Note: Running the Elastic Agent in standalone mode is an advanced use case. The documentation is incomplete and immature. If possible, we recommend using fleet managed agents rather than standalone patterns.
To run Elastic Agent in standalone mode, install the Agent on each host you want to monitor and manually configure the Agent locally on the system where it is installed. You are responsible for managing and upgrading agents. This method is recommended for advanced users only.
We recommend using Fleet-Managed Elastic Agents whenever possible, as it makes managing and upgrading your Agents quite easy. You can read my previous article “Observability: Using Elastic Agent to ingest logs and metrics – Elastic Stack 8.0”.
Important: Standalone agents cannot automatically upgrade to a new integration package version. When you upgrade an integration in Kibana, you need to update the standalone policy manually.
In the following demonstration, I’ll use Elastic Stack 8.0.
Installation
We first need to install and run Elastic Agent on our host. The installation method depends on the operating system. Download Elastic Agent from the “Download Elastic Agent Free | Elastic” page.
- macOS
```
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.0.1-darwin-x86_64.tar.gz
tar xzvf elastic-agent-8.0.1-darwin-x86_64.tar.gz
```
- Linux
```
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.0.1-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.0.1-linux-x86_64.tar.gz
```
- Windows
```
# PowerShell 5.0+
wget https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.0.1-windows-x86_64.zip -OutFile elastic-agent-8.0.1-windows-x86_64.zip
Expand-Archive .\elastic-agent-8.0.1-windows-x86_64.zip
```
- DEB
```
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.0.1-amd64.deb
sudo dpkg -i elastic-agent-8.0.1-amd64.deb
```
To simplify upgrading to future releases of Elastic Agent, we recommend that you use the Tarball distribution instead of the DEB distribution.
- RPM
```
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.0.1-x86_64.rpm
sudo rpm -vi elastic-agent-8.0.1-x86_64.rpm
```
To simplify upgrading to future releases of Elastic Agent, we recommend that you use tarball distribution instead of RPM distribution.
In the following demonstration, I will use macOS. Before starting, you need to follow the article “Elastic Stack 8.0 Install – Securing your Elastic Stack is now easier than ever” to install Elasticsearch and Kibana. Elasticsearch, Kibana and Elastic Agent will all be installed on the same macOS machine.
Configuration
For the standalone Elastic Agent to work properly, we must configure the elastic-agent.yml file. This file can be found in the Elastic Agent installation directory:
```
$ pwd
/Users/liuxg/elastic/fleet/elastic-agent-8.0.1-darwin-x86_64
$ ls
LICENSE.txt    data                           elastic-agent.yml
NOTICE.txt     elastic-agent                  fleet.yml
README.md      elastic-agent.reference.yml    fleet.yml.lock
```
To get started quickly and avoid errors, use Kibana to create and download a standalone configuration file instead of trying to build it manually.
Create the standalone Elastic Agent policy
To get started quickly, use Kibana to add integrations to an Agent policy, and then download the policy to use as a starting point for the standalone Elastic Agent policy. This approach saves time, is less error-prone, and populates the policy with many details that are tedious to add manually. In addition, adding integrations in Kibana loads the required assets, such as index templates and ingest pipelines, before Elastic Agent starts.
Let’s start by creating a policy called Standalone. The name can be anything you like.
This creates a policy called Standalone. Click on the link above:
We then add the desired integration for the policy:
We first find the location of access.log and error.log on macOS:
```
$ nginx -help
nginx version: nginx/1.21.6
Usage: nginx [-?hvVtTq] [-s signal] [-p prefix]
             [-e filename] [-c filename] [-g directives]

Options:
  -?,-h         : this help
  -v            : show version and exit
  -V            : show version and configure options then exit
  -t            : test configuration and exit
  -T            : test configuration, dump it and exit
  -q            : suppress non-error messages during configuration testing
  -s signal     : send signal to a master process: stop, quit, reopen, reload
  -p prefix     : set prefix path (default: /usr/local/Cellar/nginx/1.21.6/)
  -e filename   : set error log file (default: /usr/local/var/log/nginx/error.log)
  -c filename   : set configuration file (default: /usr/local/etc/nginx/nginx.conf)
  -g directives : set global directives out of configuration file
```
The nginx installation directory is shown above. We go to the directory where the file resides:
```
$ pwd
/usr/local/Cellar/nginx/1.21.6
$ ls
CHANGES                 bin                          logs
INSTALL_RECEIPT.json    homebrew.mxcl.nginx.plist    share
LICENSE                 homebrew.nginx.service
README                  html
$ cd logs
$ ls
access.log    error.log    host.access.log    nginx.pid
```
From above, we can see the two files host.access.log and error.log. Next we will use this information to configure integration for Nginx. Click Add Nginx in the image above:
We need to modify the default configuration above. Fill in the location information for host.access.log and error.log and save it.
The Go to download page link above leads to the page from which we downloaded Elastic Agent in the Installation section. Let’s scroll down:
Click Download Policy above:
The downloaded policy is shown above. It has the same name as the configuration file in the Elastic Agent installation directory, elastic-agent.yml. Copy the downloaded elastic-agent.yml file to the Elastic Agent installation directory, overwriting the elastic-agent.yml file that is already there:
```
$ pwd
/Users/liuxg/elastic/fleet/elastic-agent-8.0.1-darwin-x86_64
$ ls
LICENSE.txt    data                           elastic-agent.yml
NOTICE.txt     elastic-agent                  fleet.yml
README.md      elastic-agent.reference.yml    fleet.yml.lock
```
Please note that the elastic-agent.yml file above is the one we downloaded, not the one that came with the Elastic Agent installation.
Grant standalone Elastic Agents access to Elasticsearch
You can use API keys or user credentials to grant standalone Elastic Agents access to Elasticsearch resources. Sending logs, metrics, traces, and synthetics data to Elasticsearch requires the following minimum permissions:
- The monitor cluster privilege
- The auto_configure and create_doc index privileges on logs-*-*, metrics-*-*, traces-*-*, and synthetics-*-*.
It is recommended that you use API keys to avoid exposing usernames and passwords in configuration files.
You can set API keys to expire at a specific time, and you can explicitly invalidate them. Any user with the manage_api_key or manage_own_api_key cluster privilege can create API keys.
For security reasons, we recommend that each Elastic Agent use a unique API key. You can create as many API keys per user as you want.
To create an API key for the Elastic Agent:
In the Restricted Privileges edit box above, enter the following:
```
{
  "standalone_agent": {
    "cluster": [
      "monitor"
    ],
    "indices": [
      {
        "names": [
          "logs-*-*", "metrics-*-*", "traces-*-*", "synthetics-*-*"
        ],
        "privileges": [
          "auto_configure", "create_doc"
        ]
      }
    ]
  }
}
```
We need to adjust the names list above for our own use case. If you don’t use APM or synthetics, you can delete "traces-*-*" and "synthetics-*-*" from the list.
To set an expiration date for the API key, select an expiration time and enter the life cycle of the API key in days. In our case, we don’t set this parameter.
Click the Create API key button above:
You will see a message indicating that the key has been created, along with the encoded key. By default, the API key is shown Base64 encoded, but that format does not work for Elastic Agent. Click on the selection box above and change Base64 to Beats:
Let’s copy the API key above, because it will not be shown on this page again.
Let’s modify the elastic-agent.yml file in the Elastic Agent installation directory:
This completes the policy configuration.
Create standalone Role
Although it is recommended that you use an API key instead of a username and password to access Elasticsearch, you can create a role with the required privileges, assign it to a user, and specify that user’s credentials in the elastic-agent.yml file.
- In Kibana, go to Stack Management > Roles.
- Click Create Role and enter a name for the role.
- In Cluster Privileges, enter monitor.
- In Index Privileges, enter:
  - In Indices, enter logs-*-*, metrics-*-*, traces-*-*, and synthetics-*-*.
  - In the Privileges field, enter auto_configure and create_doc.
- Create the role and assign it to a user.
- To use these credentials, set the user name and password in the elastic-agent.yml file:
```
[...]
outputs:
  default:
    type: elasticsearch
    hosts:
      - 'https://da4e3a6298c14a6683e6064ebfve9ace.us-central1.gcp.cloud.es.io:443'
    username: ES_USERNAME
    password: ES_PASSWORD
[...]
```
Note: For security reasons, specify a user that has only the minimum privileges described here. It is recommended that you do not use the elastic superuser.
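The following Python check is an added example, not code from the original article or from Elastic. It verifies that a privilege definition, whether pasted into the API key's Restricted privileges box or used for the standalone role, grants nothing beyond the minimum listed above, and it converts a Base64-format API key into the Beats format `id:api_key`. The function names and sample values are assumptions constructed for illustration.

```python
import base64
from fnmatch import fnmatchcase

# Minimum privileges the article lists for a standalone agent.
ALLOWED_CLUSTER = {"monitor"}
ALLOWED_INDEX_PRIVS = {"auto_configure", "create_doc"}
ALLOWED_PATTERNS = ("logs-*-*", "metrics-*-*", "traces-*-*", "synthetics-*-*")

def audit_role_descriptors(descriptors):
    """Return one finding per grant that exceeds the article's minimum."""
    findings = []
    for role, body in descriptors.items():
        for priv in body.get("cluster", []):
            if priv not in ALLOWED_CLUSTER:
                findings.append(f"{role}: extra cluster privilege {priv!r}")
        for entry in body.get("indices", []):
            for name in entry.get("names", []):
                # Treat the granted pattern as a literal string: if it matches an
                # allowed pattern, everything it can expand to matches as well.
                if not any(fnmatchcase(name, p) for p in ALLOWED_PATTERNS):
                    findings.append(f"{role}: index pattern {name!r} is outside the allowed data streams")
            for priv in entry.get("privileges", []):
                if priv not in ALLOWED_INDEX_PRIVS:
                    findings.append(f"{role}: extra index privilege {priv!r}")
    return findings

def to_beats_format(encoded):
    """Decode the Base64 form of an API key into the Beats form 'id:api_key'."""
    decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    key_id, sep, secret = decoded.partition(":")
    if not (key_id and sep and secret):
        raise ValueError("value does not decode to 'id:api_key'")
    return decoded

# Constructed inputs: the article's descriptor, an over-privileged variant,
# and a fake key (not a real credential).
ARTICLE = {"standalone_agent": {
    "cluster": ["monitor"],
    "indices": [{"names": list(ALLOWED_PATTERNS),
                 "privileges": ["auto_configure", "create_doc"]}]}}
TOO_BROAD = {"standalone_agent": {
    "cluster": ["all"],
    "indices": [{"names": ["logs-*", "*"], "privileges": ["all"]}]}}
FAKE_ENCODED = base64.b64encode(b"constructed-id:constructed-secret").decode()

if __name__ == "__main__":
    print(audit_role_descriptors(ARTICLE))
    print(*audit_role_descriptors(TOO_BROAD), sep="\n")
    print(to_beats_format(FAKE_ENCODED))
```

Narrower patterns such as logs-nginx.access-default pass the check, because they fall inside logs-*-*.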
Creating assets
These assets include dashboards and ingest pipelines. We can create these assets through Kibana. Assets are set up automatically if you use Kibana to generate the standalone configuration. Otherwise, you need to install them. For more information, see Viewing Elastic Agent Integration Assets and Installing Integrated Assets.
Install and start Elastic Agent as a service
In the Elastic Agent installation directory, run the following command to install Elastic Agent and start it as a service.
Note: On macOS, Linux (tar), and Windows, run the install command to install Elastic Agent as a managed service and start it. The DEB and RPM packages include a service unit for Linux systems with systemd, so you only need to enable and then start that service.
- macOS
```
sudo ./elastic-agent install
```
- Linux
```
sudo ./elastic-agent install
```
- Windows
```
.\elastic-agent.exe install
```
Open the PowerShell prompt as administrator (right-click the PowerShell icon and select Run as Administrator).
- DEB
```
sudo systemctl enable elastic-agent
sudo systemctl start elastic-agent
```
- RPM
```
sudo systemctl enable elastic-agent
sudo systemctl start elastic-agent
```
For my case, I’m running on macOS:
```
$ sudo ./elastic-agent install -i
Elastic Agent will be installed at /Library/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
Do you want to enroll this Agent into Fleet? [Y/n]:n
```
We used the --insecure or -i option above because our Elasticsearch uses self-signed certificates.
You can view the status of the Elastic Agent service:
```
$ sudo elastic-agent status
Password:
Status: HEALTHY
Message: (no message)
Applications:
  * filebeat (HEALTHY)
    Running
  * metricbeat (HEALTHY)
    Running
  * filebeat_monitoring (HEALTHY)
    Running
  * metricbeat_monitoring (HEALTHY)
    Running
```
From the output above, we can see that Elastic Agent is currently running properly.
Let’s go back to the Data streams tab in the Fleet interface:
We can see several datasets about nginx.
Of course, we can also choose the Metrics Nginx above. I don’t want to talk about it here.