas A&M University System stack. You can reach out to get the install information for the System's stack here:
https://tamus-cyber.atlassian.net/servicedesk/customer/portal/76
Installation
The TAMUS team provides a script for installing the Elastic agent. Please refer to the instructions and details provided by the System after making a request at the link above. The information below is preserved for historical context.
Legacy Installation Instructions (For historical reference)
The information below details the previous manual installation process. These instructions are preserved for informational purposes but should not be used for new installations.
If you would like to learn more about the Elastic Agent, you can go back here.
If you would like to learn more about the install command (or others), you can read more here.
Installing the agent without an enrollment token leads to a broken install state in which the agent may be installed but does not report back. Be sure to use an enrollment token.
Windows Commands
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.2.6-windows-x86_64.zip -OutFile elastic-agent-9.2.6-windows-x86_64.zip
Expand-Archive -Force .\elastic-agent-9.2.6-windows-x86_64.zip -DestinationPath .
cd elastic-agent-9.2.6-windows-x86_64
.\elastic-agent.exe install --force --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive
Mac Commands
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.2.6-darwin-x86_64.tar.gz
tar xzvf elastic-agent-9.2.6-darwin-x86_64.tar.gz
cd elastic-agent-9.2.6-darwin-x86_64
sudo ./elastic-agent install --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive
Linux Commands
x86_64 Architecture
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.2.6-linux-x86_64.tar.gz
tar xzvf elastic-agent-9.2.6-linux-x86_64.tar.gz
cd elastic-agent-9.2.6-linux-x86_64
sudo ./elastic-agent install --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive
aarch64 Architecture
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.2.6-linux-arm64.tar.gz
tar xzvf elastic-agent-9.2.6-linux-arm64.tar.gz
cd elastic-agent-9.2.6-linux-arm64
sudo ./elastic-agent install --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive
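Added example, not part of the original guide or of the TAMUS install script: a shell function that checks a downloaded archive against a SHA-512 checksum file before the tar and install steps in the Mac and Linux commands above. It assumes a checksum file in the "<hex digest>  <filename>" format is available at the archive URL with .sha512 appended; the function names are hypothetical.

```shell
# Added example (not from the original guide or the TAMUS script).
# Print the SHA-512 hex digest of a file with whichever tool exists
# (sha512sum on most Linux systems, shasum on macOS).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | awk '{print $1}'
    else
        echo "no SHA-512 tool found" >&2
        return 2
    fi
}

# verify_agent_archive ARCHIVE CHECKSUM_FILE
# Returns 0 on match, 1 on mismatch or malformed checksum file,
# 2 when an input file or the hashing tool is missing.
verify_agent_archive() {
    archive=$1
    sumfile=$2
    [ -f "$archive" ] && [ -f "$sumfile" ] || { echo "missing input" >&2; return 2; }

    # Assumed checksum file format: "<128 hex chars>  <filename>"
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    case $expected in
        ""|*[!0-9a-f]*) echo "malformed checksum file" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "malformed checksum file" >&2; return 1; }

    actual=$(sha512_of "$archive") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $archive"
        return 0
    fi
    echo "MISMATCH: $archive (do not extract or install)" >&2
    return 1
}

# Usage, run between the curl and tar steps (the .sha512 URL is an assumption):
#   f=elastic-agent-9.2.6-linux-x86_64.tar.gz
#   curl -L -O "https://artifacts.elastic.co/downloads/beats/elastic-agent/$f.sha512"
#   verify_agent_archive "$f" "$f.sha512" && tar xzvf "$f"
```

Because the checksum comes from the same host as the archive, this catches corrupted or truncated downloads but not a compromised download source.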
More Info
For questions regarding historical installations, you may contact endpoint-security@tamu.edu. For all new requests, please use the ticketing portal linked in the "Notice" section at the top of this page.
Considerations for Golden Images
Elastic can be set to delay its enrollment until after a 'reboot'. You should do this as the last operation performed on a host before turning it off and taking the golden image. If this flag is not used, multiple hosts may talk to our stack while appearing to be a single host.
Append the flag --delay-enroll to your install command.
Considerations for 'Legacy' Operating Systems
Elastic notes that they will remove support for an Operating System six months after it hits End of Life. Elastic Agent support and Elastic Defend support statuses can be found on their compatibility matrix here.
Alternative Installation Methods
Windows
Some environments or central management mechanisms may have more luck with installing Elastic via an MSI file. That process looks like this:
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-9.2.6-windows-x86_64.msi -OutFile elastic-agent-9.2.6-windows-x86_64.msi
cmd /c 'msiexec.exe /i elastic-agent-9.2.6-windows-x86_64.msi INSTALLARGS="--url=<URL> --enrollment-token=<TOKEN_HERE> --force" /q'
The OS will not reflect the actual agent version installed if you use the MSI. You can use Axonius to determine what version is installed. Alternatively, you may be able to use elastic-agent.exe version.
Usage
This product should be treated as a managed piece of software. It is not something that a team should worry about getting access to. The System and the Security Operations team will respond to any issues. Additionally, updating will be handled remotely.
Troubleshooting
- You must install the agent with administrative rights.
- A 401 Error returned by the installer likely means that you have a wrong enrollment token.
Windows Permissions Issues
Running C:\"Program Files"\Elastic\Agent\elastic-agent.exe status may show a failure with exit status 284, like:
status: (FAILED) failed install endpoint service: 2025-06-27 18:05:45: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Agent\data\elastic-agent-9.2.6-52ce20\components\previous\elastic-endpoint.exe]: exit status 284
This indicates a permissions issue that the Elastic Agent cannot resolve automatically.
Fix
This issue should be resolved by running the following command to fix the permissions of the directory structure:
icacls "C:\Program Files\Elastic\Agent" /setowner "NT AUTHORITY\SYSTEM" /t /l
Be sure to run this as an administrator!
Management Tools
Installation of Elastic is most easily achieved with a centralized management tool that can execute commands/scripts remotely.
Unified Mac hosts will not have to worry about the extra system configuration settings as the Jamf team will be able to make changes to those system settings.
Request
Information technology professionals on campus may contact endpoint-security@tamu.edu to request access to the install files or ask any questions.