Installing Elasticsearch, Kibana, Fleet Server and APM without orchestration. The other ways to deploy are using Elastic Cloud (managed service), or ECE/ECK which provide orchestration for easier install, upgrades, and maintenance.
Elastic Stack version 8.4.
Created on Azure with Windows Server 2022 Datacenter Azure Edition, Standard B4ms (4 vCPU, 16 GiB RAM)
Following along with Installing the Elastic Stack, we need to install the stack in order and we'll focus on the minimum needed here:
- Elasticsearch
- Kibana
- APM
1 - Following the Windows install instructions, download the .zip file and extract it
2 - Run Elasticsearch from the command line
.\bin\elasticsearch.bat
3 - Copy and keep the password and enrollment token
4 - Check it is running
curl --cacert http_ca.crt https://elastic:IVMTu3b5RF+-E3F7kOxY@localhost:9200 --ssl-no-revoke
5 - Following the Kibana install instructions, download the .zip file and extract it
6 - Run Kibana from the command line
7 - Open link to Kibana in browser
8 - Paste enrollment token and click button to connect Kibana to Elasticsearch
9 - Log in to Kibana with the "elastic" user and the password noted in Step 3
Complete the prerequisites from the APM quick start:
10 - Navigate to $ES_HOME\config and open the elasticsearch.yml configuration file
11 - Add the following line
xpack.security.authc.api_key.enabled: true
12 - Generate Kibana encryption keys
$KIBANA_HOME\bin\kibana-encryption-keys generate
12 - Navigate to $KIBANA_HOME\config and open the kibana.yml configuration file
13 - Copy and paste the Kibana encryption keys into kibana.yml
xpack.encryptedSavedObjects.encryptionKey: fc2caad44285034fa89b7aadcaac750b
xpack.reporting.encryptionKey: 68873dd130e6eaef07bb28c5a23b720b
xpack.security.encryptionKey: 5fc4dfde27048ea90e4cb1ce27aa1786
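A quick sanity check for the elasticsearch.yml and kibana.yml edits above (and for the server.host change made to kibana.yml later in these notes). This is an added example, not part of the original notes and not Elastic's tooling; it uses only the Python standard library, reads flat "key: value" lines rather than full YAML, and the sample file contents are constructed here from the settings the notes add. It flags a missing or too-short encryption key (Kibana requires at least 32 characters), reused keys, an API-key service that is not switched on, and a Kibana bound to a loopback address that remote agents could not reach.

```python
import re
from typing import Dict, List

KIBANA_ENCRYPTION_KEYS = (
    "xpack.encryptedSavedObjects.encryptionKey",
    "xpack.reporting.encryptionKey",
    "xpack.security.encryptionKey",
)
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed samples: "before" is what a fresh kibana.yml effectively contains for these
# keys (the relevant lines commented out); "after" holds the settings these notes add.
KIBANA_YML_BEFORE = "server.port: 5601\n# server.host: \"localhost\"\n"
KIBANA_YML_AFTER = (
    "server.port: 5601\n"
    'server.host: "0.0.0.0"\n'
    "xpack.encryptedSavedObjects.encryptionKey: fc2caad44285034fa89b7aadcaac750b\n"
    "xpack.reporting.encryptionKey: 68873dd130e6eaef07bb28c5a23b720b\n"
    "xpack.security.encryptionKey: 5fc4dfde27048ea90e4cb1ce27aa1786\n"
)
ES_YML_AFTER = "xpack.security.authc.api_key.enabled: true\n"


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read top-level 'key: value' lines, dropping comments and surrounding quotes.
    Deliberately minimal (no nesting, lists or multi-line values): enough for these settings."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        m = re.match(r"^([A-Za-z0-9_.]+):\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings


def check_elasticsearch_yml(text: str) -> List[str]:
    """Confirm the API-key service is on (Fleet and Elastic Agent authenticate with API keys)."""
    value = parse_flat_yaml(text).get("xpack.security.authc.api_key.enabled")
    if value is None:
        return ["xpack.security.authc.api_key.enabled is not set explicitly"]
    if value.lower() != "true":
        return [f"xpack.security.authc.api_key.enabled is {value}, expected true"]
    return []


def check_kibana_yml(text: str) -> List[str]:
    """Check the three encryption keys (present, >= 32 chars, distinct) and that Kibana is not
    bound to a loopback address, which would keep Fleet Server and remote agents from reaching it."""
    s = parse_flat_yaml(text)
    problems: List[str] = []
    present: List[str] = []
    for key in KIBANA_ENCRYPTION_KEYS:
        value = s.get(key, "")
        if not value:
            problems.append(f"{key} is missing")
        elif len(value) < 32:
            problems.append(f"{key} is shorter than 32 characters")
        else:
            present.append(value)
    if len(set(present)) < len(present):
        problems.append("encryption keys are reused; each setting should get its own key")
    host = s.get("server.host", "localhost")  # Kibana's default when the line is commented out
    if host in LOOPBACK_HOSTS:
        problems.append(f"server.host is {host}; remote agents cannot reach Kibana")
    return problems


if __name__ == "__main__":
    for name, problems in (("kibana.yml (before)", check_kibana_yml(KIBANA_YML_BEFORE)),
                           ("kibana.yml (after)", check_kibana_yml(KIBANA_YML_AFTER)),
                           ("elasticsearch.yml (after)", check_elasticsearch_yml(ES_YML_AFTER))):
        print(name, "->", problems or "ok")
```

To run it against the real files, read $KIBANA_HOME\config\kibana.yml and $ES_HOME\config\elasticsearch.yml into strings and pass them to the two check functions; an empty list means nothing was flagged.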
14 - Go to Management > Fleet > Settings
15 - Click Edit hosts and add the Fleet Server URL (use an IP that is reachable from the hosts we plan to monitor, so in this case the Azure VM public IP)
16 - Click Agents tab and follow guide to add Fleet Server
.\elastic-agent.exe install `
--fleet-server-es=https://172.27.0.5:9200 `
--fleet-server-service-token=AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTE2NjM4OTk3NzA2MTM6VUJNYXZtMHpSSy1BSk56djNxeFYxZw `
--fleet-server-policy=fleet-server-policy `
--fleet-server-es-ca=C:\elasticsearch-8.4.2\config\certs\http_ca.crt
Keep in mind that Elastic Cloud takes care of all this for you. We're just doing this the hard way.
When you start Elasticsearch it creates the following certificates and keys (see Configuring Stack Security):
- http_ca.crt - the CA certificate used to sign the certificates for the HTTP layer of the ES cluster
- a keystore with the key and certificate for the HTTP layer of this node
- a keystore with the key and certificate for the transport layer of all nodes in the cluster
Elastic Agent requires a PEM-formatted certificate to send encrypted data to ES (see Configure SSL/TLS for self-managed Fleet Servers).
Run the following to convert the PKCS#12 keystore (path.p12) into a PEM certificate and a PEM private key:
openssl pkcs12 -in path.p12 -out cert.crt -clcerts -nokeys
openssl pkcs12 -in path.p12 -out private.key -nocerts -nodes
Note: For development purposes, run with the --insecure flag to acknowledge that the certificate chain cannot be verified (https://www.elastic.co/guide/en/fleet/8.4/fleet-troubleshooting.html). Also had to add --fleet-server-es-ca to point to the cert generated by Elasticsearch.
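The alternative to --insecure, even in development, is to pin http_ca.crt and confirm it is the certificate the node printed at first start. The following is an added example, not part of these notes and not Elastic's own client code; it uses only the Python standard library. It turns the PEM file into a SHA-256 fingerprint the same way Elasticsearch prints it (SHA-256 over the DER bytes, lower-case hex, no separators), compares it with the fingerprint from the startup output further down in these notes, and only then builds a TLS context for the same check as the curl command in step 4. The certificate path, user and password in the main block are assumptions to adjust; CONSTRUCTED_PEM is a constructed stand-in whose body decodes to the bytes "abc", not a real certificate, so the helpers can be exercised offline.

```python
import base64
import hashlib
import json
import re
import ssl
import urllib.request

# Fingerprint Elasticsearch printed at first start (copied from the startup output in these notes).
EXPECTED_FINGERPRINT = "1e4cc28c7551dab8fba3f1b96ecd7972d41b9d3bba5f16634755e8a9f932412a"

# Constructed stand-in for http_ca.crt so the helpers can be exercised offline:
# the base64 body decodes to the bytes b"abc", which is NOT a real certificate.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def normalize_fingerprint(fp: str) -> str:
    """Lower-case hex without separators, so openssl's 'AB:CD:..' and ES's 'abcd..' compare equal."""
    return re.sub(r"[^0-9a-f]", "", fp.strip().lower())


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of the first CERTIFICATE block and base64-decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM data")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, which is what Elasticsearch prints as the HTTP CA fingerprint."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def ca_matches(pem: str, expected: str) -> bool:
    """True only if the certificate's fingerprint equals the expected one (any separator style)."""
    return sha256_fingerprint(pem) == normalize_fingerprint(expected)


def pinned_context(ca_path: str, expected: str) -> ssl.SSLContext:
    """TLS context that trusts only http_ca.crt, and only after its fingerprint is confirmed.
    A mismatch raises instead of silently falling back to an unverified connection."""
    with open(ca_path, "r", encoding="utf-8") as f:
        pem = f.read()
    if not ca_matches(pem, expected):
        raise ValueError("http_ca.crt fingerprint does not match the value printed at first start")
    ctx = ssl.create_default_context(cafile=ca_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cluster_info(url: str, user: str, password: str, ctx: ssl.SSLContext) -> dict:
    """GET the cluster root document with basic auth over the pinned context (the step-4 check)."""
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed path and credentials for a stand-alone run against a local node; adjust to your install.
    ctx = pinned_context(r"C:\elasticsearch-8.4.2\config\certs\http_ca.crt", EXPECTED_FINGERPRINT)
    info = cluster_info("https://localhost:9200", "elastic", "PASSWORD-FROM-STEP-3", ctx)
    print(info["cluster_name"], info["version"]["number"])
```

The same fingerprint check applies to the cert.crt produced by the openssl conversion above before it is handed to Elastic Agent: if the value does not match what the node printed, the file is not the CA you think it is.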
17 - Update server.host in kibana.yml to a non-loopback address
18 - Restart Kibana from the command line
19 - Create an inbound rule in Windows Defender Firewall (from Firewall & network protection, select Advanced Settings)
20 - Update the inbound rules on the Azure VM networking
21 - Add a Windows Defender inbound port rule
This setup collects infrastructure data through the System integration along with IIS server logs and metrics.
Elasticsearch startup output (security auto-configuration), kept here for reference:
-> Password for the elastic user (reset with bin/elasticsearch-reset-password -u elastic):
vW3doqO4ZucvLVeE__-q
-> HTTP CA certificate SHA-256 fingerprint: 1e4cc28c7551dab8fba3f1b96ecd7972d41b9d3bba5f16634755e8a9f932412a
-> Configure Kibana to use this cluster:
- Run Kibana and click the configuration link in the terminal when Kibana starts.
- Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes): eyJ2ZXIiOiI4LjQuMiIsImFkciI6WyIxNzIuMjcuMC41OjkyMDAiXSwiZmdyIjoiMWU0Y2MyOGM3NTUxZGFiOGZiYTNmMWI5NmVjZDc5NzJkNDFiOWQzYmJhNWYxNjYzNDc1NWU4YTlmOTMyNDEyYSIsImtleSI6ImlfUF9aNE1CNnNGb1RTd19wMVZEOk13dnB6akxTVHp1NFk3OWkzbzVMVGcifQ==
-> Configure other nodes to join this cluster:
- On this node:
  - Create an enrollment token with bin/elasticsearch-create-enrollment-token -s node.
  - Uncomment the transport.host setting at the end of config/elasticsearch.yml.
  - Restart Elasticsearch.
- On other nodes:
  - Start Elasticsearch with bin/elasticsearch --enrollment-token <token>, using the enrollment token that you generated.