Fleet server Elasticsearch output settings connection errors

Elastic Stack Elastic Agent
1

Hello, this is the issue i’m currently pondering over:

Situation

  • an agent with fleet server integration, running in a VM, together with other elements of the stack (ES, KIB)
  • agents running on Windows hosts
  • ES is published on 0.0.0.0
  • Basic subscription (free tier)

Fleet settings:

output to ES has 2 URLs:

  • one for agent running the fleet server integration, using the local ip & default port (9200)
  • another using the ip/port of the host which is running the VM. this is port forwarded to the vm_local_ip:9200

the issue:

  • it works but the logs are FLOODED with errors complaining that it cannot connect to the first ES output
{"log.level":"error","@timestamp":"2025-08-13T14:29:27.475+0200","message":"Error dialing dial tcp 10.0.2.15:9200: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"windows/metrics-default","type":"windows/metrics"},"log":{"source":"windows/metrics-default"},"log.logger":"elasticsearch.esclientleg","log.origin":{"file.line":39,"file.name":"transport/logging.go","function":"github.com/elastic/elastic-agent-libs/transport/httpcommon.(*HTTPTransportSettings).RoundTripper.LoggingDialer.func2"},"service.name":"metricbeat","network.transport":"tcp","ecs.version":"1.6.0","server.address":"10.0.2.15:9200","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-08-13T14:29:27.662+0200","message":"Failed to connect to backoff(elasticsearch(https://10.0.2.15:9200)): Get \"https://10.0.2.15:9200\": dial tcp 10.0.2.15:9200: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"system/metrics-monitoring","type":"system/metrics"},"log":{"source":"system/metrics-monitoring"},"log.logger":"publisher_pipeline_output","log.origin":{"file.line":149,"file.name":"pipeline/client_worker.go","function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-08-13T14:29:32.324+0200","message":"Failed to connect to backoff(elasticsearch(https://10.0.2.15:9200)): Get \"https://10.0.2.15:9200\": dial tcp 10.0.2.15:9200: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.logger":"publisher_pipeline_output","log.origin":{"file.line":149,"file.name":"pipeline/client_worker.go","function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-08-13T14:33:16.214+0200","message":"Failed to connect to backoff(elasticsearch(https://10.0.2.15:9200)): Get \"https://10.0.2.15:9200\": dial tcp 10.0.2.15:9200: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"winlog-default","type":"winlog"},"log":{"source":"winlog-default"},"log.logger":"publisher_pipeline_output","log.origin":{"file.line":149,"file.name":"pipeline/client_worker.go","function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-08-13T14:33:18.195+0200","message":"Failed to connect to backoff(elasticsearch(https://10.0.2.15:9200)): Get \"https://10.0.2.15:9200\": dial tcp 10.0.2.15:9200: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"publisher_pipeline_output","log.origin":{"file.line":149,"file.name":"pipeline/client_worker.go","function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run"},"ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2025-08-13T14:33:19.157+0200","message":"Failed to connect to backoff(elasticsearch(https://10.0.2.15:9200)): Get \"https://10.0.2.15:9200\": dial tcp 10.0.2.15:9200: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.logger":"publisher_pipeline_output","log.origin":{"file.line":149,"file.name":"pipeline/client_worker.go","function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}

etc!

am i missing a setting where i can tell my agent/fleet to only consider one of the outputs?

Kind regards

2

This is not possible, if your output has 2 URLs, the Agent will load balance between them.

One alternative would be to use one URL pointing to a custom hostname and in each host configure this custom hostname to point to the specific IP.

Keep in mind that you may need to provide a certificate that is valid in both cases.

3

thanks @leandrojmp
given the scope (homelab) i’m currently bypassing the need for certificates, you can add ssl.verification_mode:none in the yml options for this fleet ES output