Welcome back to Day 5 of building a Security Operations Center home lab. Over the past four days, we have laid the groundwork for the home lab by setting up and configuring our virtual machines, built a logical diagram for our home lab and installed Elasticsearch & Kibana. Today we’ll be focusing on Elastic Agents and Fleet Server.
Let’s talk about Elastic Agent and Fleet servers before we take a dive into configuring one.
Introduction
As a SOC analyst, imagine having to manually install and configure agents on 100+ devices. That is clearly a lot of work, not to mention the small mistakes that creep in while configuring each device (or simply forgetting to make one of them forward PowerShell logs). It can be done in several ways: by manually configuring every device, by using a group policy that updates all devices in that group as soon as an update is available, or by using a component that connects agents to a Fleet Server, which allows you to manage all the agents from a centralized location.
What is an Elastic Agent
This is an agent that provides a unified means of adding monitoring for logs, metrics and other available data types. The agents work from policies that you can update with integrations, protections and similar settings; those policies tell the endpoint devices which types of logs should be forwarded.
Elastic Agent can be deployed in two different modes: Fleet-managed or standalone. In this 30-day project, the agents will be deployed in Fleet-managed mode.
Compared to Beats, Elastic Agent does not require installing a different agent for each type of data you want to collect; instead, it is a single unified agent for logs, synthetics, APM traces, metrics and even system security. This makes it easier to add integrations, update configurations through Fleet, enable integrations, customize the agent’s behavior and ingest data.
Fleet Servers
This is the component that connects the Elastic Agents to Fleet, which allows the SOC analyst to manage multiple agents from a centralized location. This makes it easy to update policies, add integrations, allow the agents to forward their data into a Logstash instance or Elasticsearch, update agents when new versions are released, and enroll or unenroll agents.
The Fleet Server takes away the pain and reduces the time it would take to configure agents manually or through group policies.
Setting up and configuration
After successfully setting up Elasticsearch and Kibana, we log in to connect the Fleet Server and add Elastic Agents to the home lab.
STEPS
To log in, the default username is `elastic`, while the password is found on the information page displayed after Elasticsearch was installed.
- On the homepage, click on the hamburger icon at the top left, scroll down to Fleet and click on it. Click on `Add Fleet Server` and an interactive sidebar opens up.
- Add the name you wish to give your server; the URL is the IP address of the Fleet Server VM. Note that it will use port 8220 by default, but since we used `https` when specifying the URL, it chose port 443. Then click on `Generate Fleet Server Policy`.
- To change the port back to 8220, you click on `Fleet Settings`. Click on the pencil icon and change the port to 8220. Click on `Save and apply settings` and save.
- After saving, head on to `Agents` > `Add Fleet Server`. Ensure that the correct Fleet Server IP and port number are clearly shown, then click CONTINUE.
- Copy the `Linux Tar` command and paste it into the Fleet Server’s terminal. Follow the prompts until the process is completed. Once the process completes, the web page changes to show `Fleet Server Connected`, as seen below;
- Click on `Continue enrolling Elastic Agent`; from there we can continue to add agents for our Windows server.
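Once the Fleet Server is connected and agents are enrolled, the thing worth checking is that every agent is actually reporting in, and that the Fleet Server URL names port 8220 explicitly rather than silently falling back to 443. The script below is an added example, not code from the original post or from Elastic; the Kibana address, credentials and hostnames are assumptions, and the sample response is constructed.

```python
"""Post-enrollment check for a Fleet-managed lab: list agents through the
Kibana Fleet API and report any that are not online. Added example; the
Kibana host, credentials and hostnames below are assumptions."""
import base64
import json
import urllib.request
from urllib.parse import urlparse

HEALTHY = {"online"}  # anything else (offline, error, degraded, ...) needs a look


def fleet_url_check(url: str, expected_port: int = 8220) -> bool:
    """True when the Fleet Server URL is https and states the expected port
    explicitly; an https URL without a port means 443, as noted in the steps."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.port == expected_port


def unhealthy_agents(listing: dict) -> list:
    """From a GET /api/fleet/agents response body, summarise every agent
    whose status is not 'online' (hostname, status, policy, last check-in)."""
    out = []
    for agent in listing.get("items", []):
        if agent.get("status") not in HEALTHY:
            host = agent.get("local_metadata", {}).get("host", {})
            out.append({
                "hostname": host.get("hostname", "?"),
                "status": agent.get("status", "unknown"),
                "policy_id": agent.get("policy_id"),
                "last_checkin": agent.get("last_checkin"),
            })
    return out


def fetch_agents(kibana="https://127.0.0.1:5601", user="elastic", password="CHANGE-ME") -> dict:
    """Query the Fleet agents API; Kibana requires the kbn-xsrf header on API calls."""
    req = urllib.request.Request(f"{kibana}/api/fleet/agents?perPage=100")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("kbn-xsrf", "true")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response (not captured from a real lab) so the check runs offline.
SAMPLE = {"items": [
    {"status": "online", "policy_id": "fleet-server-policy", "last_checkin": "2024-01-01T10:00:00Z",
     "local_metadata": {"host": {"hostname": "fleet-server-vm"}}},
    {"status": "offline", "policy_id": "windows-policy", "last_checkin": "2024-01-01T09:12:00Z",
     "local_metadata": {"host": {"hostname": "win-server-vm"}}},
]}

if __name__ == "__main__":
    for a in unhealthy_agents(SAMPLE):
        print(f"{a['hostname']}: {a['status']} (policy {a['policy_id']}, last check-in {a['last_checkin']})")
```

Against a live lab, replace `SAMPLE` with `fetch_agents(...)` pointed at your Kibana instance.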
This was a straightforward process while I was performing it on my end. However, it may be different for others, so I’d advise that you make sure your VM instances are well provisioned. That is, your servers should have enough processors, storage space and RAM to ensure they carry out their functions smoothly.
Till next time… Stay CyberCurious
Stay CyberAwesome