Fleet Server Deployment On-Premises

Soban Malik
Aug 5, 2024

Deploying Fleet Server On-Premises:

To use Fleet for central management, you need a running and accessible Fleet Server. Deploying Fleet Server on-premises means you manage it independently and are responsible for its high availability, fault tolerance, and lifecycle management.

This option suits deployments that must minimize external traffic or run fully air-gapped, for example to adhere to data governance requirements or to restrict agents to a private network. However, this approach requires you to manage your Elastic environment yourself, so it may not be the better choice if you prefer Elastic to handle these tasks.

Recommendations:

Deploy multiple Fleet Server instances and use a load balancer for scalability.

Utilize your organization’s certificates for secure connections to Elasticsearch.

Deployment Guidelines

1. Compatibility Requirements:

Fleet Server is compatible with Elastic Stack 7.13+ and Elastic Cloud Enterprise 2.9+.

Maintain version alignment: Elasticsearch ≥ Fleet Server ≥ Elastic Agent.

Ensure Kibana is on the same minor version as Elasticsearch.

2. Prerequisites:

Obtain or generate a Certificate Authority (CA) certificate for TLS encryption.

Ensure network ports required for component communication are open and accessible.

Port Configuration:

Adding a Fleet Server:

1. Initiate in Kibana:

Go to Fleet > Agents > Add Fleet Server.

Follow the guided setup using either Quick Start or Advanced options.

2. Advanced Configuration:

Select or create a Fleet Server policy to manage the Elastic Agent on the Fleet Server host.

If using custom TLS certificates, ensure that the specified URL matches the DNS name on the certificate.

It is advisable to generate a unique service token for each Fleet Server instance.

Use a load balancer to decouple the Fleet Server from specific hosts, ensuring scalable and resilient operations.

3. Installation Process:

Execute the elastic-agent install command to deploy the Fleet Server as a managed service, enrolling it in the selected Fleet Server policy.

Upon successful deployment, the Fleet Server will be listed in Kibana, ready for management like other agents.

Handling Installation Errors:

If you encounter issues during the installation process:

1. Review Logs:

Check the installation logs for error messages. Logs can typically be found in /var/log/elastic-agent/elastic-agent.log or by using journalctl -u elastic-agent.service.

2. Common Issues & Solutions:

Network Connectivity: Ensure that the Fleet Server can reach Elasticsearch and Kibana on the appropriate network ports.

Certificate Issues:

x509 Certificate Validation Error: This error occurs when the certificate presented by the Fleet Server cannot be validated by the Elastic Agent.

Check Certificate Authority (CA): Ensure the CA certificate used to sign the Fleet Server certificate is trusted by the Elastic Agent. You may need to install the CA certificate on the system running the Elastic Agent.

DNS Name Mismatch: Verify that the Common Name (CN) or Subject Alternative Name (SAN) in the certificate matches the DNS name used in the connection string.

Certificate Expiry: Ensure that the certificate is not expired and is valid for the current date.

Intermediate Certificates: If using an intermediate CA, ensure that the entire certificate chain is provided and correctly configured.

Permission Errors: Run the installation command with appropriate permissions (e.g., using sudo).

3. Re-attempt Installation:

After addressing the identified issues, re-run the elastic-agent install command.

4. Seek Assistance:

If the problem persists, consult the Elastic documentation or seek support from Elastic’s community forums or customer support.
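
The certificate checks listed under Common Issues & Solutions (CA trust, DNS name, expiry, intermediate chain) can be run by hand before re-attempting the install. The shell functions below are an added example, not part of the original article or of Elastic's tooling; they assume OpenSSL 1.0.2 or later on the PATH, and the file names, host name and the make_demo_pki helper are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). File and host names are constructed.

# check_fleet_cert CA_FILE CERT_FILE FLEET_HOST [INTERMEDIATES_FILE]
# Prints one line per failed check; returns 0 only if every check passes.
check_fleet_cert() {
    ca=$1; cert=$2; host=$3; chain=${4:-}; rc=0

    # CA trust and intermediates: the certificate must chain to the CA the agents trust.
    if [ -n "$chain" ]; then
        openssl verify -CAfile "$ca" -untrusted "$chain" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
    fi || { echo "FAIL chain: $cert does not verify against $ca"; rc=1; }

    # Expiry: -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL expiry: $cert has expired"; rc=1; }

    # DNS name: the host in the Fleet Server URL must match the certificate.
    # openssl consults the CN only when the certificate carries no DNS SAN.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match" ||
        { echo "FAIL name: $cert is not valid for $host"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $cert is valid for $host"
    return "$rc"
}

# make_demo_pki DIR HOST: writes a constructed one-day CA (ca.crt) and a server
# certificate (fs.crt, SAN=HOST) into DIR so the checks can be tried offline.
make_demo_pki() {
    dir=$1; name=$2
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3ca\n[dn]\n[v3ca]\nbasicConstraints=critical,CA:TRUE\n' > "$dir/demo.cnf" &&
    printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/san.ext" &&
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$dir/fs.key" -out "$dir/fs.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/fs.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.ext" -out "$dir/fs.crt" 2>/dev/null
}
```

Against a real deployment, pass the CA file distributed to the agents, the Fleet Server certificate, and the host name from the Fleet Server URL; an expired certificate is reported by both the chain and the expiry check.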

Post-Deployment Management:

Fleet Server settings can be updated at any time via Management > Fleet > Settings in Kibana.

Configure additional output destinations and proxy URLs, and update the Fleet Server host URL as needed.

Troubleshooting:

If agents are not enrolling properly, verify the health status of the Fleet Server agent under the Agents tab in Kibana.

Reference:

https://www.elastic.co/guide/en/fleet/8.14/add-fleet-server-on-prem.html#add-fleet-server-on-prem-compatibility

https://www.elastic.co/guide/en/fleet/8.14/secure-connections.html
