Enroll elastic agent on machine that doesn't directly reach the Elastic Cloud instance

Hi. I have an Elastic Cloud 8.4 instance and I have to install an elastic-agent on a protected machine A that doesn't directly reach the internet but reaches another machine B that does.
So I have something like: A -> B -> Elastic Cloud 8.4

What I have done:

  • Installed and configured logstash on machine B to forward data from port 5044 to Elastic Cloud.
  • Configured that logstash instance as a possible output in Elastic Cloud.
  • Installed an elastic-agent with "Fleet Server" integration on machine B, added its url to the "Fleet server hosts" in Elastic Cloud.
  • Created a fleet policy for machine A and selected logstash as default output.

The problem is that when I try to enroll the agent on machine A, even if I specify machine B url as fleet-server in the command, the agent tries to enroll directly to Elastic Cloud and fails.

Am I missing something? Is there a way to force machine A to pass through machine B for: enrollment, fleet management and data? Perhaps the only way is using a standalone agent.

Hi gab,

I don't think a Logstash output works to forward Agent data through another machine.
You should look at using a proxy server through machine B: Use a proxy server with Elastic Agent and Fleet | Fleet and Elastic Agent Guide [8.6] | Elastic
