Agent unhealthy after adding Network Packet Capture BETA integration

I added the "Network Packet Capture BETA" integration to a self-managed 8.1.2 instance running on Ubuntu 20.04 LTS. Shortly after adding that integration to one of the existing policies, Fleet showed the agent status as unhealthy. Looking at the logs on the host, I found the following two entries repeated several times:

{"log.level":"error","@timestamp":"2022-04-19T17:51:18.987-0400","log.origin":{"file.name":"operation/operation_retryable.go","file.line":85},"message":"operation operation-verify failed, err: operation 'operation-verify' failed to verify packetbeat.8.1.2: 2 errors occurred:\n\t* fetching asc file from '/opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/packetbeat-8.1.2-linux-x86_64.tar.gz.asc': open /opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/packetbeat-8.1.2-linux-x86_64.tar.gz.asc: no such file or directory\n\t* open /opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/packetbeat-8.1.2-linux-x86_64.tar.gz.sha512: no such file or directory\n\n","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-04-19T17:51:18.987-0400","log.origin":{"file.name":"fleet/fleet_gateway.go","file.line":181},"message":"failed to dispatch actions, error: operator: failed to execute step sc-run, error: operation 'operation-verify' failed to verify packetbeat.8.1.2: 2 errors occurred:\n\t* fetching asc file from '/opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/packetbeat-8.1.2-linux-x86_64.tar.gz.asc': open /opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/packetbeat-8.1.2-linux-x86_64.tar.gz.asc: no such file or directory\n\t* open /opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/packetbeat-8.1.2-linux-x86_64.tar.gz.sha512: no such file or directory\n\n: operation 'operation-verify' failed to verify packetbeat.8.1.2: 2 errors occurred:\n\t* fetching asc file from '/opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/packetbeat-8.1.2-linux-x86_64.tar.gz.asc': open /opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/packetbeat-8.1.2-linux-x86_64.tar.gz.asc: no such file or directory\n\t* open /opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/packetbeat-8.1.2-linux-x86_64.tar.gz.sha512: no such file or directory\n\n","ecs.version":"1.6.0"}

Workaround:
Download the three packetbeat files manually to /opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/ on the host and restart the machine. The agent status returned to healthy. I ran into the same issue on a Windows host with a similar workaround.

Similar issue with the Debian 11 (Bullseye) distro. Never seem to get Network Capture to work; it seems it isn't fully tested for a wide variety of distros.

Hi,
I found a way to get around it.
I tested it on Windows, but maybe it will also work for you.

I downloaded all the files directly from Elastic and copied them to the download directory.
So in your case that would be:
/opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/packetbeat-8.1.2-linux-x86_64.tar.gz
/opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/packetbeat-8.1.2-linux-x86_64.tar.gz.asc
/opt/Elastic/Agent/data/elastic-agent-6118f2/downloads/packetbeat-8.1.2-linux-x86_64.tar.gz.sha512

Elastic offers the asc and sha512 files on the download page alongside the sources.

To me it seems like the problem described in this GitHub issue.

Not sure what is causing the verification to fail, maybe in our case a company firewall.
If you dig a bit deeper, it would be great to open an issue with more information.

Best,
Simon
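
A pre-flight check for the manual staging workaround described in the posts above, as an added example that is not part of the original thread or Elastic's own tooling. The function name `check_staged` and its return codes are hypothetical, and the `.sha512` file is assumed to be in `sha512sum` format (hash, then file name).

```shell
#!/bin/sh
# Added example: confirm that manually staged Elastic Agent artifacts are
# complete and intact before restarting the agent.
# check_staged DIR ARTIFACT
#   DIR      - the agent's downloads directory (the path shown in the log above)
#   ARTIFACT - tarball file name, e.g. packetbeat-8.1.2-linux-x86_64.tar.gz
# Return codes (hypothetical): 0 ok, 2 file missing, 3 checksum mismatch,
# 4 malformed .sha512 file.
check_staged() {
    dir=$1
    artifact=$2

    # operation-verify in the log failed because the .asc and .sha512
    # companions were absent, so require all three files to be non-empty.
    for suffix in "" .asc .sha512; do
        if [ ! -s "$dir/$artifact$suffix" ]; then
            echo "missing or empty: $dir/$artifact$suffix" >&2
            return 2
        fi
    done

    # Assumption: first field of the first line is the 128-hex-digit digest.
    expected=$(awk 'NR==1 {print tolower($1)}' "$dir/$artifact.sha512")
    case $expected in
        *[!0-9a-f]*) echo "malformed .sha512 file" >&2; return 4 ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "malformed .sha512 file" >&2
        return 4
    fi

    # Recompute the digest locally instead of trusting the copy step.
    actual=$(sha512sum "$dir/$artifact" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "SHA-512 mismatch for $artifact" >&2
        return 3
    fi
    echo "ok: $artifact matches its .sha512 and the .asc is present"
    return 0
}
# Usage: check_staged /path/to/downloads packetbeat-8.1.2-linux-x86_64.tar.gz
```

The `.asc` signature is only checked for presence here; verifying it with `gpg --verify` against Elastic's signing key is a separate step.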
