Elastic Installation Guide
Please reach out to the endpoint security team to receive the installation URL and Enrollment Token referenced as <URL> and <TOKEN_HERE>. The given URL is not for clicking or downloading the agent. The link is parameter to be passed to the installer so that the agent is associated with Texas A&M's Elastic.
Installation
Installation of the Elastic agent comes down to running a handful of commands the host. The collection of commands generally downloads a version of the Elastic Agent, unpacks the downloaded archive, and installs the agent. When the agent is being installed, be sure to specify the relevant enrollment token! The enrollment token determines what policy a host ends up with and helps to separate data. Follow the instructions for when your business unit is ready to begin the install process so that you can get your enrollment token.
If you would like to learn more about the Elastic Agent, you can go back here.
Managing to install the agent without an enrollment token will lead to a broken install state where the agent may be installed but not reporting back. Be sure to use an enrollment token.
Windows Commands
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.14.3-windows-x86_64.zip -OutFile elastic-agent-8.14.3-windows-x86_64.zip
Expand-Archive -Force .\elastic-agent-8.14.3-windows-x86_64.zip -DestinationPath .
cd elastic-agent-8.14.3-windows-x86_64
.\elastic-agent.exe install --force --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive
The -Force flag for the Expand Archive cmdlet will help ensure that the zip archive expands even if it already exists.
The --force flag after install for the elastic agent installer will ensure that the agent installs even if it is already installed.
The --non-interactive flag at the end will essentially skip a confirmation prompt so that the installer will execute without interaction. This is ok to include even if the force flag makes it redundant.
Mac Commands
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.14.3-darwin-x86_64.tar.gz
tar xzvf elastic-agent-8.14.3-darwin-x86_64.tar.gz
cd elastic-agent-8.14.3-darwin-x86_64
sudo ./elastic-agent install --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive
The --force flag after install for the elastic agent installer will ensure that the agent installs even if it is already installed.
The --non-interactive flag at the end will essentially skip a confirmation prompt so that the installer will execute without interaction. This is ok to include even if the force flag makes it redundant.
Linux Commands
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.14.3-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.14.3-linux-x86_64.tar.gz
cd elastic-agent-8.14.3-linux-x86_64
sudo ./elastic-agent install --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive
The --force flag after install for the elastic agent installer will ensure that the agent installs even if it is already installed.
The --non-interactive flag at the end will essentially skip a confirmation prompt so that the installer will execute without interaction. This is ok to include even if the force flag makes it redundant.
Usage
This product should be treated like it is a managed piece of software. It is not something that a team should worry about getting access to. The System and the Security Operations team will respond to any issues. Additionally updating will be handled remotely.
Additionally, updating can be pushed out and handled by the Elastic agent. While updating may be handled it may be in the best interest of.
Management Tools
Installation of Elastic is most easily achieved with a centralized management tool that can execute commands/scripts remotely.
Unified Mac hosts will not have to worry about the extra system configuration settings as the JAMF team will be able to make changes to those system settings.
Request
Information technology professionals on campus may contact endpoint-security@tamu.edu to request access to the install files or ask any questions.