08. 11. 2024 Reinhold Trocker Log Management, Log-SIEM

Configuring EnvironmentFile for Elastic Agents on NetEye Nodes

When deploying Elastic Agents, the method of installation can affect the configuration of the systemd service file. Specifically, tgz deployments of Elastic Agents include the line EnvironmentFile=-/etc/sysconfig/elastic-agent in their systemd configuration (elastic-agent.service). However, Elastic Agents installed on NetEye nodes via RPM packages do not include this EnvironmentFile line by default.

Adding the EnvironmentFile on NetEye Nodes

To configure the standard EnvironmentFile on NetEye nodes, you have two options:

Option A: Manual Configuration

  1. Open the Terminal: Start by opening your terminal.
  2. Edit the Service File: Use a text editor to open the elastic-agent.service file located in /etc/systemd/system/:
    sudo nano /etc/systemd/system/elastic-agent.service
  3. Add the EnvironmentFile Line: Add the following line under the [Service] section:
    [Service]
    EnvironmentFile=-/etc/sysconfig/elastic-agent
  4. Save and Exit: Save the changes and exit the editor.
  5. Reload the Systemd Daemon: Apply the changes by reloading the systemd daemon:
    sudo systemctl daemon-reload
  6. Restart the Elastic Agent Service: Restart the Elastic Agent service:
    sudo systemctl restart elastic-agent
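The steps above can be scripted so that they are safe to re-run, which matters on nodes that are reconfigured by automation: the edit must not add a second EnvironmentFile line on the next run, and it should refuse to guess if the unit file has no [Service] section. The following POSIX shell script is an added example, not code from the original post or from NetEye/Elastic. It uses the unit path and sysconfig path named in the post; the sample unit it edits at the bottom is constructed for illustration and never touches /etc. Note that the leading dash in EnvironmentFile=-/etc/sysconfig/elastic-agent tells systemd to start the service even if that file does not exist.

```shell
#!/bin/sh
# Added example, not code from the original post or from NetEye/Elastic.
# Idempotent equivalent of Option A: make sure the EnvironmentFile line is
# present in the elastic-agent unit file, directly after the [Service] header.
# UNIT_DEFAULT and ENV_LINE_DEFAULT are the paths named in the post; the
# sample unit at the bottom is constructed for illustration only.

UNIT_DEFAULT='/etc/systemd/system/elastic-agent.service'
ENV_LINE_DEFAULT='EnvironmentFile=-/etc/sysconfig/elastic-agent'

# ensure_environment_file [unit-file] [line]
# Returns 0 if the line is present afterwards (inserted or already there),
# 2 if the unit file is missing, 3 if it has no [Service] section.
ensure_environment_file() {
    unit="${1:-$UNIT_DEFAULT}"
    line="${2:-$ENV_LINE_DEFAULT}"

    [ -f "$unit" ] || { echo "unit file not found: $unit" >&2; return 2; }

    # Exact whole-line match: a second run must not add a duplicate.
    if grep -qxF -- "$line" "$unit"; then
        return 0
    fi

    # Do not guess an insertion point if the unit has no [Service] section.
    grep -qxF -- '[Service]' "$unit" \
        || { echo "no [Service] section in $unit" >&2; return 3; }

    # Insert the line right after the [Service] header. Writing back with
    # cat (not mv) keeps the original file's owner, mode and SELinux label.
    tmp="$(mktemp)"
    awk -v l="$line" '{ print } $0 == "[Service]" { print l }' "$unit" > "$tmp" \
        && cat "$tmp" > "$unit"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# count_environment_file <unit-file> [line]: prints how many times the exact
# line occurs; a correctly configured unit prints 1.
count_environment_file() {
    grep -cxF -- "${2:-$ENV_LINE_DEFAULT}" "$1"
}

# line_after_service_header <unit-file>: prints the first line following the
# [Service] header, so the insertion point can be verified.
line_after_service_header() {
    awk 'prev == "[Service]" { print; exit } { prev = $0 }' "$1"
}

# Constructed sample unit without an EnvironmentFile line, like the RPM
# install described in the post. Paths inside are illustrative only.
make_sample_unit() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
[Unit]
Description=Elastic Agent (constructed sample)

[Service]
Environment="GODEBUG='madvdontneed=1'"
ExecStart=/usr/bin/elastic-agent
Restart=always

[Install]
WantedBy=multi-user.target
EOF
    echo "$f"
}

# Demo on the sample copy only. On a real node the equivalent is:
#   ensure_environment_file && systemctl daemon-reload && systemctl restart elastic-agent
sample="$(make_sample_unit)"
ensure_environment_file "$sample"
ensure_environment_file "$sample"   # second run is a no-op
echo "occurrences: $(count_environment_file "$sample")"
echo "after [Service]: $(line_after_service_header "$sample")"
rm -f "$sample"
```

After the real unit has been changed and the daemon reloaded, systemctl show elastic-agent -p EnvironmentFiles confirms that systemd picked the setting up. Because systemd reads the referenced file as root and hands its contents to the agent's environment, /etc/sysconfig/elastic-agent should stay root-owned and not be writable by other users.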

Option B: One-liner with Base64 Patch File

Alternatively, you can use a one-liner to apply a patch file encoded in base64. Here’s how:

Create the Patch File: First, create a patch file that adds the EnvironmentFile line. Save it as elastic-agent.patch:

***************
*** 7,8 ****
--- 7,9 ----
  [Service]
+ EnvironmentFile=-/etc/sysconfig/elastic-agent
  Environment="GODEBUG='madvdontneed=1'"
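Review bot: the hunk carries no file-name header lines (*** file / --- file), so it only applies when patch is given the target path on its command line, as the one-liner further down does; and because its only context is the [Service] header and the GODEBUG line at positions 7,8, it may be rejected on a node whose installed unit file has a different layout, and a second run either inserts the line again or stops at a reversed-patch prompt. Running patch with --dry-run first, and with -N (--forward) so an already-applied patch is skipped, would make the one-liner safe to repeat; checking for an existing EnvironmentFile= line in /etc/systemd/system/elastic-agent.service before patching achieves the same.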

Encode the Patch File in Base64: Encode the patch file:

# base64 -w0 elastic-agent.patch
KioqKioqKioqKioqKioqCioqKiA3LDggKioqKgotLS0gNyw5IC0tLS0KICBbU2VydmljZV0KKyBFbnZpcm9ubWVudEZpbGU9LS9ldGMvc3lzY29uZmlnL2VsYXN0aWMtYWdlbnQKICBFbnZpcm9ubWVudD0iR09ERUJVRz0nbWFkdmRvbnRuZWVkPTEnIgo=

Apply the Patch Using a One-liner: Use the following one-liner to decode and apply the patch:

echo "KioqKioqKioqKioqKioqCioqKiA3LDggKioqKgotLS0gNyw5IC0tLS0KICBbU2VydmljZV0KKyBFbnZpcm9ubWVudEZpbGU9LS9ldGMvc3lzY29uZmlnL2VsYXN0aWMtYWdlbnQKICBFbnZpcm9ubWVudD0iR09ERUJVRz0nbWFkdmRvbnRuZWVkPTEnIgo=" | base64 --decode | sudo patch /etc/systemd/system/elastic-agent.service

Conclusion

By following either of these methods, you can ensure that the EnvironmentFile is properly configured for Elastic Agents on NetEye nodes. This configuration helps maintain consistency and ensures that your Elastic Agents run with the necessary environment settings.

This was necessary in order to set document fields based on environment variables on NetEye nodes as well. See Categories of Documents – Create More Namespaces within an Agent’s Environment.

Reinhold Trocker

IT professional, IT security, (ISC)2 CISSP, technical consultant