Elastic Agent service stops after launching but doesn't throw any error in command line

Hi,

I set up a Fleet environment and tested multiple integrations of Elastic Agent on Linux and Windows machines without any problem, but there is a specific Windows machine where it does not work, and I couldn't find the reason.

I downloaded and extracted Elastic Agent 7.10.1 zip for Windows and executed this Fleet enrollment command from PowerShell, finishing without errors, and the host appears as enrolling in Kibana.
.\elastic-agent.exe install -f --kibana-url=XXX --enrollment-token=XXX --insecure

So far, so good. But when I go to services.msc, Elastic Agent service appears stopped, and forcing start results in "Error 1067: The process terminated unexpectedly.". In Kibana, this particular host shows as enrolling forever.

There are no logs in Elastic Agent's install folder, so I can't find what is causing this error. Starting service from PowerShell doesn't throw any error either, but the 'Get-Service' command shows it as stopped.

If I run Elastic Agent with .\elastic-agent.exe run, it works perfectly fine, but not as a service, so I have to manually launch it every time.

Why could this be happening?
Thank you in advance.

You mentioned you don't have any logs. So there is nothing in data/elastic-agent-*/logs/*?

Can you think of anything special with this Windows machine? Different OS? Different security software installed?

Hi! Same problem here.

OS

  • Windows Server 2019 - 1803 (17763.1637)
  • License: Standard
  • Logging in with administrator domain account.

Installation

(Powershell)

.\elastic-agent.exe install -f --kibana-url=https://XXX:5601 --enrollment-token=XXX --certificate-authorities="XXX-allca.cert.pem"

Output

The Elastic Agent is currently in BETA and should not be used in production

2021-01-12T10:00:18.975+0100 DEBUG [tls] tlscommon/tls.go:172 Successfully loaded CA certificate: XXX-allca.cert.pem
2021-01-12T10:00:18.986+0100 DEBUG kibana/client.go:170 Request method: POST, path: /api/fleet/agents/enroll
Successfully enrolled the Elastic Agent.
Installation was successful and Elastic Agent is running.

Logs after installation

C:\Program Files\Elastic\Agent\data\elastic-agent-1da173\logs\elastic-agent-json.log

{"log.level":"debug","@timestamp":"2021-01-12T10:00:18.975+0100","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls.go","file.line":172},"message":"Successfully loaded CA certificate: XXX-allca.cert.pem","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2021-01-12T10:00:18.986+0100","log.origin":{"file.name":"kibana/client.go","file.line":170},"message":"Request method: POST, path: /api/fleet/agents/enroll","ecs.version":"1.6.0"}

Service Status

(PowerShell)

get-service elastic*

Status   Name               DisplayName
------   ----               -----------
Stopped  Elastic Agent      Elastic Agent

Try to start service from command line

start-service "Elastic Agent"

C:\Program Files\Elastic\Agent\data\elastic-agent-1da173\logs\elastic-agent-json.log - No new logs

Try to start service from UI


Conclusions

The service doesn't work properly. I tried to change the 'path' of the service, but this doesn't seem to be the problem. If I start it manually from a terminal, it works fine. Is there a workaround?

Thank you.

Hi,

In data/elastic-agent-*/logs/ folder there's only a log file with 2 entries, resulting from running install command. There is no default folder for filebeat and metricbeat logs either.

This is the content of elastic-agent-json.log

{"log.level":"debug","@timestamp":"2021-01-12T14:43:26.050+0100","log.origin":{"file.name":"kibana/client.go","file.line":170},"message":"Request method: POST, path: /api/fleet/agents/enroll","ecs.version":"1.6.0"}

{"log.level":"warn","@timestamp":"2021-01-12T14:43:26.051+0100","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":93},"message":"SSL/TLS verifications disabled.","ecs.version":"1.6.0"}

As @dgcapel said, this file does not change at all after restarting the service, nor are new log files created.

I noticed in other hosts a log file is created in C:\Program Files\Elastic\Agent\elastic-agent.log but no matter what it is not created in this host. It only shows up when running Elastic Agent from terminal (with run option).

For additional information I'm running Windows 10 Enterprise N, but this hasn't been an issue in other hosts.

Thank you.

Something is off here but not sure what yet. Any chance one of you could file an issue in https://github.com/elastic/beats for this issue so we can track this?

Can you check C:/Program Files/Elastic/Agent/elastic-agent.exe? This should be a symlink/shortcut. Does the path it points to seem correct?

Will try to file this issue later

Yes, C:/Program Files/Elastic/Agent/elastic-agent.exe exists, and it's a symlink to C:/Program Files/Elastic/Agent/data/elastic-agent-1da173/elastic-agent.exe.
Executing Elastic Agent from command line / PowerShell works fine; it seems to be an issue with the Windows service.

If you could include logs in an issue, even from the event log if that is possible, this would be extremely helpful.

Hi,

@Michal_Pristas, there is nothing in Windows event log related to Elastic Agent process, only reporting it failed but no more information provided.

I forgot to file the issue, but I found a little bit more about this problem.

Looks like the issue is related to the service permissions, since I was able to start it by setting Elastic Agent service's login option to the administrator user I registered it with. If this option is set to local system, it won't start. This only happens on my local machine; some View clients are working fine with the local system account.

Do you know any Windows domain account option that could be producing this behaviour?

Thank you
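
A read-only PowerShell check that collects the items this thread keeps coming back to: the service logon account, the symlink target, what LocalSystem is allowed to do on the install folder, and the Service Control Manager events. It is an added example, not posted by any participant and not Elastic's own tooling; the service name and install path are the ones quoted in the posts above, and the choice of event IDs is an assumption about which SCM events matter here.

```powershell
# Added example. Service name and install path are the ones quoted in the thread.
$svcName = 'Elastic Agent'
$root    = 'C:\Program Files\Elastic\Agent'

# 1. Logon account, registered binary path and last exit code of the service.
Get-CimInstance Win32_Service -Filter "Name='$svcName'" |
    Format-List Name, State, StartName, PathName, ExitCode, ServiceSpecificExitCode

# 2. Resolve the top-level elastic-agent.exe symlink to the versioned binary.
#    .Target is a list in Windows PowerShell 5.1 and a string in PowerShell 7.
$link   = Get-Item -LiteralPath (Join-Path $root 'elastic-agent.exe')
$target = if ($link.LinkType) { @($link.Target)[0] } else { $link.FullName }
"LinkType: $($link.LinkType)  Target: $target  Exists: $(Test-Path -LiteralPath $target)"

# 3. Access rules for LocalSystem (S-1-5-18) and Administrators (S-1-5-32-544).
#    Matching on SIDs avoids localized account names. A missing Allow rule or
#    an explicit Deny for S-1-5-18 would explain "runs as admin, not as SYSTEM".
$sids = 'S-1-5-18', 'S-1-5-32-544'
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($path in $root, (Join-Path $root 'data'), $target) {
    (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $sids -contains $_.IdentityReference.Value } |
        Select-Object @{ n = 'Path'; e = { $path } }, IdentityReference,
                      AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}

# 4. Service Control Manager events that mention the service in the last day:
#    failed to start, start timeout, terminated with error, terminated unexpectedly.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7009, 7023, 7024, 7031, 7034
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$svcName*" } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Comparing this output between the failing host and one where the service starts under the local system account shows whether the difference is in the ACLs, the symlink, or the account itself, and gives concrete data to attach to an issue.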