Fleet agent

Hello,

I have a question about the fleet agent once it is deployed to a device.

I have a self-signed cert, so I use this command to enroll:

.\elastic-agent.exe install --url=https://192.168.131.155:8220 --enrollment-token=sometoken --certificate-authorities=C:\Windows\B7\es1-cert.crt

The client shows in the Kibana Fleet section. I added two more modules other than the default System: Endpoint Security and Windows.

I keep getting logs from Endpoint Security, but the others are few and far between or just stop working.

The install folder, which on Windows is in this location for me, still contains the old Beats YML config files. I tried changing them because they only contain the defaults.

C:\Program Files\Elastic\Agent\data\elastic-agent-93708b\install

Why doesn't the agent enrollment configure these accordingly?

If I have to edit these manually, I might as well just use the individual Beats and maintain the upgrades myself.

Hope I don't sound ungrateful, I'm just trying to understand the process.

I'm happy to report that I was able to upgrade from 7.16.3 to 7.17.0 using Fleet. That was quite nice, but it also means that all of the YML changes for metricbeat and filebeat have been overwritten.

When I run these on the client device, filebeat and metricbeat are always configuring:

C:\Program Files\Elastic\Agent>elastic-agent.exe status
Status: HEALTHY
Message: (no message)
Applications:
  * endpoint-security      (HEALTHY)
                           Protecting with policy {0c6fda2b-2e06-4760-93d7-ab2073a7abec}
  * filebeat               (CONFIGURING)
                           Updating configuration
  * metricbeat             (CONFIGURING)
                           Updating configuration
  * filebeat_monitoring    (CONFIGURING)
                           Updating configuration
  * metricbeat_monitoring  (CONFIGURING)
                           Updating configuration

C:\Program Files\Elastic\Agent>elastic-agent.exe diagnostics
elastic-agent  version: 7.17.0
               build_commit: 93708bd74e909e57ed5d9bea3cf2065f4cc43af3  build_time: 2022-01-28 12:03:20 +0000 UTC  snapshot_build: false
Applications:
  *  name: filebeat_monitoring    route_key: default
     process: filebeat            id: f708bffd-01a3-48b0-a165-e707b33b540c          ephemeral_id: 60da11b6-fc2f-4249-88bc-ef31bf1d9419  elastic_license: true
     version: 7.17.0              commit: 93708bd74e909e57ed5d9bea3cf2065f4cc43af3  build_time: 2022-01-28 09:53:29 +0000 UTC           binary_arch: amd64
     hostname: TEST-DEVICE           username: NT AUTHORITY\SYSTEM                     user_id: S-1-5-18                                   user_gid: S-1-5-18
  *  name: metricbeat_monitoring  route_key: default
     process: metricbeat          id: ec96fe87-fa28-4381-80c8-6f6aa40cf270          ephemeral_id: af4924c1-fb02-430a-b8b0-51c35f3a76b1  elastic_license: true
     version: 7.17.0              commit: 93708bd74e909e57ed5d9bea3cf2065f4cc43af3  build_time: 2022-01-28 10:05:39 +0000 UTC           binary_arch: amd64
     hostname: TEST-DEVICE           username: NT AUTHORITY\SYSTEM                     user_id: S-1-5-18                                   user_gid: S-1-5-18
  *  name: endpoint-security      route_key: default
     error: Get "http://npipe/": open \\.\pipe\default-endpoint-security: The system cannot find the file specified.
  *  name: filebeat       route_key: default
     process: filebeat    id: f708bffd-01a3-48b0-a165-e707b33b540c          ephemeral_id: 60da11b6-fc2f-4249-88bc-ef31bf1d9419  elastic_license: true
     version: 7.17.0      commit: 93708bd74e909e57ed5d9bea3cf2065f4cc43af3  build_time: 2022-01-28 09:53:29 +0000 UTC           binary_arch: amd64
     hostname: TEST-DEVICE   username: NT AUTHORITY\SYSTEM                     user_id: S-1-5-18                                   user_gid: S-1-5-18
  *  name: metricbeat     route_key: default
     process: metricbeat  id: ec96fe87-fa28-4381-80c8-6f6aa40cf270          ephemeral_id: af4924c1-fb02-430a-b8b0-51c35f3a76b1  elastic_license: true
     version: 7.17.0      commit: 93708bd74e909e57ed5d9bea3cf2065f4cc43af3  build_time: 2022-01-28 10:05:39 +0000 UTC           binary_arch: amd64
     hostname: TEST-DEVICE   username: NT AUTHORITY\SYSTEM                     user_id: S-1-5-18                                   user_gid: S-1-5-18

Note: Keystore wasn't working in 7.16.3, so I had to use a plain password. Maybe this will be supported in the agent in future versions.

Thanks for all your wonderful work

Is it possible this agent is not successfully enrolled in Fleet? It should show as Healthy in the Fleet app in Kibana. You can also test that it's getting the policy updates by running elastic-agent inspect. It should match what you see in the Fleet app in Kibana.

Elastic Agent doesn't support keystores yet, but this is under consideration: Beats and Elastic Agent capabilities | Fleet and Elastic Agent Guide [8.0] | Elastic

Thanks for your reply!

It's showing healthy, but only Endpoint Security is showing in Kibana.

So what I have to do is manually set the filebeat and metricbeat yml Elasticsearch outputs with the correct username, password, ssl.certificate.authorities and https protocol.

Is this the correct procedure?

Is there a way to set this in fleet settings somewhere?

elastic-agent inspect shows a fair bit of output:

outputs:
  default:
    api_key: HIDDEN
    hosts:
    - https://192.168.131.155:9200
    ssl:
      certificate_authorities:
      - '-----BEGIN CERTIFICATE----- HIDDEN -----END CERTIFICATE-----'
    type: elasticsearch
revision: 15

shameless bump in an effort to get some help :smiley:

Once again, no data is coming in with the install command in the first post.

No error in the elastic-agent log:

{"log.level":"info","@timestamp":"2022-02-21T10:31:35.602Z","log.origin":{"file.name":"application/application.go","file.line":67},"message":"Detecting execution mode","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:35.607Z","log.origin":{"file.name":"application/application.go","file.line":92},"message":"Agent is managed by Fleet","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:35.607Z","log.origin":{"file.name":"capabilities/capabilities.go","file.line":59},"message":"capabilities file not found in C:\\Program Files\\Elastic\\Agent\\capabilities.yml","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:36.127Z","log.logger":"composable.providers.docker","log.origin":{"file.name":"docker/docker.go","file.line":43},"message":"Docker provider skipped, unable to connect: protocol not available","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:36.128Z","log.origin":{"file.name":"store/state_store.go","file.line":327},"message":"restoring current policy from disk","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:36.146Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":48},"message":"New State ID is POMOGgT4","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:36.146Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":49},"message":"Converging state requires execution of 3 step(s)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:36.240Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:36.434Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-02-21T21:31:36+11:00 - message: Application: filebeat--8.0.0[ef4b9b6e-338a-4b66-bc37-3e65de3f2e09]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:36.557Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:36.648Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-02-21T21:31:36+11:00 - message: Application: metricbeat--8.0.0[ef4b9b6e-338a-4b66-bc37-3e65de3f2e09]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:36.832Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:36.884Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-02-21T21:31:36+11:00 - message: Application: filebeat--8.0.0--36643631373035623733363936343635[ef4b9b6e-338a-4b66-bc37-3e65de3f2e09]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.030Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.091Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-02-21T21:31:37+11:00 - message: Application: metricbeat--8.0.0--36643631373035623733363936343635[ef4b9b6e-338a-4b66-bc37-3e65de3f2e09]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.161Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":66},"message":"Updating internal state","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.170Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":48},"message":"New State ID is v5d2i4_I","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.170Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":49},"message":"Converging state requires execution of 3 step(s)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.285Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.285Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for filebeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.397Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.397Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for metricbeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.464Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":62},"message":"Starting stats endpoint","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.465Z","log.origin":{"file.name":"application/managed_mode.go","file.line":290},"message":"Agent is starting","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.465Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":64},"message":"Metrics endpoint listening on: \\\\.\\pipe\\elastic-agent (configured: npipe:///elastic-agent)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.504Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.504Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for filebeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.614Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.614Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for metricbeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:37.615Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":66},"message":"Updating internal state","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:40.694Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-02-21T21:31:40+11:00 - message: Application: filebeat--8.0.0[ef4b9b6e-338a-4b66-bc37-3e65de3f2e09]: State changed to CONFIG: Updating configuration - type: 'STATE' - sub_type: 'CONFIG'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:41.172Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-02-21T21:31:41+11:00 - message: Application: filebeat--8.0.0--36643631373035623733363936343635[ef4b9b6e-338a-4b66-bc37-3e65de3f2e09]: State changed to CONFIG: Updating configuration - type: 'STATE' - sub_type: 'CONFIG'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:49.757Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-02-21T21:31:49+11:00 - message: Application: metricbeat--8.0.0[ef4b9b6e-338a-4b66-bc37-3e65de3f2e09]: State changed to CONFIG: Updating configuration - type: 'STATE' - sub_type: 'CONFIG'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T10:31:50.492Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-02-21T21:31:50+11:00 - message: Application: metricbeat--8.0.0--36643631373035623733363936343635[ef4b9b6e-338a-4b66-bc37-3e65de3f2e09]: State changed to CONFIG: Updating configuration - type: 'STATE' - sub_type: 'CONFIG'","ecs.version":"1.6.0"}

Filebeat log is trying to connect to localhost for some reason; this is what doesn't make sense:

{"log.level":"info","@timestamp":"2022-02-21T21:31:36.577+1100","log.origin":{"file.name":"instance/beat.go","file.line":687},"message":"Beat ID: ee66d72a-f97e-4d6d-a0ef-dca8eae6934d","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:36.578+1100","log.origin":{"file.name":"instance/beat.go","file.line":704},"message":"Set gc percentage to: 100","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-02-21T21:31:39.614+1100","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":80},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.624+1100","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":62},"message":"Starting stats endpoint","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.624+1100","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":64},"message":"Metrics endpoint listening on: \\\\.\\pipe\\default-filebeat (configured: npipe:///default-filebeat)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.624+1100","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1050},"message":"Beat info","service.name":"filebeat","system_info":{"beat":{"path":{"config":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-2ab3a7\\install\\filebeat-8.0.0-windows-x86_64","data":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-2ab3a7\\run\\default\\filebeat--8.0.0","home":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-2ab3a7\\install\\filebeat-8.0.0-windows-x86_64","logs":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-2ab3a7\\install\\filebeat-8.0.0-windows-x86_64\\logs"},"type":"filebeat","uuid":"ee66d72a-f97e-4d6d-a0ef-dca8eae6934d"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.624+1100","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1059},"message":"Build info","service.name":"filebeat","system_info":{"build":{"commit":"2ab3a7334016f570e0bfc7e9a577a35a22e02df5","libbeat":"8.0.0","time":"2022-02-03T18:02:06.000Z","version":"8.0.0"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.624+1100","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1062},"message":"Go runtime info","service.name":"filebeat","system_info":{"go":{"os":"windows","arch":"amd64","max_procs":8,"version":"go1.17.6"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.637+1100","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1066},"message":"Host info","service.name":"filebeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2022-02-21T15:19:57.68+11:00","name":"WINDOWS-TEST","ip":["169.254.102.173/16","169.254.64.232/16","192.168.188.188/21","::1/128","127.0.0.1/8"],"kernel_version":"10.0.19041.1466 (WinBuild.160101.0800)","mac":["40:74:e0:bb:bb:5c","42:74:e0:bb:bb:5b","40:74:e0:bb:bb:5b"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows 10 Education","version":"10.0","major":10,"minor":0,"patch":0,"build":"19043.1466"},"timezone":"AEDT","timezone_offset_sec":39600,"id":"8db032de-20c7-4a67-9f10-1af72289d26c"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.637+1100","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1095},"message":"Process info","service.name":"filebeat","system_info":{"process":{"cwd":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-2ab3a7\\install\\filebeat-8.0.0-windows-x86_64","exe":"C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-2ab3a7\\install\\filebeat-8.0.0-windows-x86_64\\filebeat.exe","name":"filebeat.exe","pid":5652,"ppid":11868,"start_time":"2022-02-21T21:31:36.438+1100"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.637+1100","log.origin":{"file.name":"instance/beat.go","file.line":332},"message":"Setup Beat: filebeat; Version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.649+1100","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":105},"message":"elasticsearch url: http://localhost:9200","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.649+1100","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: WINDOWS-TEST","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.653+1100","log.origin":{"file.name":"fileset/modules.go","file.line":103},"message":"Enabled modules/filesets:  ()","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.653+1100","log.origin":{"file.name":"instance/beat.go","file.line":498},"message":"filebeat start running.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.653+1100","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":142},"message":"Starting metrics logging every 30s","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-02-21T21:31:39.653+1100","log.logger":"cfgwarn","log.origin":{"file.name":"management/manager.go","file.line":108},"message":"BETA: Fleet management is enabled","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.653+1100","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":109},"message":"Starting fleet management service","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.654+1100","log.origin":{"file.name":"service/service_windows.go","file.line":126},"message":"Attempted to register Windows service handlers, but this is not a service. No action necessary","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.657+1100","log.origin":{"file.name":"memlog/store.go","file.line":119},"message":"Loading data file of 'C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-2ab3a7\\run\\default\\filebeat--8.0.0\\registry\\filebeat' succeeded. Active transaction id=0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.657+1100","log.origin":{"file.name":"memlog/store.go","file.line":124},"message":"Finished loading transaction log file for 'C:\\Program Files\\Elastic\\Agent\\data\\elastic-agent-2ab3a7\\run\\default\\filebeat--8.0.0\\registry\\filebeat'. Active transaction id=3","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.660+1100","log.logger":"registrar","log.origin":{"file.name":"registrar/registrar.go","file.line":109},"message":"States Loaded from registrar: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.660+1100","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":71},"message":"Loading Inputs: 1","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.661+1100","log.logger":"crawler","log.origin":{"file.name":"beater/crawler.go","file.line":108},"message":"Loading and starting Inputs completed. Enabled inputs: 0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.661+1100","log.origin":{"file.name":"cfgfile/reload.go","file.line":164},"message":"Config reloader started","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.661+1100","log.origin":{"file.name":"cfgfile/reload.go","file.line":224},"message":"Loading of config files completed.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:40.185+1100","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":150},"message":"Status change to Configuring: Updating configuration","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:40.187+1100","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":271},"message":"Applying settings for filebeat.inputs","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-02-21T21:31:40.187+1100","log.logger":"input","log.origin":{"file.name":"v2/loader.go","file.line":104},"message":"BETA: The winlog input is beta","service.name":"filebeat","input":"winlog","stability":"Beta","deprecated":false,"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:40.187+1100","log.logger":"input.winlog","log.origin":{"file.name":"compat/compat.go","file.line":111},"message":"Input winlog starting","service.name":"filebeat","id":"winlog-system.system-df18ebb1-bac0-4222-b74d-df5f11d5300c","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-02-21T21:31:40.187+1100","log.logger":"input","log.origin":{"file.name":"v2/loader.go","file.line":104},"message":"BETA: The winlog input is beta","service.name":"filebeat","input":"winlog","stability":"Beta","deprecated":false,"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:40.193+1100","log.logger":"input.winlog","log.origin":{"file.name":"compat/compat.go","file.line":111},"message":"Input winlog starting","service.name":"filebeat","id":"winlog-system.application-df18ebb1-bac0-4222-b74d-df5f11d5300c","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-02-21T21:31:40.193+1100","log.logger":"cfgwarn","log.origin":{"file.name":"log/input.go","file.line":89},"message":"DEPRECATED: Log input. Use Filestream input instead.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:40.193+1100","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":171},"message":"Configured paths: [C:\\var\\log\\auth.log* C:\\var\\log\\secure*]","service.name":"filebeat","input_id":"80c35de0-d4d5-44a9-a47e-79467d719806","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:40.195+1100","log.logger":"input","log.origin":{"file.name":"log/input.go","file.line":171},"message":"Configured paths: [C:\\var\\log\\messages* C:\\var\\log\\syslog*]","service.name":"filebeat","input_id":"2e5c94e8-bfbe-4846-af73-8b31eca71645","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-02-21T21:31:40.195+1100","log.logger":"input","log.origin":{"file.name":"v2/loader.go","file.line":104},"message":"BETA: The winlog input is beta","service.name":"filebeat","input":"winlog","stability":"Beta","deprecated":false,"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:40.195+1100","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":271},"message":"Applying settings for output","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:40.195+1100","log.logger":"input.winlog","log.origin":{"file.name":"compat/compat.go","file.line":111},"message":"Input winlog starting","service.name":"filebeat","id":"winlog-system.security-df18ebb1-bac0-4222-b74d-df5f11d5300c","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-02-21T21:31:40.195+1100","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-02-21T21:31:40.195+1100","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls.go","file.line":168},"message":"Failed to add CA to the cert pool, CA is not a valid PEM document","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-02-21T21:31:40.195+1100","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":291},"message":"1 error: file is not a certificate adding inline to the list of known CAs accessing 'elasticsearch'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:40.195+1100","log.logger":"centralmgmt.fleet","log.origin":{"file.name":"management/manager.go","file.line":271},"message":"Applying settings for filebeat.modules","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:42.628+1100","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":101},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:43.128+1100","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":139},"message":"Connecting to backoff(elasticsearch(http://localhost:9200))","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-02-21T21:31:47.183+1100","log.logger":"esclientleg","log.origin":{"file.name":"transport/logging.go","file.line":37},"message":"Error dialing dial tcp 127.0.0.1:9200: connectex: No connection could be made because the target machine actively refused it.","service.name":"filebeat","network":"tcp","address":"localhost:9200","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-02-21T21:31:48.614+1100","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to backoff(elasticsearch(http://localhost:9200)): Get \"http://localhost:9200\": dial tcp 127.0.0.1:9200: connectex: No connection could be made because the target machine actively refused it.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:48.614+1100","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":141},"message":"Attempting to reconnect to backoff(elasticsearch(http://localhost:9200)) with 1 reconnect attempt(s)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-02-21T21:31:52.726+1100","log.logger":"esclientleg","log.origin":{"file.name":"transport/logging.go","file.line":37},"message":"Error dialing dial tcp 127.0.0.1:9200: connectex: No connection could be made because the target machine actively refused it.","service.name":"filebeat","network":"tcp","address":"localhost:9200","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-02-21T21:31:55.550+1100","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to backoff(elasticsearch(http://localhost:9200)): Get \"http://localhost:9200\": dial tcp 127.0.0.1:9200: connectex: No connection could be made because the target machine actively refused it.","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:55.550+1100","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":141},"message":"Attempting to reconnect to backoff(elasticsearch(http://localhost:9200)) with 2 reconnect attempt(s)","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2022-02-21T21:31:59.663+1100","log.logger":"esclientleg","log.origin":{"file.name":"transport/logging.go","file.line":37},"message":"Error dialing dial tcp [::1]:9200: connectex: No connection could be made because 
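
A triage script for the pattern visible in the Filebeat log above, added here as an example and not part of the original post or of Elastic's tooling: it reads the JSON log lines, reports which "Applying settings for ..." block raised an error, and lists the output URLs the Beat actually dials so they can be compared with the host shown by elastic-agent inspect. The sample lines are trimmed copies of lines from the post, and the function name `triage` and its result keys are assumptions of this example.

```python
import json
import re

# Constructed sample: lines trimmed from the Filebeat log quoted in the thread
# (log.origin and ecs.version dropped). The last line is cut off on purpose,
# as it is in the post.
SAMPLE_LOG = r'''
{"log.level":"info","@timestamp":"2022-02-21T21:31:39.649+1100","log.logger":"esclientleg","message":"elasticsearch url: http://localhost:9200","service.name":"filebeat"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:40.187+1100","log.logger":"centralmgmt.fleet","message":"Applying settings for filebeat.inputs","service.name":"filebeat"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:40.195+1100","log.logger":"centralmgmt.fleet","message":"Applying settings for output","service.name":"filebeat"}
{"log.level":"error","@timestamp":"2022-02-21T21:31:40.195+1100","log.logger":"tls","message":"Failed to add CA to the cert pool, CA is not a valid PEM document","service.name":"filebeat"}
{"log.level":"error","@timestamp":"2022-02-21T21:31:40.195+1100","log.logger":"centralmgmt.fleet","message":"1 error: file is not a certificate adding inline to the list of known CAs accessing 'elasticsearch'","service.name":"filebeat"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:40.195+1100","log.logger":"centralmgmt.fleet","message":"Applying settings for filebeat.modules","service.name":"filebeat"}
{"log.level":"info","@timestamp":"2022-02-21T21:31:43.128+1100","log.logger":"publisher_pipeline_output","message":"Connecting to backoff(elasticsearch(http://localhost:9200))","service.name":"filebeat"}
{"log.level":"error","@timestamp":"2022-02-21T21:31:59.663+1100","log.logger":"esclientleg","message":"Error dialing dial tcp [::1]:9200: connectex: No connection could be made because 
'''

SECTION_PREFIX = "Applying settings for "
# Matches the URL inside "backoff(elasticsearch(<url>))" connection messages.
TARGET_RE = re.compile(r"elasticsearch\((https?://[^)\s]+)\)")


def triage(lines, expected_output):
    """Summarise whether a Beat applied the output that Fleet delivered.

    expected_output is the host listed under outputs.default.hosts in the
    `elastic-agent inspect` output; the caller supplies it.
    """
    section = None          # settings block currently being applied
    failed_sections = []    # (section, error message) pairs
    ca_errors = []          # error messages from the "tls" logger
    targets = []            # output URLs the Beat dials, in first-seen order
    unparsed = 0            # truncated or non-JSON lines

    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1   # count it and keep going rather than abort
            continue

        msg = rec.get("message", "")
        logger = rec.get("log.logger", "")
        level = rec.get("log.level", "")

        if logger == "centralmgmt.fleet" and msg.startswith(SECTION_PREFIX):
            section = msg[len(SECTION_PREFIX):]
        elif logger == "centralmgmt.fleet" and level == "error":
            # Attribute the error to the block that was being applied.
            failed_sections.append((section, msg))
        elif logger == "tls" and level == "error":
            ca_errors.append(msg)

        match = TARGET_RE.search(msg)
        if match and match.group(1) not in targets:
            targets.append(match.group(1))

    unexpected = [t for t in targets if t != expected_output]
    output_failed = any(name == "output" for name, _ in failed_sections)
    return {
        "failed_sections": failed_sections,
        "ca_errors": ca_errors,
        "targets": targets,
        "unexpected_targets": unexpected,
        "unparsed": unparsed,
        # True when the output block errored and the policy host is never dialled.
        "output_not_applied": output_failed and expected_output not in targets,
    }


if __name__ == "__main__":
    # Host taken from the `elastic-agent inspect` output quoted in the thread.
    report = triage(SAMPLE_LOG.splitlines(), "https://192.168.131.155:9200")
    print(json.dumps(report, indent=2))
```

Run it against the full Filebeat log file by passing `open(path, encoding="utf-8")` as `lines`; a non-empty `unexpected_targets` together with `output_not_applied` means events are not reaching the cluster named in the policy.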

One more bump

This is what the fleet.yml looks like:

agent:
  id: 20966bc4-cd82-43b0-babc-317b853d7d4d
  logging.level: info
  monitoring.http:
    enabled: false
    host: ""
    port: 6791
  monitoring.pprof: null
fleet:
  enabled: true
  access_api_key: SOME_KEY
  protocol: http
  host: 192.168.131.155:8220
  hosts:
  - https://192.168.131.155:8220
  ssl:
    verification_mode: full
    certificate_authorities:
    - C:\Windows\B7\es1-cert.crt
    renegotiation: never
  timeout: 10m0s
  reporting:
    threshold: 10000
    check_frequency_sec: 30
  agent:
    id: ""

I'm having similar problems with RHEL 8 hosts. Posted here:

@mostlyjason
I was encountering similar problems on my RHEL8 hosts. I found a way to get the filebeat and metricbeat data to come through, and documented that in my post here:

I plan to open a support ticket with Elastic to try to get an explanation for why this would be necessary.
