08. 11. 2024 Reinhold Trocker Log Management, Log-SIEM

Configuring EnvironmentFile for Elastic Agents on NetEye Nodes

When deploying Elastic Agents, the installation method affects the content of the systemd service file. Specifically, .tgz deployments of Elastic Agents include the line EnvironmentFile=-/etc/sysconfig/elastic-agent in their systemd unit (elastic-agent.service). However, Elastic Agents installed on NetEye nodes via RPM packages do not include this line in their service file by default.

Adding the EnvironmentFile on NetEye Nodes

To configure the standard EnvironmentFile on NetEye nodes, you have two options:

Option A: Manual Configuration

  1. Open the terminal: Start by opening your terminal
  2. Edit the service file: Use a text editor to open the elastic-agent.service file located in /etc/systemd/system/:
    sudo nano /etc/systemd/system/elastic-agent.service
  3. Add the EnvironmentFile Line: Add the following line under the [Service] section:
    [Service]
    EnvironmentFile=-/etc/sysconfig/elastic-agent
  4. Save and exit: Save the changes and exit the editor
  5. Reload the systemd daemon: Apply the changes by reloading the systemd daemon:
    sudo systemctl daemon-reload
  6. Restart the Elastic Agent service: Restart the Elastic Agent service:
    sudo systemctl restart elastic-agent

Option B: Create and apply a base64 patch file

Alternatively, you can use 3 quick commands to apply a patch file encoded in base64. Here’s how:

Create the patch file: First, create a patch file that adds the EnvironmentFile line. Save it as elastic-agent.patch:

***************
*** 7,8 ****
--- 7,9 ----
  [Service]
+ EnvironmentFile=-/etc/sysconfig/elastic-agent
  Environment="GODEBUG='madvdontneed=1'"
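Review bot: the hunk is pinned to the exact line numbers (*** 7,8 ****) and to the context line Environment="GODEBUG='madvdontneed=1'", and since it carries no file header the target is known only from the command line (the one-liner below passes /etc/systemd/system/elastic-agent.service explicitly). If an RPM update shifts or changes that context line, patch will either apply the hunk with fuzz or reject it into a .rej file, so run the one-liner with --dry-run first and check its exit status before the real run. Running it a second time would make patch detect an already-applied hunk and ask whether to reverse it; adding --forward (-N) makes the step safe to repeat.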

Encode the patch file in base64: Encode the patch file so it can be embedded in a single command (-w0 disables line wrapping in the output):

# base64 -w0 elastic-agent.patch
KioqKioqKioqKioqKioqCioqKiA3LDggKioqKgotLS0gNyw5IC0tLS0KICBbU2VydmljZV0KKyBFbnZpcm9ubWVudEZpbGU9LS9ldGMvc3lzY29uZmlnL2VsYXN0aWMtYWdlbnQKICBFbnZpcm9ubWVudD0iR09ERUJVRz0nbWFkdmRvbnRuZWVkPTEnIgo=

Apply the patch using a one-liner: Use the following command to decode and apply the patch:

echo "KioqKioqKioqKioqKioqCioqKiA3LDggKioqKgotLS0gNyw5IC0tLS0KICBbU2VydmljZV0KKyBFbnZpcm9ubWVudEZpbGU9LS9ldGMvc3lzY29uZmlnL2VsYXN0aWMtYWdlbnQKICBFbnZpcm9ubWVudD0iR09ERUJVRz0nbWFkdmRvbnRuZWVkPTEnIgo=" | base64 --decode | sudo patch /etc/systemd/system/elastic-agent.service
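Both options above change the same thing: one EnvironmentFile= line directly under [Service]. The following script is an added example, not part of the original post or of the Elastic Agent packages, that does this edit idempotently (it never duplicates the line and reports when nothing changed) and that can be rehearsed on a copy of the unit before touching the real one. It assumes POSIX sh with awk and grep, a unit file with a single [Service] header, and it uses a constructed sample unit for its demo; configure_node shows the real-node sequence from the steps above and is not run by the demo.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently insert an
# EnvironmentFile= line under [Service] in a systemd unit, then verify it.
# Assumptions: POSIX sh, awk, grep; exactly one "[Service]" header in the unit.
set -eu

# Succeeds (exit 0) when the unit already carries the exact line.
# The leading "-" tells systemd to tolerate a missing environment file.
has_environment_file() {
    unit="$1"; envfile="$2"
    grep -qxF "EnvironmentFile=-${envfile}" "$unit"
}

# Insert the line right after the "[Service]" header unless it is already there.
# Exit 0 when the file was changed, 1 when it was already configured.
add_environment_file() {
    unit="$1"; envfile="$2"
    if has_environment_file "$unit" "$envfile"; then
        return 1
    fi
    tmp="${unit}.tmp.$$"
    awk -v line="EnvironmentFile=-${envfile}" '
        { print }
        $0 == "[Service]" && !done { print line; done = 1 }
    ' "$unit" > "$tmp"
    # Write back through the original path so owner and mode are preserved.
    cat "$tmp" > "$unit" && rm -f "$tmp"
}

# Number of EnvironmentFile= lines in the unit (must be exactly 1 afterwards).
count_environment_file_lines() {
    grep -c '^EnvironmentFile=' "$1" || true
}

# On a real NetEye node (run as root): apply, reload, restart, then show which
# files systemd will read; EnvironmentFiles is the unit property holding them.
# Not exercised by the demo below.
configure_node() {
    add_environment_file /etc/systemd/system/elastic-agent.service \
        /etc/sysconfig/elastic-agent || echo "already configured, nothing changed"
    systemctl daemon-reload
    systemctl restart elastic-agent
    systemctl show -p EnvironmentFiles elastic-agent.service
}

# Demo on a constructed sample unit (not the RPM's real file), mirroring the
# context lines shown in the patch above.
demo() {
    dir=$(mktemp -d)
    unit="$dir/elastic-agent.service"
    cat > "$unit" <<'EOF'
[Unit]
Description=Elastic Agent (constructed sample unit for the demo)

[Service]
Environment="GODEBUG='madvdontneed=1'"
ExecStart=/usr/bin/elastic-agent-placeholder

[Install]
WantedBy=multi-user.target
EOF
    add_environment_file "$unit" /etc/sysconfig/elastic-agent
    # A second run must be a no-op: the line is never duplicated.
    add_environment_file "$unit" /etc/sysconfig/elastic-agent \
        || echo "second run: already configured, nothing changed"
    echo "EnvironmentFile lines: $(count_environment_file_lines "$unit")"
    cat "$unit"
    rm -rf "$dir"
}

demo
```

Because systemd reads the EnvironmentFile as root and every line in it becomes part of the agent's process environment, keep /etc/sysconfig/elastic-agent owned by root and not writable by other users.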

Conclusion

By following either of these methods, you can ensure that the EnvironmentFile is properly configured for Elastic Agents on NetEye nodes that use systemd. This configuration helps maintain consistency and ensures that your Elastic Agents run with the necessary environment settings.

This was necessary in order to set document fields based on environment variables, including on NetEye nodes. For the details, see the article Categories of Documents – Create More Namespaces within an Agent’s Environment.


Reinhold Trocker

IT professional, IT security, (ISC)2 CISSP, technical consultant