Elastic Agent is Healthy, but no data streams

Hi, I'm running a Fleet-managed Elastic Agent on Elastic 7.15.1. I have multiple agents running on Linux and Windows endpoints. All agents are showing as healthy. On both Linux and Windows, the custom certificate is added to the system's trusted CA store.

For encrypting traffic, I followed the documentation: https://www.elastic.co/guide/en/fleet/current/secure-connections.html

Scenario 1: No certificate added under "ssl.certificate_authorities" in "Fleet Settings" in Kibana.

  • Elastic Agents running on Linux are successfully ingesting data, but the Windows ones are not.

Scenario 2: Following this post: https://discuss.elastic.co/t/possible-bug-with-elastic-agent-ca-certificate-checks/267253, I added the certificate under "ssl.certificate_authorities" in "Fleet Settings".

  • After doing so, I started receiving logs from the Windows endpoints as well, but the ingestion rate for Linux dropped to less than half. The Elastic Agent running on Linux uses the Palo Alto (syslog) integration.

Can someone please help me understand what could be the potential cause of this behavior? Second, I recently rotated the custom cert on all nodes; before the rotation, all Elastic Agents (Windows and Linux) were healthy and sending logs without the certificate being provided under "ssl.certificate_authorities" in Fleet Settings.

The issue has been resolved. It was due to the fact that I enabled 15+ endpoints at once, which spiked the CPU to 100%, leaving no resources to process the high volume of incoming syslog data.

Overall, it seems to be a requirement to add the certificate under "Fleet Settings" in Kibana.
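The trust question behind this thread (does the agent accept the endpoint's certificate after a CA rotation, and what goes into ssl.certificate_authorities?) can be reproduced offline with openssl before touching any agent. The script below is an added example, not code from the thread or from Elastic: it mints an "old" and a "new" CA plus a server certificate signed by each for a hypothetical Fleet Server host, runs the same chain verification the agent performs on connect, and renders the inline-PEM form of the ssl.certificate_authorities setting that the Elasticsearch output accepts. All CA names, the hostname and the working directory are constructed for the demo; nothing is contacted over the network.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the CA-trust
# problem offline. A Fleet-managed agent only accepts the endpoint's
# certificate if the issuing CA is in its trust list
# (ssl.certificate_authorities). After a CA rotation, certificates signed
# by the old CA no longer verify against the new CA, and vice versa.
# All names below are constructed for the demo; nothing is contacted.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Mint a self-signed CA: $1 = output basename, $2 = CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Issue a server certificate signed by a CA:
# $1 = CA basename, $2 = output basename, $3 = server CN.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$3" -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 1 -in "$2.csr" \
    -CA "$1.crt" -CAkey "$1.key" -CAcreateserial -out "$2.crt" >/dev/null 2>&1
}

# Same check the agent performs on connect: does the server certificate
# chain to this CA? Exit status 0 on success, non-zero otherwise.
# $1 = CA file, $2 = server certificate file.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Render the Fleet Settings YAML snippet (inline PEM form) so the CA can be
# pasted into the Elasticsearch output configuration in Kibana.
# $1 = CA file.
fleet_yaml_snippet() {
  printf 'ssl.certificate_authorities:\n  - |\n'
  sed 's/^/    /' "$1"
}

# Simulate the rotation described in the thread: old CA replaced by new CA.
make_ca old-ca "Old Corporate CA"
make_ca new-ca "New Corporate CA"
make_server_cert old-ca fleet-old "fleet-server.example.internal"
make_server_cert new-ca fleet-new "fleet-server.example.internal"

verify_chain old-ca.crt fleet-old.crt && echo "old cert + old CA: OK"
verify_chain new-ca.crt fleet-old.crt || echo "old cert + new CA: FAIL (agent would reject)"
verify_chain new-ca.crt fleet-new.crt && echo "new cert + new CA: OK"
fleet_yaml_snippet new-ca.crt
```

Run it on a workstation with openssl installed; the two FAIL/OK lines show why agents that were healthy before a rotation start rejecting the endpoint afterwards, and the printed YAML is the block to paste under Fleet Settings (or, with the file-path form, `ssl.certificate_authorities: ["/path/to/ca.crt"]`). Note that "Healthy" in Fleet only means the agent reaches Fleet Server; output-side TLS failures and CPU starvation, as in the thread, show up as missing data streams rather than an unhealthy agent.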
