Enabling Elastic Agents Upgrades in Restricted or Closed Networks
In this article, we’ll explore how to configure the “Agent Binary Download” setting and set up your own artifact registry for binary downloads within a NetEye cluster.
Prerequisites
Before we begin, ensure you have the following prerequisites in place:
Your Elastic Agents can access https://YOURCLUSTERNAME/
Your Elastic Agents are Version 8.10.3 or higher
Configuring the “Agent Binary Download” Setting
Access NetEye
Log in to your NetEye instance
Navigate to Fleet Settings
Go to Fleet
Click on Settings
Add or edit the binary source
Under Agent Binary Download, click Add Agent Binary Source or Edit
Set a descriptive name for the binary source, like Elastic Artifacts on NetEye Cluster
Specify the address where you’ll host the artifacts repository (your custom registry), like: https://YOURCLUSTERNAME/neteyeshared/elasticdownload/
Make it the default (optional)
If you want to make this location the default for all agent policies, select Make this host the default for all agent policies
Save your changes
Hosting Your Own Artifact Registry
If routing traffic through a proxy server is not an option, you can host your own Elastic Package Registry. Here’s how:
Remember that your Apache Server is running on a single cluster-node
When changing something in /neteye/shared/httpd/, be sure to do it on the node which has httpd running (the node which actually owns the cluster IP)
When changing something in /etc/httpd/, change it on all cluster nodes
Create a Directory
Choose a location on your server where you want to host the artifacts. For example:
Tell your Apache installation to deliver everything from the folder /neteye/shared/httpd/neteyeshare/
#cat /etc/httpd/conf.d/neteye-share.conf # # This configuration file allows the NetEye client software to be accessed at # http://localhost/neteye-client-software/ # Alias /neteyeshare /neteye/shared/httpd/neteyeshare <Directory "/neteye/shared/httpd/neteyeshare"> Options Indexes #Formatting improvement of index view IndexOptions FancyIndexing FoldersFirst HTMLTable VersionSort NameWidth=* AllowOverride all Order allow,deny Allow from all Require all granted </Directory>
Restart Apache
pcs resource restart httpd
Make sure your elastic-agent client machines trust the HTTPS server certificate of your cluster
For Windows clients, manage this by filling the Microsoft certificate store appropriately (see certlm.msc)
For Linux clients, see /etc/pki/tls/certs/ca-bundle.crt or the appropriate procedure for the distribution you use
Update NetEye Configuration
Edit NetEye Configuration
On your NetEye cluster, update the Agent Policy configuration to point to the new artifact location
Modify the Agent Policy ⇒ “Agent Binary Download” setting to use the previously configured Elastic Artifacts on NetEye Cluster
Test Connectivity
Verify that NetEye agents can download the required binaries from the Apache directory
Conclusion
By hosting your Elastic artifacts via an existing NetEye Apache server, you can upgrade Elastic agents without needing to give them access to the internet.
By configuring the “Agent Binary Download” setting and hosting your own artifact registry, you can ensure that Elastic Agents in your NetEye cluster have access to the required binaries, even in restricted or closed networks.
These Solutions are Engineered by Humans
Did you read this article because you’re knowledgeable about networking? Do you have the skills necessary to manage networks? We’re currently hiring for roles like this as well as other roles here at Würth Phoenix.
Hey everyone! We played around a bit last time with our radar data to build a model that we could train outside Elasticsearch, loading it through Eland and then applying it using an ingest pipeline. But since our data is Read More
Right now, at Würth Phoenix, we are investing in automating most of our operations using Ansible. You're probably already familiar with what Ansible does, but to summarize, Ansible is an open-source, command-line IT automation application written in Python. I've talked Read More
OpenShift already has a built-in monitoring suite with Prometheus, Grafana, and Alertmanager. This is all well and good, but what if organizations want to monitor their entire infrastructure, integrating all monitoring results under one umbrella? In this case, it's necessary Read More
Hey everyone! As you may remember, we took a look in the past at how it's possible to use a model (trained directly in Elasticsearch) to perform some real time classification by using an ingest pipeline. But... what if we Read More
Scenario GLPI is integrated into NetEye and provides powerful asset management solutions. Usually GLPI agents are deployed on servers and clients: this way an up-to-date asset inventory is kept within NetEye. The GLPI package also provides a tool able to Read More