Elastic-agent cannot configure filebeat error "failed for nwparser.icmp_code"

jerrac · June 30, 2022, 3:39pm

The Elastic Agent that I have assigned to my Fleet server policy cannot configure it's Filebeat instance.

This is version 8.2.3 on Ubuntu 18.04.

elastic-agent status gives me:

Status: FAILED
Message: (no message)
Applications:
  * fleet-server  (HEALTHY)
                  Running on policy with Fleet Server integration: b647fff0-c58b-11eb-91dd-136c7f4a9d5f
  * filebeat      (FAILED)
                  1 error occurred:
                  * 2 errors: Error creating runner from config: failed in processor.javascript: failed in test() function: failed for nwparser.icmp_code: expected:'1' got:'null' at inline.js:2502:19(25); Error creating runner from config: failed in processor.javascript: failed in test() function: failed for nwparser.icmp_code: expected:'1' got:'null' at inline.js:2502:19(25)


  * metricbeat             (HEALTHY)
                           Running
  * filebeat_monitoring    (HEALTHY)
                           Running
  * metricbeat_monitoring  (HEALTHY)
                           Running

I spent a good while searching for answers and couldn't find any.

I also tried reinstalling the agent from scratch. I even removed all integrations from the policy except the fleet server integration.

I have other 8.2.3 agents running just fine on other servers. So I don't think it's a bug...

Anyone have any ideas?

jsoriano · July 4, 2022, 12:14pm

This is interesting because I think that the fleet server integration doesn't use any javascript processor.

Can you check what configuration is being used by this node, with elastic-agent inspect?

jerrac · July 5, 2022, 4:20pm

Well, that's a lot of output... 4300+ lines...

And it looks like the agent is still trying to use integrations I removed from the policy.

I see all of these in there:

apache
fortinet
system
a custom log pointed at my postfix logs
auditd
fleet server

The string "nwparser.icmp_code" shows up in the fortinet config...

How do I get the agent to drop that old config?

jerrac · July 5, 2022, 4:57pm

Looks like moving /opt/Elastic/Agent/data/elastic-agent-< random chars >/state.yml away and restarting fixed it. Well, after I fixed some other misconfiguration.

system · August 2, 2022, 6:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic Agent with fleet policy refuses to start properly Beats fleet	2	1114	July 19, 2022
Fleet managed Elastic Agent - Wrong ES output configuration for Filebeat/Metricbeat Beats fleet	2	1320	March 29, 2022
Beats in elastic-agent reporting "failed to connect to backoff" Beats fleet , filebeat	6	9986	May 11, 2022
Filebeat.sock file do not exists anymore when deploy and configure elastic-agent using Ansible Beats fleet , filebeat , elastic-agent	14	872	May 9, 2022
Fleet agent Logs fleet	7	2695	April 13, 2022

Elastic-agent cannot configure filebeat error "failed for nwparser.icmp_code"

Related topics