Elastic-agent 8.17.7: logs are not being harvested from .log files on Windows host

stephenb · June 28, 2025, 12:22am

Lets Back Up ... exactly how did you install Elastic Agent?

Did you follow the guided Installation from the Fleet UI?

It should look something like

$ProgressPreference = 'SilentlyContinue'
Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.18.3-windows-x86_64.zip -OutFile elastic-agent-8.18.3-windows-x86_64.zip 
Expand-Archive .\elastic-agent-8.18.3-windows-x86_64.zip -DestinationPath .
cd elastic-agent-8.18.3-windows-x86_64
.\elastic-agent.exe install --url=https://sadfasdfasdfb3bd74c467.fleet.us-west1.gcp.cloud.es.io:443 --enrollment-token=asdfasdfasdfsh5NUk6dk9NUkphaUZRU0MwYWotZTIzdTU1Zw==

And if so if should install the Agent in

    Directory: C:\Program Files\Elastic\Agent


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         3/12/2025   3:10 AM                data
d-----         1/13/2025   7:36 PM                vault
-a----         1/13/2025   7:36 PM             41 .build_hash.txt
-a----         2/28/2025   5:54 PM              6 .elastic-agent.active.commit
-a----         1/13/2025   7:36 PM              0 .installed
-a----         6/24/2025  12:19 PM       20972015 elastic-agent-20250623-1.ndjson
-a----         6/25/2025   1:07 AM       20971666 elastic-agent-20250624.ndjson
-a----         6/26/2025   2:44 AM       20972114 elastic-agent-20250625-1.ndjson
-a----         6/25/2025   1:56 PM       20973411 elastic-agent-20250625.ndjson
-a----         6/27/2025   4:21 AM       20972958 elastic-agent-20250626-1.ndjson
-a----         6/26/2025   3:32 PM       20972571 elastic-agent-20250626.ndjson
-a----         6/28/2025  12:18 AM       11719442 elastic-agent-20250627-1.ndjson
-a----         6/27/2025   5:09 PM       20973053 elastic-agent-20250627.ndjson
-a---l         2/28/2025   5:54 PM              0 elastic-agent.exe
-a----         1/13/2025   7:36 PM          14829 elastic-agent.reference.yml
-a----         1/13/2025   7:36 PM           1947 elastic-agent.yml
-a----         1/13/2025   7:36 PM          12306 elastic-agent.yml.2025-01-13T19-36-59.6439.bak
-a----         6/11/2025   3:20 AM            735 fleet.enc
-a----         1/13/2025   7:36 PM              0 fleet.enc.lock
-a----         1/13/2025   7:36 PM          13675 LICENSE.txt
-a----         1/13/2025   7:36 PM        3388637 NOTICE.txt
-a----         1/13/2025   7:36 PM            643 otel.yml
-a----         1/13/2025   7:36 PM             88 otelcol.ps1
-a----         1/13/2025   7:36 PM            351 README.md
-a----         2/28/2025   5:54 PM              0 watcher.lock


PS C:\Program Files\Elastic\Agent>

Also if you dig deep into that error above

	"message": "2025-06-27 22:52:48,950 WARN  [0x0000306c] myapp.secevent - (112) Server connection failed secure handshake. User: . Target: . Client: 192.168.1.111:52179.",

I think the agent is not connecting to elasticsearch

Data is sent to Elasticsearch Typically :9200 not the Fleet Endpoint :8220 you may have a FW issues OR you default output for the Policy is not set up correct....

How did you set up Fleet? What does this look like on the Policy

Topic		Replies	Views
Elastic Agent System integration not collecting Windows Event Log Beats docker , fleet	2	3547	January 13, 2023
I am not seeing any logs from elastic-agent from windows hosts Elastic Security fleet	4	582	November 4, 2021
Elastic Agent Custom Windows Event Logs Beats winlogbeat	5	4418	June 15, 2022
Do not recieve sysmon log from the Windows Integration in elastic agent Endpoint Security	8	2577	December 6, 2021
Filebeat seems not interact with Logstash - Windows Beats filebeat	12	5340	July 5, 2017

Elastic-agent 8.17.7: logs are not being harvested from .log files on Windows host

Related topics