Elastic Installation Guide

Notice

Please reach out to the endpoint security team to receive the installation URL and Enrollment Token, referenced below as <URL> and <TOKEN_HERE>. The given URL is not for clicking or downloading the agent. The link is a parameter to be passed to the installer so that the agent is associated with Texas A&M's Elastic.

If you are a part of a "Center" - please detail that in your request!

Installation

Installation of the Elastic Agent comes down to running a handful of commands on the host. The collection of commands generally downloads a version of the Elastic Agent, unpacks the downloaded archive, and installs the agent. When the agent is being installed, be sure to specify the relevant enrollment token! The enrollment token determines what policy a host ends up with and helps to separate data. When your business unit is ready to begin the install process, follow the instructions so that you can get your enrollment token.

If you would like to learn more about the Elastic Agent, you can go back here.

warning

Managing to install the agent without an enrollment token will lead to a broken install state where the agent may be installed but not reporting back. Be sure to use an enrollment token.

Windows Commands

$ProgressPreference = 'SilentlyContinue'

Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.15.2-windows-x86_64.zip -OutFile elastic-agent-8.15.2-windows-x86_64.zip

Expand-Archive -Force .\elastic-agent-8.15.2-windows-x86_64.zip -DestinationPath .

cd elastic-agent-8.15.2-windows-x86_64

.\elastic-agent.exe install --force --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive

note

The -Force flag for the Expand-Archive cmdlet will help ensure that the zip archive expands even if the destination already exists.

The --force flag after install for the Elastic Agent installer will ensure that the agent installs even if it is already installed.

The --non-interactive flag at the end will essentially skip a confirmation prompt so that the installer will execute without interaction. This is ok to include even if the force flag makes it redundant.

Mac Commands

curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.15.2-darwin-x86_64.tar.gz

tar xzvf elastic-agent-8.15.2-darwin-x86_64.tar.gz

cd elastic-agent-8.15.2-darwin-x86_64

sudo ./elastic-agent install --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive

note

The --force flag after install for the elastic agent installer will ensure that the agent installs even if it is already installed.

The --non-interactive flag at the end will essentially skip a confirmation prompt so that the installer will execute without interaction. This is ok to include even if the force flag makes it redundant.

Linux Commands

curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.15.2-linux-x86_64.tar.gz

tar xzvf elastic-agent-8.15.2-linux-x86_64.tar.gz

cd elastic-agent-8.15.2-linux-x86_64

sudo ./elastic-agent install --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive

note

The --force flag after install for the elastic agent installer will ensure that the agent installs even if it is already installed.

The --non-interactive flag at the end will essentially skip a confirmation prompt so that the installer will execute without interaction. This is ok to include even if the force flag makes it redundant.
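
The following is an added example, not part of the original guide: a pre-flight check for the Mac and Linux procedures above. It verifies the downloaded archive against a SHA-512 sidecar file and refuses to proceed while <URL> or <TOKEN_HERE> are still placeholders, which is the broken-install case the warning describes. The function names are hypothetical, and it assumes the sidecar has been downloaded next to the archive (Elastic publishes one at the artifact URL with ".sha512" appended).

```shell
#!/bin/sh
# Added example: pre-flight checks before the install command (names are hypothetical).

# sha512_of FILE: print the hex SHA-512 digest (sha512sum on Linux, shasum on macOS).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'
    fi
}

# verify_archive ARCHIVE SIDECAR: succeed only if the first field of SIDECAR
# equals the digest of ARCHIVE. Returns 2 if either file is missing.
verify_archive() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    expected=$(awk 'NR==1 {print $1}' "$2")
    actual=$(sha512_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# check_enrollment_args URL TOKEN: reject empty values, leftover <PLACEHOLDER>
# text, and values containing spaces.
check_enrollment_args() {
    for value in "$1" "$2"; do
        case "$value" in
            ""|*"<"*|*">"*|*" "*) return 1 ;;
        esac
    done
    return 0
}

# preflight ARCHIVE URL TOKEN: run both checks; never echoes the token.
preflight() {
    verify_archive "$1" "$1.sha512" || { echo "checksum check failed: $1" >&2; return 1; }
    check_enrollment_args "$2" "$3" || { echo "URL or enrollment token not set" >&2; return 1; }
    echo "pre-flight ok: $1"
}

# Run only when called as: sh preflight.sh ARCHIVE URL TOKEN
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

After the install finishes, sudo elastic-agent status reports whether the agent is running and connected.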

Alternative Installation Methods

Windows

Some environments or central management mechanisms may have more luck with installing Elastic via an MSI file. That process looks like this:

$ProgressPreference = 'SilentlyContinue'

Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.15.2-windows-x86_64.msi -OutFile elastic-agent-8.15.2-windows-x86_64.msi

cmd /c 'msiexec.exe /i elastic-agent-8.15.2-windows-x86_64.msi INSTALLARGS="--url=<URL> --enrollment-token=<TOKEN_HERE> --force" /q'

Usage

This product should be treated as a managed piece of software. It is not something that a team should worry about getting access to. The System and the Security Operations team will respond to any issues. Additionally, updating will be handled remotely.

note

As the agent upgrades, Windows may show a notification that the host is no longer protected. This should be a momentary event as the agent installs a new version of itself.

Additionally, updating can be pushed out and handled by the Elastic agent.

Troubleshooting

  • You must install the agent with administrative rights.
  • A 401 error returned by the installer likely means that you have the wrong enrollment token.

Management Tools

Installation of Elastic is most easily achieved with a centralized management tool that can execute commands/scripts remotely.

Unified Mac hosts will not have to worry about the extra system configuration settings as the JAMF team will be able to make changes to those system settings.

Request

Information technology professionals on campus may contact endpoint-security@tamu.edu to request access to the install files or ask any questions.