Fleet managed Elastic Agent - Wrong ES output configuration for Filebeat/Metricbeat

Hi!

I successfully set up a fleet server and 2 more elastic agents on different hosts.
They all show up as "healthy" and seem fine in Kibana.
I recognized after trying a few integrations, that only the Fleet server is able to send data into the data streams (ES is running on same host). After some investigation I found out, that Filebeat/Metricbeat on the other hosts always try to connect to http://localhost:9200, but there is no ES running.

/var/lib/elastic-agent/data/elastic-agent-3c518f/logs/default/filebeat-json.log:

{"log.level":"error","@timestamp":"2022-02-22T16:37:08.593+0100","log.logger":"esclientleg","log.origin":{"file.name":"transport/logging.go","file.line":37},"message":"Error dialing dial tcp 127.0.0.1:9200: connect: connection refused","service.name":"filebeat","network":"tcp","address":"localhost:9200","ecs.version":"1.6.0"}

In the Kibana Fleet Settings the Fleet hosts and Elasticsearch hosts are set properly and NOT localhost.
The "state.yml" directly on the host is the same like the Agent Policy.
Why does the Filebeat/Metricbeat not get the correct config??

Thanks in advance!

Edit: Environment is ES 7.16.2 on RedHat8

Found the problem!

The CA certificate defined in the Fleet Settings (ssl.certificate_authorities) was missing on the host where I tried to install the Elastic Agent.
I was not able to find it until now.
If anybody has similiar issues I recommend to check the following logfile carfully.

Logfile:

/var/lib/elastic-agent/data/elastic-agent-3c518f/install/filebeat-7.16.2-linux-x86_64/logs/filebeat

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.