Introduction
In today’s task, I focused on setting up Elastic Agent on my Windows Server 2022 and enrolling it into the Fleet Server, which I configured earlier in the challenge. This allows me to manage agents across multiple systems and collect data in a centralized environment. I encountered several issues during the setup but managed to resolve them by adjusting firewall rules and reconfiguring ports. Below is a step-by-step guide on how I completed this task.
Deploying a Fleet Server on Ubuntu
- First, I created a new server in Vultr to act as the Fleet Server.
- Deployed an Ubuntu 22.04 server (1 CPU, 4 GB RAM) and ensured the Virtual Private Cloud 2.0 was selected.
- Logged into the server over SSH using the command:
ssh root@
- Refreshed the package lists and upgraded the installed packages:
sudo apt-get update
sudo apt-get upgrade -y
After configuration, I accessed the Kibana web GUI via the public IP on port 5601 and proceeded to add a Fleet server under the “Fleet” section in Kibana.
Configuring the Fleet Server
- I generated a Fleet Server policy using the public IP of the newly created Ubuntu VM and ensured HTTPS was enabled for secure communication.
- Next, I connected to the Fleet server by copying the provided command and executing it on the Fleet Server VM to enroll the agent.
- Troubleshooting firewall issues was necessary, as the default firewall was restrictive.
- Commands for modifying firewall rules:
sudo ufw allow 9200
sudo ufw allow 8220
sudo ufw allow 443
Deploying Elastic Agent on Windows Server 2022
- Installed the Elastic Agent on my Windows Server 2022 VM, which was configured on Day 5.
- Ensured Windows PowerShell was running with administrator privileges.
- Copied and executed the command to install the Elastic Agent.
- Resolved firewall port conflicts by modifying the firewall settings on both the Fleet and Elastic servers, allowing communication on necessary ports (8220 and 443).
Troubleshooting Connection Issues
- I encountered multiple errors, such as “Fleet Server failed” and “connection refused,” which were resolved by modifying the firewall rules and verifying port assignments in Kibana.
- One notable error involved a certificate issue (x509 certificate signed by unknown authority), which was resolved by bypassing the self-signed certificate check using the --insecure flag.
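As an added example that is not part of the original write-up, the following POSIX shell pre-flight script covers the two trouble spots above from the Fleet Server side: it reports which of the three ufw ports (9200, 8220, 443) lack an ALLOW rule or have nothing listening, which separates a firewall problem from a service that is not running, and it prints the certificate Fleet Server presents on 8220 so the "unknown authority" error can be diagnosed. The script name and its argument handling are my own; the elastic-agent --certificate-authorities flag mentioned in the comments is assumed to be available in your agent version.

```shell
#!/bin/sh
# fleet-preflight.sh: checks for the Fleet Server host (Ubuntu) before enrolling agents.
# Ports are the ones opened with ufw in the write-up: 9200 (Elasticsearch), 8220 (Fleet), 443.
REQUIRED_PORTS="9200 8220 443"

# Read `ufw status` output on stdin; print each required port that has no ALLOW rule.
# A port listed here is the usual cause of "connection refused" / "Fleet Server failed"
# when the service itself is already running.
missing_ufw_ports() {
  rules=$(cat)
  for p in $REQUIRED_PORTS; do
    printf '%s\n' "$rules" | grep -Eq "^$p(/tcp)?[[:space:]]+ALLOW" || printf '%s\n' "$p"
  done
}

# Read `ss -ltn` output on stdin; print each required port with no listening socket.
# A port listed here means Fleet Server / Elasticsearch is not up, so no ufw change helps.
not_listening_ports() {
  sockets=$(cat)
  for p in $REQUIRED_PORTS; do
    printf '%s\n' "$sockets" | grep -Eq "^LISTEN.*:$p[[:space:]]" || printf '%s\n' "$p"
  done
}

# Print subject, issuer and SHA-256 fingerprint of the certificate served on 8220.
# Subject equal to issuer means self-signed, which is what makes the agent report
# "x509 certificate signed by unknown authority". Saving that CA and passing it to
# `elastic-agent install --certificate-authorities=<ca.pem>` (assumed flag) keeps TLS
# verification on, instead of disabling it with --insecure.
show_fleet_cert() {
  openssl s_client -connect "$1:8220" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -fingerprint -sha256
}

# Live run on the Fleet Server host: sh fleet-preflight.sh <fleet-server-ip>
if [ "$#" -gt 0 ]; then
  echo "Ports without a ufw ALLOW rule:"; sudo ufw status | missing_ufw_ports
  echo "Ports with no listening socket:"; ss -ltn | not_listening_ports
  echo "Certificate presented on 8220:";  show_fleet_cert "$1"
fi
```

Run it with the Fleet Server's IP as the only argument; an empty list under both port checks means the remaining failures are on the agent or certificate side.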
Completing Enrollment
- After addressing all errors, the Elastic Agent successfully enrolled and began collecting system logs and metrics from the Windows Server, which could now be centrally managed through the Fleet Server.

Conclusion
In Day 7 of the MyDFIR 30-Day SOC Challenge, I successfully deployed a Fleet Server on Ubuntu and enrolled my Windows Server with the Elastic Agent. Despite facing several challenges with firewall rules and port conflicts, I learned how to troubleshoot connection issues and ensure proper communication between the Fleet Server and Elasticsearch. This process strengthened my understanding of centralized monitoring and endpoint management. Overcoming these obstacles helped solidify my skills in configuring a SOC environment and preparing it for real-time log ingestion and analysis.