I have tried everything under the sun and I have no more ideas. I have watched every YT video you can.
I added XXXX to represent the hyper text transfer protocol because it thought I was posting links.
The topology:
3 VMs all same subnet on a Proxmox server.
1 - Elastic Search
2 - Kibana
3 - (Attempt at Fleet server)
I used certificates and got Kibana and Elasticsearch to communicate flawlessly after about 8 hours of work.
I got to the web address and logged in with the superuser for Kibana. I went down to the Fleet tab and then got prompted to set up a Fleet server, and this is where it went downhill.
- Create policy (fleet server Policy)
- Choose the deployment option (I have tried both, quick start and production)
- Add fleet server host (xxxxs://fleet server VM IP:8220)
- Generates a service token
- Then gives the curl command (for the production version)
curl -L -O xxxs://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.13.1-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.13.1-linux-x86_64.tar.gz
cd elastic-agent-8.13.1-linux-x86_64
sudo ./elastic-agent install --url=xxxs://192.168.50.231:8220 \
--fleet-server-es=xxxx://localhost:9200 \
--fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MTI1MzE0OTkwMjc6MG9sbm9TOVFUcTJ5cldncm1LV0hrZw \
--fleet-server-policy=fleet-server-policy \
--certificate-authorities=<PATH_TO_CA> \
--fleet-server-es-ca=<PATH_TO_ES_CERT> \
--fleet-server-cert=<PATH_TO_FLEET_SERVER_CERT> \
--fleet-server-cert-key=<PATH_TO_FLEET_SERVER_CERT_KEY> \
--fleet-server-port=8220
According to the documentation, the only thing that needs to be changed is this:
- Replace the value of the --certificate-authorities parameter with your CA certificate.
I am assuming they are referring to the certificate
cd /etc/elasticsearch/certs/xxxx_ca.crt
I am not sure and cannot find any other documentation for the remaining ones.
Any insight? All I need is to get this fleet server connected to Elasticsearch so I can set up agents on other machines and show it in the Kibana dashboard.
Some errors:
{"log.level":"info","@timestamp":"2024-04-07T21:53:05.574Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":817},"message":"Waiting for Elastic Agent to start: rpc error: code = Canceled desc = context canceled","ecs.version":"1.6.0"}
[=== ] Service Started [20s] Elastic Agent successfully installed, starting enrollment.
[ ==] Waiting For Enroll... [22s] {"log.level":"info","@timestamp":"2024-04-07T21:51:00.286Z","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":436},"message":"Generating self-signed certificate for Fleet Server","ecs.version":"1.6.0"}
root@elastickibana:~# curl -XGET http://192.168.50.227:9200
curl: (52) Empty reply from server
Not sure if that matters? Like I said, when I restart the service, Kibana shows it goes down so it must be working.
edit:
I set --certificate-authorities
but the next one is --fleet-server-es-ca and then the terminal outputs:
-bash: PATH_TO_ES_CERT: No such file or directory
So even though their documentation only states the first one, I believe it needs all of them but I do not have a clue where to get the following info:
--fleet-server-es-ca=<PATH_TO_ES_CERT>
--fleet-server-cert=<PATH_TO_FLEET_SERVER_CERT>
--fleet-server-cert-key=<PATH_TO_FLEET_SERVER_CERT_KEY>
sudo ./elastic-agent install --url=https://192.168.50.231:8220 --fleet-server-es=http://192.168.50.227:9200 --fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE3MTI1MzE0OTkwMjc6MG9sbm9TOVFUcTJ5cldncm1LV0hrZw --fleet-server-policy=fleet-server-policy --certificate-authorities=/etc/certificate/http_ca.crt --fleet-server-es-ca=<PATH_TO_ES_CERT> --fleet-server-cert=<PATH_TO_FLEET_SERVER_CERT> --fleet-server-cert-key=<PATH_TO_FLEET_SERVER_CERT_KEY> --fleet-server-port=8220
The certs I know of are as such:
root@elastickibana:/etc/elasticsearch/certs# ls
http_ca.crt http.p12 transport.p12
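An added preflight check for the install command above (example code, not part of the original post or of Elastic's tooling): it catches the three failure modes visible in the post before elastic-agent is run, i.e. a literal <PATH_TO_...> placeholder left in the command (the shell reads it as a redirection, hence "No such file or directory"), a plain http:// Elasticsearch URL when Elasticsearch is serving TLS with the generated http_ca.crt (hence "Empty reply from server"), and path flags that do not point at readable files. The function name, the FLEET_PREFLIGHT_SKIP_OPENSSL variable and the quoted-argument calling convention are assumptions of this example.

```shell
#!/bin/sh
# Constructed preflight for the Fleet Server flags of `elastic-agent install`.
# Call it with the same flags, each one quoted so a leftover "<PATH_TO_...>"
# reaches the function instead of being parsed as a shell redirection.
# Returns 0 when every check passes, 1 otherwise, printing one line per problem.
fleet_preflight() {
    rc=0
    es_url=""; es_ca=""; ca=""; cert=""; key=""
    for arg in "$@"; do
        # 1. Any "<" or ">" means a placeholder from the docs was never replaced.
        case "$arg" in
            *'<'*|*'>'*) echo "unreplaced placeholder: $arg"; rc=1 ;;
        esac
        case "$arg" in
            --fleet-server-es=*)         es_url=${arg#*=} ;;
            --fleet-server-es-ca=*)      es_ca=${arg#*=} ;;
            --certificate-authorities=*) ca=${arg#*=} ;;
            --fleet-server-cert=*)       cert=${arg#*=} ;;
            --fleet-server-cert-key=*)   key=${arg#*=} ;;
        esac
    done
    # 2. With security auto-configuration, Elasticsearch on 9200 only speaks TLS,
    #    so --fleet-server-es has to be https:// for --fleet-server-es-ca to matter.
    case "$es_url" in
        https://*) ;;
        *) echo "--fleet-server-es must be https:// (got: '$es_url')"; rc=1 ;;
    esac
    # 3. Every path flag that was given must name a readable file.
    for f in "$ca" "$es_ca" "$cert" "$key"; do
        [ -n "$f" ] && [ ! -r "$f" ] && { echo "not readable: $f"; rc=1; }
    done
    # 4. Agents verify Fleet Server against --certificate-authorities, so the
    #    Fleet Server cert must chain to that CA, and cert/key must be a pair.
    #    Skipped when openssl is absent or FLEET_PREFLIGHT_SKIP_OPENSSL is set.
    if [ -z "$FLEET_PREFLIGHT_SKIP_OPENSSL" ] && command -v openssl >/dev/null 2>&1 \
       && [ -r "$ca" ] && [ -r "$cert" ] && [ -r "$key" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
            || { echo "$cert is not signed by $ca"; rc=1; }
        c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null || true)
        k=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
        [ -n "$c" ] && [ "$c" = "$k" ] || { echo "cert/key mismatch: $cert $key"; rc=1; }
    fi
    return $rc
}
```

Run it with the flags from the post, quoted, and fix each reported line before running the real install; the Fleet Server cert and key are a pair you generate for the Fleet Server host, not one of the three files in /etc/elasticsearch/certs.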