Elastic-agent cannot configure filebeat error "failed for nwparser.icmp_code"

The Elastic Agent that I have assigned to my Fleet server policy cannot configure its Filebeat instance.

This is version 8.2.3 on Ubuntu 18.04.

elastic-agent status gives me:

Status: FAILED
Message: (no message)
Applications:
  * fleet-server  (HEALTHY)
                  Running on policy with Fleet Server integration: b647fff0-c58b-11eb-91dd-136c7f4a9d5f
  * filebeat      (FAILED)
                  1 error occurred:
                  * 2 errors: Error creating runner from config: failed in processor.javascript: failed in test() function: failed for nwparser.icmp_code: expected:'1' got:'null' at inline.js:2502:19(25); Error creating runner from config: failed in processor.javascript: failed in test() function: failed for nwparser.icmp_code: expected:'1' got:'null' at inline.js:2502:19(25)


  * metricbeat             (HEALTHY)
                           Running
  * filebeat_monitoring    (HEALTHY)
                           Running
  * metricbeat_monitoring  (HEALTHY)
                           Running

I spent a good while searching for answers and couldn't find any.

I also tried reinstalling the agent from scratch. I even removed all integrations from the policy except the fleet server integration.

I have other 8.2.3 agents running just fine on other servers. So I don't think it's a bug...

Anyone have any ideas?

This is interesting because I think that the fleet server integration doesn't use any JavaScript processor.

Can you check what configuration is being used by this node, with elastic-agent inspect?

Well, that's a lot of output... 4300+ lines...

And it looks like the agent is still trying to use integrations I removed from the policy.

I see all of these in there:

  • apache
  • fortinet
  • system
  • a custom log pointed at my postfix logs
  • auditd
  • fleet server

The string "nwparser.icmp_code" shows up in the fortinet config...

How do I get the agent to drop that old config?

Looks like moving /opt/Elastic/Agent/data/elastic-agent-< random chars >/state.yml away and restarting fixed it. Well, after I fixed some other misconfiguration.

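The fix reported in the last post, scripted as an added example (not code from the thread or from Elastic): it moves the cached state.yml aside as a timestamped backup instead of deleting it, then checks a fresh `elastic-agent inspect` dump for the string from the error. The function names are hypothetical, and the script assumes the agent runs as a systemd service named `elastic-agent` under the install path quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, not part of elastic-agent.

# Count lines in a saved `elastic-agent inspect` dump that mention a string
# taken from the Filebeat error (for this thread: nwparser.icmp_code).
stale_hits() {  # usage: stale_hits <dump-file> <string>
    grep -cF -- "$2" "$1" || true   # grep exits 1 on zero matches; still print 0
}

# Move every state.yml under <agent-home>/data/elastic-agent-*/ aside, keeping
# it as a timestamped backup so the old state can be restored or examined.
# Prints each backup path; exits non-zero if no state.yml was found.
quarantine_state() {  # usage: quarantine_state <agent-home>
    local home="$1" f backup stamp moved=0
    stamp="$(date +%Y%m%dT%H%M%S)"
    for f in "$home"/data/elastic-agent-*/state.yml; do
        [ -f "$f" ] || continue     # glob matched nothing
        backup="$f.stale-$stamp"
        mv -- "$f" "$backup"
        echo "$backup"
        moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ]
}

# Runs only when invoked as: ./reset-agent-state.sh --run [string-to-check]
if [ "${1:-}" = "--run" ]; then
    AGENT_HOME="${AGENT_HOME:-/opt/Elastic/Agent}"   # path quoted in the thread
    needle="${2:-nwparser.icmp_code}"
    # Stopping first is a precaution added here so the running agent cannot
    # rewrite the file; the thread only says "move away and restart".
    systemctl stop elastic-agent                     # assumed service name
    quarantine_state "$AGENT_HOME"
    systemctl start elastic-agent
    sleep 30                                         # give Fleet time to push the policy
    dump="$(mktemp)"
    elastic-agent inspect > "$dump"
    hits="$(stale_hits "$dump" "$needle")"
    rm -f "$dump"
    echo "lines still mentioning $needle: $hits"
    [ "$hits" -eq 0 ]                                # fail if the old config is still there
fi
```

Run it as root with `--run`; a non-zero exit after the restart means the removed integration's config is still being rendered and the policy itself needs checking.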