📘 Part 1: How to Create Enrollment Token Through Fleet Server to Collect Windows System Logs

Before we begin, let's understand some key concepts.

What is Fleet Server?

Fleet Server is the component that connects Elastic Agents to Fleet. It accepts connections from many Elastic Agents and is responsible for:

  • Updating agent policies
  • Collecting status information from agents
  • Coordinating actions across Elastic Agents
  • Providing a scalable architecture (one Fleet Server serves many agents, and several Fleet Servers can be run side by side)
  • Official documentation LINK

Architecture Diagram

[Image: Fleet Server architecture diagram]

  1. When a new agent policy is created, the Fleet UI saves the policy to a Fleet index in Elasticsearch.
  2. To enroll in the policy, Elastic Agents send a request to Fleet Server, authenticating with the enrollment token generated for that policy.
  3. Fleet Server monitors the Fleet indices, picks up the new agent policy from Elasticsearch, and ships the policy to all Elastic Agents enrolled in it. Fleet Server may also write updated policies to the Fleet index to coordinate between agents.
  4. Elastic Agent uses the configuration in the policy to collect data and send it to Elasticsearch.
  5. Elastic Agent checks in with Fleet Server for updates and maintains an open connection.
  6. When a policy is updated, Fleet Server retrieves the updated policy from Elasticsearch and sends it to the connected Elastic Agents.
  7. To report the status of Elastic Agents and the policy rollout back to Fleet, Fleet Server writes to the Fleet indices.

What is Elastic Agent?

Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can:

  • Protect the host from security threats
  • Query data from the operating system
  • Forward data from remote services or hardware
  • Official documentation LINK and Elastic Agent installation LINK

Architecture diagram

[Image: Elastic Agent architecture diagram]

Now we move on to creating the enrollment token for the Windows system.

Step 1: Log in to your Kibana console

[Image: Kibana console]

Step 2: Click the menu icon (☰, labelled eui-Icon) in the top-left corner of Kibana

[Image: eui-Icon]

Step 3: Scroll down to the Management section and click Fleet

[Image: Fleet]

After clicking Fleet, the Fleet UI opens.

[Image: Fleet UI]

Step 4: Click Agent policies

[Image: Agent policies]

Step 5: Click Create agent policy

[Image: Create agent policy]

Step 6: Enter the agent policy name and click Create agent policy

[Image: Policy name]

Note: Advanced options are left at their defaults here.

The policy has now been created.

[Image: Policy created]

Step 7: Click the • • • menu below Actions,

[Image: Actions]

then click Add agent.

[Image: Add agent]

Note: No Fleet Server has been added yet, so the next step adds one. Agents cannot enroll until a Fleet Server is running and reachable.

Step 8: Click Add Fleet Server

[Image: Add Fleet Server]

Step 9: Enter a Name (the hostname is a sensible choice) and the URL that Elastic Agents will use to reach this Fleet Server (typically https://<fleet-server-host>:8220, 8220 being Fleet Server's default port)

NOTE: The URL must point at the host where Fleet Server will be installed, and it must be reachable from every system that will send logs to Elasticsearch. In this walkthrough Fleet Server is installed on the same host as the first Elastic Agent. Use https rather than http so that enrollment tokens and policies are not sent over the network in the clear.

[Image: Name and URL]

Step 10: Click Generate Fleet Server policy.

[Image: Generate Fleet Server policy (FSP)]

Step 11: The token has been generated and is embedded in the install command the UI shows (for the Fleet Server host this is a Fleet Server service token; agents that enroll later use an enrollment token for their policy). Select Windows and click the copy icon 📋 to copy it.

[Image: Windows install command]
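The same steps can be driven through the Kibana Fleet API instead of clicking through the UI, which is how you would script the rollout or avoid pasting tokens around by hand. The following is an added PowerShell example, not code from the article or from Elastic; it assumes Kibana 8.x with security enabled at the placeholder URL below, a user holding the Fleet "All" privilege, and placeholder host names, policy name and Fleet Server URL.

```powershell
# Added example (not from the article): create the Fleet Server host entry, a Fleet Server
# service token, an agent policy and a named enrollment token through the Kibana Fleet API.
# Assumptions: Kibana 8.x with security enabled; the prompted user has the Fleet "All"
# privilege; every URL and name below is a placeholder.

$KibanaUrl      = 'https://kibana.example.internal:5601'   # assumed
$FleetServerUrl = 'https://fleet.example.internal:8220'    # assumed; 8220 is Fleet Server's default port
$PolicyName     = 'Windows Servers'                        # assumed policy name (Step 6)

# Build the Basic auth header ourselves so the script behaves identically on
# Windows PowerShell 5.1 and PowerShell 7 (no reliance on 401 challenge handling).
$Cred    = Get-Credential -Message 'Kibana user with Fleet privileges'
$Pair    = '{0}:{1}' -f $Cred.UserName, $Cred.GetNetworkCredential().Password
$Headers = @{
    'Authorization' = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Pair))
    'kbn-xsrf'      = 'true'   # Kibana rejects state-changing API calls without this header
}

function Invoke-FleetApi {
    param(
        [Parameter(Mandatory)][ValidateSet('GET', 'POST', 'DELETE')][string]$Method,
        [Parameter(Mandatory)][string]$Path,
        [hashtable]$Body
    )
    $params = @{
        Method      = $Method
        Uri         = $KibanaUrl + $Path
        Headers     = $Headers
        ContentType = 'application/json'
    }
    if ($Body) { $params['Body'] = $Body | ConvertTo-Json -Depth 5 }
    Invoke-RestMethod @params
}

# Step 9 equivalent: register the URL agents will use to reach Fleet Server.
$fleetHost = Invoke-FleetApi -Method POST -Path '/api/fleet/fleet_server_hosts' -Body @{
    name       = 'fleet-server-01'        # assumed hostname
    host_urls  = @($FleetServerUrl)
    is_default = $true
}
Write-Host "Fleet Server host registered: $($fleetHost.item.id)"

# Step 10/11 equivalent: the token Fleet Server itself needs at install time is a
# service token, not an agent enrollment token. Its value is returned once only;
# keep it in a secret store, never in a script or shell history.
$serviceToken = Invoke-FleetApi -Method POST -Path '/api/fleet/service_tokens'
Write-Host "Fleet Server service token created: $($serviceToken.name)"

# Steps 5-6 equivalent: create the agent policy the Windows hosts will enroll into.
$policy = Invoke-FleetApi -Method POST -Path '/api/fleet/agent_policies' -Body @{
    name               = $PolicyName
    namespace          = 'default'
    description        = 'Windows system logs'
    monitoring_enabled = @('logs', 'metrics')
}
$policyId = $policy.item.id
Write-Host "Agent policy '$PolicyName' created: $policyId"

# Step 7 equivalent: mint a dedicated, named enrollment key for this rollout so it can be
# revoked on its own afterwards, instead of reusing the policy's auto-created default key.
$enrollKey = Invoke-FleetApi -Method POST -Path '/api/fleet/enrollment_api_keys' -Body @{
    name      = "windows-rollout-$(Get-Date -Format yyyyMMdd)"
    policy_id = $policyId
}
$enrollToken = $enrollKey.item.api_key   # the value the agent install command needs

# Hand the token over out-of-band (clipboard) rather than printing it to the console.
Set-Clipboard -Value $enrollToken
Write-Host "Enrollment token '$($enrollKey.item.name)' (id $($enrollKey.item.id)) copied to clipboard."

# After the rollout, revoke the key so a leaked token cannot enroll rogue agents:
# Invoke-FleetApi -Method DELETE -Path "/api/fleet/enrollment_api_keys/$($enrollKey.item.id)"
```

Two points worth keeping in mind: an enrollment token is a credential (anyone who holds it can enroll an agent into your Fleet and receive that policy), so prefer a short-lived, named key per rollout and revoke it when the rollout is done; and if Kibana uses a self-signed certificate, Invoke-RestMethod will refuse the connection until the CA is trusted on the admin workstation, which is the correct behaviour rather than something to bypass.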

Once copied, the command has to be run on the Windows system (in PowerShell opened as Administrator); the next article covers that part. Treat the token as a credential: anyone holding it can enroll an agent into your Fleet.

  • Setting up a Windows Server 2019 host.
  • Installing the Elastic Agent on Windows Server 2019.
  • In a later article, learning how to edit Group Policies.

Conclusion

We explored how to create an enrollment token using Fleet Server to begin collecting logs from a Windows machine via the Elastic Agent. We started with an overview of how Fleet Server and Elastic Agent work together, then walked through the step-by-step process using the Kibana interface. This sets the foundation for scalable and secure log ingestion from Windows systems into the Elastic Stack.


SOC | SOC Platform | SIEM Engineer | Threat Intelligence | Threat hunting | IR | Detection Engineer | Cloud Security

