Elastic Installation Guide
Please reach out to the endpoint security team to receive the installation URL and Enrollment Token, referenced below as <URL> and <TOKEN_HERE>. The given URL is not for clicking or downloading the agent. The link is a parameter to be passed to the installer so that the agent is associated with Texas A&M's Elastic.
If you are a part of a "Center" - please detail that in your request!
Installation
Installation of the Elastic agent comes down to running a handful of commands on the host. The collection of commands generally downloads a version of the Elastic Agent, unpacks the downloaded archive, and installs the agent. When the agent is being installed, be sure to specify the relevant enrollment token! The enrollment token determines what policy a host ends up with and helps to separate data. When your business unit is ready to begin the install process, follow the instructions so that you can get your enrollment token.
If you would like to learn more about the Elastic Agent, you can go back here.
Managing to install the agent without an enrollment token will lead to a broken install state where the agent may be installed but not reporting back. Be sure to use an enrollment token.
Windows Commands
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.15.2-windows-x86_64.zip -OutFile elastic-agent-8.15.2-windows-x86_64.zip
Expand-Archive -Force .\elastic-agent-8.15.2-windows-x86_64.zip -DestinationPath .
cd elastic-agent-8.15.2-windows-x86_64
.\elastic-agent.exe install --force --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive
The -Force flag for the Expand-Archive cmdlet will help ensure that the zip archive expands even if it already exists.
The --force flag after install for the elastic agent installer will ensure that the agent installs even if it is already installed.
The --non-interactive flag at the end will essentially skip a confirmation prompt so that the installer will execute without interaction. This is ok to include even if the force flag makes it redundant.
Mac Commands
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.15.2-darwin-x86_64.tar.gz
tar xzvf elastic-agent-8.15.2-darwin-x86_64.tar.gz
cd elastic-agent-8.15.2-darwin-x86_64
sudo ./elastic-agent install --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive
The --force flag after install for the elastic agent installer will ensure that the agent installs even if it is already installed.
The --non-interactive flag at the end will essentially skip a confirmation prompt so that the installer will execute without interaction. This is ok to include even if the force flag makes it redundant.
Linux Commands
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.15.2-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.15.2-linux-x86_64.tar.gz
cd elastic-agent-8.15.2-linux-x86_64
sudo ./elastic-agent install --url=<URL> --enrollment-token=<TOKEN_HERE> --non-interactive
The --force flag after install for the elastic agent installer will ensure that the agent installs even if it is already installed.
The --non-interactive flag at the end will essentially skip a confirmation prompt so that the installer will execute without interaction. This is ok to include even if the force flag makes it redundant.
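A pre-install check for the Mac and Linux commands above, as an added example that is not part of the original guide: it verifies the downloaded archive against a SHA-512 checksum file and refuses to proceed while <URL> or <TOKEN_HERE> is empty or still a placeholder, which is the case that leads to the broken install state described earlier. It assumes a checksum file in the usual "<hex digest>  <file name>" format has been obtained from the vendor and saved beside the archive; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-install checks.
# Assumption: a vendor checksum file "<archive>.sha512" sits beside the
# archive, first line formatted as "<hex digest>  <file name>".

# Print the SHA-512 hex digest of a file using whichever tool is present.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    else
        shasum -a 512 "$1" | awk '{print $1}'   # macOS ships shasum
    fi
}

# Return 0 only if the archive's digest matches the one in the checksum file.
verify_archive() {
    archive=$1; sumfile=$2
    [ -r "$archive" ] && [ -r "$sumfile" ] || return 2
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(sha512_of "$archive")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Return 0 only if a value is non-empty, has no spaces, and is not still
# an angle-bracket placeholder such as <URL> or <TOKEN_HERE>.
is_filled() {
    case "$1" in
        ''|*'<'*|*'>'*|*' '*) return 1 ;;
    esac
    return 0
}

# Run every check; the caller runs the installer only when this returns 0.
# Arguments: archive, checksum file, enrollment URL, enrollment token.
preflight() {
    verify_archive "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    is_filled "$3" && is_filled "$4" || {
        echo "URL or enrollment token missing or still a placeholder" >&2
        return 1
    }
}
```

Call preflight with the archive, its checksum file, the URL and the token, and run the sudo ./elastic-agent install line only when it returns 0.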
Alternative Installation Methods
Windows
Some environments or central management mechanisms may have more luck with installing Elastic via an MSI file. That process looks like this:
$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.15.2-windows-x86_64.msi -OutFile elastic-agent-8.15.2-windows-x86_64.msi
cmd /c 'msiexec.exe /i elastic-agent-8.15.2-windows-x86_64.msi INSTALLARGS="--url=<URL> --enrollment-token=<TOKEN_HERE> --force" /q'
Usage
This product should be treated like it is a managed piece of software. It is not something that a team should worry about getting access to. The System and the Security Operations team will respond to any issues. Additionally, updating will be handled remotely.
As the agent upgrades, Windows may show a notification that the host is no longer protected. This should be a momentary event as the agent installs a new version of itself.
Additionally, updating can be pushed out and handled by the Elastic agent.
Troubleshooting
- You must install the agent with administrative rights.
- A 401 Error returned by the installer likely means that you have a wrong enrollment token.
Management Tools
Installation of Elastic is most easily achieved with a centralized management tool that can execute commands/scripts remotely.
Unified Mac hosts will not have to worry about the extra system configuration settings as the JAMF team will be able to make changes to those system settings.
Request
Information technology professionals on campus may contact endpoint-security@tamu.edu to request access to the install files or ask any questions.