Elastic agent install error: already installed at: /opt/Elastic/Agent

Hello,

I'm trying to enroll an agent on a healthy fleet server which is also an agent (from what I've understood).

I'm following the step-by-step guide from the Kibana interface in the integration panel (see the image below).

I've got the following error when I follow the command from the Kibana interface: 3) Install Elastic Agent on your host:

nicop@nicop-IdeaPad-5-Pro-14ARH7:~/elastic-agent-8.6.2-linux-x86_64$ sudo ./elastic-agent install --url=http://127.0.0.1:8220 --enrollment-token=TzZPNDdvWUIxYnhnNWdaOXpwSlI6bjhFNV9DaHVUY0szRUpXXXXXXX==
Error: already installed at: /opt/Elastic/Agent
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.6/fleet-troubleshooting.html

Here is the output of the sudo netstat -tulpn | grep LISTEN command:

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      965/mariadbd        
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      612/systemd-resolve 
tcp        0      0 0.0.0.0:9300            0.0.0.0:*               LISTEN      25352/docker-proxy  
tcp        0      0 0.0.0.0:9600            0.0.0.0:*               LISTEN      25579/docker-proxy  
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1007/cupsd          
tcp        0      0 127.0.0.1:8221          0.0.0.0:*               LISTEN      36713/fleet-server  
tcp        0      0 0.0.0.0:9200            0.0.0.0:*               LISTEN      25370/docker-proxy  
tcp        0      0 0.0.0.0:50000           0.0.0.0:*               LISTEN      25538/docker-proxy  
tcp        0      0 127.0.0.1:6791          0.0.0.0:*               LISTEN      36277/elastic-agent 
tcp        0      0 127.0.0.1:6789          0.0.0.0:*               LISTEN      36277/elastic-agent 
tcp        0      0 127.0.0.1:6666          0.0.0.0:*               LISTEN      861/python          
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      876/redis-server 12 
tcp        0      0 127.0.0.1:6463          0.0.0.0:*               LISTEN      5417/Discord --type 
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      25519/docker-proxy  
tcp        0      0 0.0.0.0:5044            0.0.0.0:*               LISTEN      25601/docker-proxy

Hi @Nicolas_Pelletier
Welcome to the community!

Since it looks like you are doing this all on one host / laptop just add another integration to the fleet policy... Not adding a whole other agent.

Just 1 agent per host with multiple integrations.

Fleet happens to be 1 integration... A special one but it is technically just an integration...

So try to just add another integration from the Fleet - Agent - Fleet Policy... add another integration to that policy, you can rename the policy if you like.

In a normal use case you would be installing Fleet on one host and then installing/using the agent to ship telemetry from other hosts.. but you are doing an all in one....

Hope this makes sense

Hello Stephen,

Thanks for your answer,

What I'm trying to do is to integrate IOCs from MISP into ELK to take advantage of the Kibana dashboard.

Here are the integration policies that I've combined in an agent policy.

So the next thing I need to do, if I understand clearly, is to create either a fleet server that plays the role of an agent with these policies included or a standalone agent with these policies included as well.

Which one do you think is the best for my use case (benefit from the MISP and Threat utilities dashboard)?

----------- Post Update ------------

So once I've connected the fleet server to Kibana, is that the only thing that I need to do?
The MISP and Threat Intelligence Utilities integration policies are attached to the fleet-server-policy.

Either way but just 1 agent per host...

Just to clarify some terminology:

You will install an additional fleet managed agent on another host.

The term standalone in the context of Elastic Agent means non-fleet managed.

A common architecture is to put the fleet server on the same server as Kibana or on a separate VM; it is not typically on the agent where the source is.

I am not an expert on MISP; perhaps someone else is, or open a separate topic just on that.

Thank you for your answer and all these precisions.

Unfortunately I can't see any logs from the fleet server with the following integrations.

When I look at the logs of the Elastic Agent (which has the fleet server policy) I see these error logs:

{"log.level":"error","@timestamp":"2023-03-18T17:20:51.271+0100","message":"Failed to connect to backoff(elasticsearch(http://elasticsearch:9200)): Get \"http://elasticsearch:9200\": lookup elasticsearch: Temporary failure in name resolution","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"}
{"log.level":"error","@timestamp":"2023-03-18T17:20:51.272+0100","message":"Error dialing lookup elasticsearch: Temporary failure in name resolution"

It seems that the Elastic Agent can't communicate with Elasticsearch.
Do you know if there is any config file where we can change the Elasticsearch host from http://elasticsearch:9200 to http://localhost:9200?

It seems, according to the documentation of the elastic-agent configuration, that in the elastic-agent.reference.yml file there is an output part that can do that:


######################################
# Fleet configuration
######################################
outputs:
  default:
    type: elasticsearch
    hosts: [127.0.0.1:9200]
    api-key: "example-key"
    # username: "elastic"
    # password: "changeme"

inputs:

But I don't see this part in the /opt/Elastic/Agent/elastic-agent.yml. Is it because it's an Elastic Agent with a fleet-server policy attached to it?
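
A way to triage the name-resolution errors quoted in the post above, as an added example that is not part of the original thread or Elastic's own tooling: it pulls the output URL out of agent log lines (including truncated ones), checks whether that host name resolves from where the agent runs, and flags outputs that use plain http. The sample lines are constructed from the excerpt in the post, and `failing_outputs` and `system_resolver` are hypothetical names.

```python
import json
import re
import socket
from urllib.parse import urlsplit

# Constructed sample, modelled on the two error lines in the post above; the
# second line is cut short on purpose, the way pasted log excerpts often are.
SAMPLE_LOG = [
    '{"log.level":"error","@timestamp":"2023-03-18T17:20:51.271+0100",'
    '"message":"Failed to connect to backoff(elasticsearch(http://elasticsearch:9200)): '
    'Get \\"http://elasticsearch:9200\\": lookup elasticsearch: Temporary failure in name resolution",'
    '"component":{"binary":"metricbeat","id":"beat/metrics-monitoring"}}',
    '{"log.level":"error","@timestamp":"2023-03-18T17:20:51.272+0100",'
    '"message":"Failed to connect to backoff(elasticsearch(http://elasticsearch:9200)): Get',
    '{"log.level":"info","message":"Unit state changed"}',
]

OUTPUT_URL = re.compile(r'backoff\(elasticsearch\((https?://[^)\s"\\]+)\)\)')


def system_resolver(host):
    """Return True if the local resolver can map host to an address."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def failing_outputs(lines, resolver=system_resolver):
    """Map each output URL seen in connection errors to a small report."""
    report = {}
    for line in lines:
        try:
            record = json.loads(line)
            message = record.get("message", "") if isinstance(record, dict) else ""
        except json.JSONDecodeError:
            message = line  # truncated JSON: fall back to scanning the raw text
        for url in OUTPUT_URL.findall(message):
            if url not in report:  # resolve each distinct output only once
                parts = urlsplit(url)
                report[url] = {"errors": 0, "resolves": resolver(parts.hostname),
                               "plaintext": parts.scheme == "http"}
            report[url]["errors"] += 1
    return report


if __name__ == "__main__":
    print(failing_outputs(SAMPLE_LOG))
```

A host name that is only defined inside a container network will report `resolves: False` when the check runs on the host itself, and `plaintext: True` means the output credentials travel unencrypted.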
