Fleet Logstash resets back to default setting

Hello everyone,

When I either try to add a row to Logstash hosts in the grid-logstash or create my own object with it being the default for agent integrations and agent monitoring, after about 5 minutes it resets to the default setting of the grid-logstash.

For perspective, I am deploying my Elastic Agent on the outside of my firewall and the only problem coming up is that grid-logstash doesn't have my external firewall IP. When I do make either one of those changes highlighted above, it works till it resets back to default.

How can I get the fleet setting to not reset back to the defaults for grid-logstash?

I am using Security Onion 2.4.9 and Elastic Agent version 8.10.4.

Hello and welcome,

It is not clear what your issue is; can you provide more context on what you are changing and what is reverting back? What is the grid-logstash that you are referencing?

Is this in Fleet UI? Please share some screenshots.


Here is a screenshot of where I am trying to change the outputs setting.
Yes, it is in the Fleet UI. I am trying to add my firewall's external IP to the grid-logstash or use the ext_int I created. When I do add my external IP or make the ext_int default, the Elastic Agent will work, but after about 5 minutes the outputs will default to the settings you see in the screenshot and the Elastic Agent no longer connects back for Logstash.

Do you have a paid license?

What is the output configured in your Fleet Policy? Is it already configured for an Elasticsearch output?

Can you get logs from the agent showing that the output was reverted? Never saw anything like this.

No, I am not using a paid license.
The output configured in the Fleet Policy for endpoints_inital is set to grid-logstash.
The logs show a connection being made to my external firewall IP (which is what I want), but when it reverts it is trying to connect to my internal Security Onion IP, which fails to connect.

This may be the issue: the Fleet Server can only output to Elasticsearch; it is not possible for it to communicate with Logstash or Kafka.

Also, with the basic license you cannot have different outputs per policy; the exception is the Fleet policy.

You need to configure your Fleet policy to output to Elasticsearch, and then you can set the default output to be Logstash, but all your other policies will use this output.