End point security fails for Elastic Agent with error "Missed two check-ins"

When I install elastic-agent and fleet-server against a successfully running https/SSL Elasticsearch and Kibana, the output indicates a successful start and enrolment, but a few minutes later the elastic-agent status indicates a failure. Any idea what the errors below mean?

root@efire:~# /usr/bin/elastic-agent status
Status: FAILED
Message: (no message)
Applications:

  • metricbeat (HEALTHY)
    Running
  • fleet-server (CONFIGURING)
    Re-configuring
  • filebeat_monitoring (HEALTHY)
    Running
  • metricbeat_monitoring (HEALTHY)
    Running
  • endpoint-security (FAILED)
    Missed two check-ins
  • filebeat (HEALTHY)
    Running
root@efire:~#
tail -f /opt/Elastic/Endpoint/state/log/endpoint-000000.log

{"@timestamp":"2022-02-17T02:41:31.408567293Z","agent":{"id":"00000000-0000-0000-0000-000000000000","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"notice","origin":{"file":{"line":93,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:93 *No valid comms client available*","process":{"pid":15158,"thread":{"id":15165}}}
sudo ./elastic-agent install --url=https://efire.consulting.com:8220   --fleet-server-es=https://fire.consulting.com:9200   --fleet-server-service-token=<removed>    --fleet-server-policy=2016d7cc-135e-5583-9758-3ba01f5a06e5   --certificate-authorities=/etc/elasticagent/ca.crt   --fleet-server-es-ca=/etc/elasticagent/efire.crt   --fleet-server-cert=/etc/elasticagent/fleet-server/fleet-server.crt   --fleet-server-cert-key=/etc/elasticagent/fleet-server/fleet-server.key
Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
2022-02-16T18:36:06.025Z	INFO	cmd/enroll_cmd.go:743	Waiting for Elastic Agent to start Fleet Server
2022-02-16T18:36:12.038Z	INFO	cmd/enroll_cmd.go:757	Fleet Server - Running on policy with Fleet Server integration: 2016d7cc-135e-5583-9758-3ba01f5a06e5; missing config fleet.agent.id (expected during bootstrap process)
2022-02-16T18:36:12.788Z	INFO	cmd/enroll_cmd.go:454	Starting enrollment to URL: https://efire.consulting.com:8220/
2022-02-16T18:36:13.701Z	INFO	cmd/enroll_cmd.go:254	Successfully triggered restart on running Elastic Agent.
Successfully enrolled the Elastic Agent.
Elastic Agent has been successfully installed.

It's hard to say what's happening; we need more information. If you are comfortable, please PM the entire log file:

/opt/Elastic/Endpoint/state/log/endpoint-000000.log

EDIT: I can provide an upload link

I see this interface isn't allowing me to upload a *.log file or *.zip. Do you know the reason? I can't even paste more than 35000 characters here, apparently.

Ok, I will DM an upload link.

We looked through the Elastic Endpoint logs, and these appear to be the relevant bits:

"AgentConnectionInfo.cpp:128 Validated agent (5366) is root/admin"
"AgentConnectionInfo.cpp:136 Established stage 1 connection to agent"
"AgentComms.cpp:1001 Connecting to Agent."
... snip ...
"AgentComms.cpp:1025 Unable to make GRPC connection in deadline(60s). Fetching connection info again"

It seems Elastic Endpoint was able to make a bootstrap connection to Elastic Agent but was not able to make a gRPC connection. The bootstrap connection uses the IP 127.0.0.1, but the gRPC connection uses localhost. Please confirm whether or not localhost exists in /etc/hosts.

Thanks a lot, Nick. Adding an entry for localhost in /etc/hosts makes endpoint security work like a charm.

u@efire:~# /usr/bin/elastic-agent status
Status: HEALTHY
Message: (no message)
Applications:
  * endpoint-security      (HEALTHY)
                           Protecting with policy {xxxxxxxxxxxxxx}
  * filebeat               (HEALTHY)
                           Running
  * fleet-server           (CONFIGURING)
                           Re-configuring
  * filebeat_monitoring    (HEALTHY)
                           Running
  * metricbeat_monitoring  (HEALTHY)
                           Running
  * metricbeat             (HEALTHY)
                           Running
u@efire:~# 

PS: Would it help to add this fundamental but obvious configuration option to the documentation? I will be happy to volunteer for documenting it.
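
Added example (not from the thread and not Elastic's own tooling): a shell check for the condition diagnosed above, namely whether a hosts-format file maps `localhost` to a loopback address. The function names and the `HOSTS_FILE` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that "localhost" has a loopback entry in a hosts file.
# HOSTS_FILE and all function names are assumptions made for this example.

# Print every address the hosts-format file maps to the given name
# (as canonical name or alias), ignoring comments and blank lines.
hosts_addrs_for() {
    name=$1; file=$2
    awk -v want="$name" '
        { sub(/#.*/, "") }              # strip full-line and trailing comments
        NF < 2 { next }                 # blank or address-only lines
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(want)) { print $1; break } }
    ' "$file"
}

# Return 0 if the address is loopback (127.0.0.0/8 or ::1).
is_loopback() {
    case $1 in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the file: prints "ok", "missing" or "non-loopback".
check_localhost() {
    file=${1:-/etc/hosts}
    addrs=$(hosts_addrs_for localhost "$file")
    [ -n "$addrs" ] || { echo missing; return 1; }
    for a in $addrs; do
        is_loopback "$a" || { echo non-loopback; return 2; }
    done
    echo ok
}

# Report on the live file (override with HOSTS_FILE=/path/to/file).
echo "localhost in ${HOSTS_FILE:-/etc/hosts}: $(check_localhost "${HOSTS_FILE:-/etc/hosts}")"
```

A result of `missing` corresponds to the state in this thread, where the endpoint's gRPC connection to `localhost` timed out until the entry was added.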
