Agent unhealthy - Defend - failed install endpoint service - Exit status 213

W00glin · May 9, 2024, 3:47pm

Hello,

Running into this issue across a couple of agents we have in the fleet. Normally when I run into agent issues, I just uninstall and reinstall and the issues are removed. However this issue has been persistent across a number of hosts. Here is the specific error -

And the specific error -

failed install endpoint service: 2024-05-09 15:26:47: debug: file.cpp:453 

Removing [C:Program Files\Elastic\Agent\data\elastic-agent-de80b0\components\previous\elastic-endpoint.exe]: exit status 213

On this machine I did try to uninstall the agent initially and I ran into a generic error - checking the documentation did not provide an answer/solution. I rebooted the machine and attempted to uninstall again, it was successful, but did leave some artifacts in the C:\Program Files\Elastic directory on the drive, so to be safe I manually removed those.

Then I re-ran the installation script with the -f to force the install. And how I am getting these errors. Here are some of the logs from the agent itself -

11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: debug: Internal.cpp:103 Failed to move C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml to C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.95
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: debug: Internal.cpp:91 Attempting to resolve file collision on C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml with C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.96
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: info: File.cpp:591 Renaming C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml => C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.96
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: debug: Internal.cpp:103 Failed to move C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml to C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.96
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: debug: Internal.cpp:91 Attempting to resolve file collision on C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml with C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.97
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: info: File.cpp:591 Renaming C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml => C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.97
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: debug: Internal.cpp:103 Failed to move C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml to C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.97
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: debug: Internal.cpp:91 Attempting to resolve file collision on C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml with C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.98
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: info: File.cpp:591 Renaming C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml => C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.98
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: debug: Internal.cpp:103 Failed to move C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml to C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.98
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: debug: Internal.cpp:91 Attempting to resolve file collision on C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml with C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.99
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: info: File.cpp:591 Renaming C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml => C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.99
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: debug: Internal.cpp:103 Failed to move C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml to C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml.99
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: error: Internal.cpp:145 Unable to overwrite C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml during installation.
11:26:47.228
elastic_agent
[elastic_agent][error] 2024-05-09 15:26:47: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Agent\data\elastic-agent-de80b0\components\previous\elastic-endpoint.exe]
11:26:47.252
elastic_agent
[elastic_agent][error] failed accept conn info connection: accept tcp 127.0.0.1:6788: use of closed network connection
11:26:47.253
elastic_agent
[elastic_agent][error] Component state changed endpoint-default (STARTING->FAILED): failed install endpoint service: 2024-05-09 15:26:47: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Agent\data\elastic-agent-de80b0\components\previous\elastic-endpoint.exe]: exit status 213
11:26:47.253
elastic_agent
[elastic_agent][error] Unit state changed endpoint-default-6d91e0e4-3c82-4388-ae90-700953c004c1 (STARTING->FAILED): failed install endpoint service: 2024-05-09 15:26:47: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Agent\data\elastic-agent-de80b0\components\previous\elastic-endpoint.exe]: exit status 213
11:26:47.253
elastic_agent
[elastic_agent][error] Unit state changed endpoint-default (STARTING->FAILED): failed install endpoint service: 2024-05-09 15:26:47: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Agent\data\elastic-agent-de80b0\components\previous\elastic-endpoint.exe]: exit status 213

Any ideas what the issue is? Or how it might be resolved? I found similar issues here and here but the one resolution did not work and the other has been unanswered.

Ben_McNichols · May 13, 2024, 1:45pm

Hi @W00glin,

Sorry to hear you're having this issue. A 213 status code translates to "Installation failure from pre-existing files". It appears from the log fragment provided that the uninstall as part of an upgrade might have failed to remove the preexisting files. If you'd be willing to provide the full Agent log that might include additional context from before the failures to delete and move these files, I should be able to help figure out what happened. I'll direct message you a link to securely provide the logs.

Thanks!

W00glin · May 13, 2024, 2:38pm

Just replied to your DM and uploaded the agent logs. I figured the error was related to a previously failed upgrade/removal but was not entirely sure.

system · June 10, 2024, 2:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.