Elastic Agent Fails to Start on Windows Server and Is Not Sending Data to Elasticsearch

Dear Team,

I'm trying to integrate a Windows server into the ELK stack using Fleet Server. I have followed the steps as per the ELK docs.

I have generated a self-signed certificate for Fleet Server, and from Kibana --> Fleet --> Add agent I created the policy for the Windows server, which generated a command to install the Elastic Agent on the remote Windows host. When I try to install the agent, enrollment to Fleet works fine, but the Elastic Agent is not starting and not shipping logs to Elasticsearch. If anyone has faced this issue, please help me out. I have been stuck on this for a month.

Please find the error logs of the Elastic Agent from the Windows server:

{"log.level":"info","@timestamp":"2024-02-27T11:31:30.192Z","log.origin":{"file.name":"cmd/run.go","file.line":154},"message":"Elastic Agent started","log":{"source":"elastic-agent"},"process.pid":8028,"agent.version":"8.10.3","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-02-27T11:31:30.423Z","log.origin":{"file.name":"upgrade/rollback.go","file.line":113},"message":"agent is not upgradable, not starting watcher","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-02-27T11:31:30.424Z","log.origin":{"file.name":"cmd/run.go","file.line":241},"message":"APM instrumentation disabled","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-02-27T11:31:30.433Z","log.origin":{"file.name":"application/application.go","file.line":61},"message":"Gathered system information","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-02-27T11:31:30.448Z","log.origin":{"file.name":"application/application.go","file.line":67},"message":"Detected available inputs and outputs","log":{"source":"elastic-agent"},"inputs":["lumberjack","logstash/metrics","mssql/metrics","aws/metrics","azure/metrics","audit/file_integrity","packet","syslog","windows/metrics","containerd/metrics","rabbitmq/metrics","sql/metrics","log","o365audit","elasticsearch/metrics","kibana/metrics","docker/metrics","linux/metrics","oracle/metrics","activemq/metrics","cloudfoundry","kafka","mqtt","tcp","statsd/metrics","aws-s3","cometd","container","enterprisesearch/metrics","zookeeper/metrics","netflow","awsfargate/metrics","syncgateway/metrics","traefik/metrics","gcs","udp","cloudfoundry/metrics","http/metrics","fleet-server","synthetics/browser","apm","entity-analytics","iis/metrics","vsphere/metrics","audit/auditd","osquery","azure-eventhub","http_endpoint","gcp-pubsub","system/metrics","stan/metrics","etcd/metrics","synthetics/http","endpoint","cel","apache/metrics","prometheus/metrics","docker","redis","beat/metrics","kafka/metrics","nats/metrics","nginx/metrics","filestream","kubernetes/metrics","mongodb/metrics","uwsgi/metrics","unix","redis/metrics","synthetics/icmp","synthetics/tcp","azure-blob-storage","journald","audit/system","postgresql/metrics","haproxy/metrics","gcp/metrics","jolokia/metrics","memcached/metrics","aws-cloudwatch","httpjson","winlog","mysql/metrics"],"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-02-27T11:31:30.464Z","log.origin":{"file.name":"application/application.go","file.line":73},"message":"Determined allowed capabilities","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-02-27T11:31:30.698Z","log.origin":{"file.name":"application/application.go","file.line":130},"message":"Parsed configuration and determined agent is managed locally","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-02-27T11:31:30.714Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":74},"message":"Starting stats endpoint","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-02-27T11:31:30.714Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":76},"message":"Metrics endpoint listening on: 127.0.0.1:6791 (configured: http://localhost:6791)","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}","log":{"source":"elastic-agent"},"ecs.version":%221.6.0%22%7D/)
{"log.level":"error","@timestamp":"2024-02-27T11:31:30.762Z","log.logger":"control","log.origin":{"file.name":"server/server.go","file.line":84},"message":"unable to create listener: failed to listen on the named pipe \.\pipe\elastic-agent-d7be1a21f51d5a50c554c29384cb5e0a7dd8e01c00bee96dc2aaf976d3ffab47: open \.\pipe\elastic-agent-d7be1a21f51d5a50c554c29384cb5e0a7dd8e01c00bee96dc2aaf976d3ffab47: The system cannot find the path specified.","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-02-27T11:31:30.763Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":79},"message":"Stats endpoint (127.0.0.1:6791) finished: accept tcp 127.0.0.1:6791: use of closed network connection","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}

Please, if anyone knows a fix for this, do let me know.

I found this part in the logs reporting a local connection error from the agent trying to open a socket for the service. Some points to note:

{"log.level":"error","@timestamp":"2024-02-27T11:31:30.762Z","log.logger":"control","log.origin":{"file.name":"server/server.go","file.line":84},"message":"unable to create listener: failed to listen on the named pipe \.\pipe\elastic-agent-d7be1a21f51d5a50c554c29384cb5e0a7dd8e01c00bee96dc2aaf976d3ffab47: open \.\pipe\elastic-agent-d7be1a21f51d5a50c554c29384cb5e0a7dd8e01c00bee96dc2aaf976d3ffab47: The system cannot find the path specified.","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
  1. Does the server have an antivirus solution that could be blocking the execution of the binary?
  2. When installing the Elastic Agent through a PowerShell prompt, was the prompt running with administrator permissions?
  3. Whenever I install the Elastic Agent, I create an inbound rule in Windows Firewall to release the Elastic Agent application located in the C:\Program Files\Elastic\Agent directory. Can you create this rule?
  4. On the Fleet Server, what is the agent's status?

Hi Wagner Souza,

Thanks for the reply. I have been struggling with this for a month.
1. Yes, antivirus is installed on that server.
2. Yes, I'm installing with admin permissions in PowerShell.
3. I didn't create any rule. If you don't mind, can you please let me know how to allow this?
4. In Fleet Server it is offline.

Thank you. Waiting for your feedback on this.

As you have an antivirus, check if it has a feature for creating a whitelist and enter the directory path corresponding to the Elastic Agent binary. Another alternative is to uninstall the Elastic Agent, disable the antivirus, install the Elastic Agent and then reactivate the antivirus. When uninstalling the Elastic Agent on your host, don't forget to remove it from the Fleet Server list.

To create the firewall rule in Windows:

  1. Click on the Start menu and type Windows Firewall
  2. Access the advanced firewall settings
  3. Under Inbound Rules, on the right side, create a new rule
  4. Select the Application option and enter the path where the Elastic Agent binary is installed: C:\Program Files\Agent\elastic-agent.exe

For one of the clients we served, their antivirus was interrupting the agent's communication with the Fleet Server. In any case, carry out the tests and see if it works.
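
The elevation check and the inbound firewall rule described in the reply above, scripted in PowerShell as an added example that is not part of the original posts or of Elastic's documentation. It assumes the Windows service is registered under the name "Elastic Agent"; the rule display name is made up for illustration. The binary path is read from the service registration rather than typed by hand.

```powershell
# Added example, not from the thread. Assumptions are marked inline.
$ServiceName = 'Elastic Agent'              # assumed service name
$RuleName    = 'Elastic Agent (inbound)'    # hypothetical rule display name

# Point 2 in the thread: confirm this prompt is elevated before doing anything.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Resolve the executable from the registered service so the rule points at
# the binary that actually runs, whatever directory it was installed into.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed." }

# PathName may be quoted and may carry arguments; keep only the .exe path.
if ($svc.PathName -match '^"?(.+?\.exe)') {
    $exe = $Matches[1]
} else {
    throw "Could not parse executable path from: $($svc.PathName)"
}
if (-not (Test-Path -LiteralPath $exe)) { throw "Binary not found: $exe" }

# Steps 3 and 4 of the GUI procedure: an inbound rule scoped to the program.
# Skipped if a rule with this display name already exists.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Program $exe -Action Allow | Out-Null
}

# Restart the service and report its state.
Restart-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status

# Point 4 in the thread is checked in Fleet; this is the local view of the agent.
& $exe status
```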

Dear Wagner Souza,

Thanks a lot for the valuable feedback. After your feedback I tried testing on a server where antivirus is not installed, and it worked fine for me. Now I'm able to get the logs of the Windows server.

Once again, a big thank you for giving your valuable time to this issue. It helped me a lot to overcome the one month of struggle.

I'm happy to be able to help. Could you please mark the topic as resolved? If you need anything, I'm here to help.

Dear Wagner Souza,

Sure, I will mark it as resolved. Once again, thanks a lot.
