Hi all!
I need your help!
I have a self-hosted ELK (not cloud)
I've enrolled the Fleet Server for SIEM using this manual for a self-managed server with default parameters in elastic-agent.yml
I need to connect hosts to my ELK using ELK agents.
It looks like Fleet Server works well (netstat and Kibana screenshots).
It is healthy and has a connection to Elastic.
iptables is OK (not using it because of the cloud infra); the port is open.
My infra is hosted in GCP.
The firewall has been configured to allow connections inside the local network from target hosts to the fleet server.
If I run curl -k https://FLEET_SERVER:8220/api/status from the target machine to Fleet, I'll get {"name":"fleet-server","status":"HEALTHY"}.
So it has a connection to Fleet, I think, doesn't it?
What is the problem? Or maybe you have some advice?
Because now I have no idea at all.
Also I've made a tcpdump from two different hosts. Maybe it'll be useful (I can't attach the dump file).
But if I run curl -k https://FLEET_SERVER:8220/api/status from the target machine to Fleet Server, I'll get {"name":"fleet-server","status":"HEALTHY"}.
Fleet doesn't reject/reset my connection.
{"log.level":"error","@timestamp":"2021-10-12T10:22:39.984Z","log.origin":{"file.name":"fleet/fleet_gateway.go","file.line":205},"message":"Could not communicate with fleet-server Checking API will retry, error: fail to read original error: read tcp 10.65.0.207:45518->10.2.5.2:8220: read: connection reset by peer","ecs.version":"1.6.0"}
2021-10-12T10:47:29.604Z INFO cmd/enroll_cmd.go:354 Generating self-signed certificate for Fleet Server
2021-10-12T10:47:32.036Z INFO cmd/enroll_cmd.go:668 Waiting for Elastic Agent to start Fleet Server
2021-10-12T10:47:33.037Z INFO cmd/enroll_cmd.go:651 Waiting for Elastic Agent to start
2021-10-12T10:47:35.101Z INFO cmd/enroll_cmd.go:701 Fleet Server - Starting
2021-10-12T10:47:37.104Z INFO cmd/enroll_cmd.go:682 Fleet Server - Running on default policy with Fleet Server integration; missing config fleet.agent.id (expected during bootstrap process)
2021-10-12T10:47:37.690Z INFO cmd/enroll_cmd.go:414 Starting enrollment to URL: https://jumphost:8220/
Error: fail to enroll: fail to execute request to fleet-server: fail to decode enrollment response: context canceled
Error: enroll command failed with exit code: 1
If I use the installation command with HTTP, it'll be successfully installed and be healthy.
I think maybe my previous way of installing (with HTTP) was wrong, and that is why the agents have no API connection to Fleet.
I would start from scratch for the server and the agents, all on HTTPS, and make sure your Fleet settings are correct as well, with the correct protocol, HTTPS.
I would recommend using the same IP address or DNS name for the Fleet setting, the enrollment URL and connecting to the hosts. They are mismatched right now, and therefore you bring in the element of having to troubleshoot your own network layers.
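A small diagnostic script, added here and not from the thread or from Elastic, that checks the two things the replies above point at: whether the Fleet Server URL in Kibana's Fleet settings and the enrollment URL agree on scheme, host and port, and whether the server certificate validates against a CA instead of being skipped with curl -k (the agent does verify the certificate unless enrolled with --insecure). The hostnames and CA path in it are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare the Fleet Server host from Kibana's
# Fleet settings with the enrollment URL, then verify TLS with a CA instead of curl -k.
# All URLs and the CA path below are constructed placeholders.

# Print "scheme host port" for a URL; 8220 is Fleet Server's default port.
url_parts() {
  up_url="$1"
  up_scheme="${up_url%%://*}"
  [ "$up_scheme" = "$up_url" ] && up_scheme="none"
  up_rest="${up_url#*://}"
  up_rest="${up_rest%%/*}"
  up_host="${up_rest%%:*}"
  if [ "$up_rest" = "$up_host" ]; then up_port=8220; else up_port="${up_rest##*:}"; fi
  printf '%s %s %s\n' "$up_scheme" "$up_host" "$up_port"
}

# Return 0 when the Fleet settings URL ($1) and the enrollment URL ($2) agree on
# scheme, host and port; otherwise name each mismatched field and return 1.
check_url_consistency() {
  set -- $(url_parts "$1") $(url_parts "$2")
  cuc_rc=0
  [ "$1" = "$4" ] || { echo "scheme mismatch: $1 vs $4 (HTTP vs HTTPS breaks enrollment)"; cuc_rc=1; }
  [ "$2" = "$5" ] || { echo "host mismatch: $2 vs $5 (the name must also be in the certificate)"; cuc_rc=1; }
  [ "$3" = "$6" ] || { echo "port mismatch: $3 vs $6"; cuc_rc=1; }
  return $cuc_rc
}

# curl -k only proves that the port answers. The agent validates the Fleet Server
# certificate (unless enrolled with --insecure), so test with the CA it will be given.
check_fleet_tls() {
  cft_url="$1"; cft_ca="$2"
  curl --silent --show-error --fail --cacert "$cft_ca" "$cft_url/api/status" \
    || { echo "TLS check failed: CA does not sign the cert, or the host is not in its SANs"; return 1; }
}

# Usage with placeholders:
#   check_url_consistency https://fleet.example.internal:8220 https://fleet.example.internal:8220 \
#     && check_fleet_tls https://fleet.example.internal:8220 /etc/fleet/ca.crt
```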