FleetServer Policy with Logstash type output failing

Bradut_B · April 12, 2023, 1:20pm

I have the following scenario that works:
FleetServer policy -> output type Elasticsearch
AgentPolicy -> output type Logstash

However if I try to change the output type for the Fleet Server policy, to Logstash I get an error and everything breaks down:

"c:\Program Files\Elastic\Agent\elastic-agent.exe" status
State: HEALTHY
Message: Running
Fleet State: FAILED
Fleet Message: fail to checkin to fleet-server: all hosts failed: 1 error occurred:
        * requester 0/1 to host https://localhost:8221/ errored: Post "https://localhost:8221/api/fleet/agents/9bf8bc6c-4263-4c3a-af4c-24715c24ff72/checkin?": dial tcp [::1]:8221: connectex: No connection could be made because the target machine actively refused it.


Components:
  * log             (HEALTHY)
                    Healthy: communicating with pid '1296'
  * winlog          (HEALTHY)
                    Healthy: communicating with pid '6008'
  * filestream      (HEALTHY)
                    Healthy: communicating with pid '1372'
  * beat/metrics    (HEALTHY)
                    Healthy: communicating with pid '9028'
  * http/metrics    (HEALTHY)
                    Healthy: communicating with pid '10080'
  * system/metrics  (HEALTHY)
                    Healthy: communicating with pid '3076'
  *                 (FAILED)
                    output not supported

I don't understand why is the agent trying to contact the fleet server on port 8221 and why the new * component which is not there in the case of the elasticsearch output.

Cristina_Amico · April 12, 2023, 3:44pm

Hi @Bradut_B,

The Fleet Server policy supports only an ElasticSearch input by design.
What version of the stack are you running? From version 8.7.0 there are some internal limitations that prevent changing the default output to logstash for fleet server policies, but if you are running 8.6.x this can still happen and break the ingestion.

Thanks,
Cristina

Bradut_B · April 13, 2023, 9:12am

thank you for the clarification. I am using Elastic 8.6.2

leandrojmp · April 13, 2023, 12:38pm

You mean 8.6.2, right?

From the previous answer:

From version 8.7.0 there are some internal limitations that prevent changing the default output to logstash for fleet server policies, but if you are running 8.6.x this can still happen and break the ingestion.

Unfortunately if you need Logstash the best thing you can do is to avoid using the Elastic Agent and stick with the normal Beats.

Bradut_B · April 13, 2023, 1:01pm

indeed

Bradut_B · April 13, 2023, 1:04pm

Under the licensed version I can have an agent policy that uses Logstash and a FleetServer policy that uses the default EalstiSearch.
From what I understood, Beats will eventually be deprecated in favour of the ElasticAgent?

leandrojmp · April 13, 2023, 3:02pm

Yeah, but it has some issues on version 8.6.X as mentioned in the previous answer and in this github issue

I still think that if you need Logstash it is better to keep using a normal beat, but this is based on my experience and issues I had while trying to migrate things to Elastic Agent.

I think that Elastic plans the deprecate the Beats on the future, but given all the limitations regarding Fleet and Elastic Agent, this seems to be a really distant future.

Topic		Replies	Views
Getting Logstash output cannot be used with Fleet Server integration in Fleet Server Policy. Please create a new ElasticSearch output Elasticsearch	6	1318	June 14, 2023
Fleet server agent output not supported Elastic Agent fleet	2	425	August 22, 2023
Not able to send add logstash output in Elastic Agent setup Elastic Agent fleet	8	848	April 6, 2023
Elastic Agent to Logstash Logstash fleet	3	40	March 3, 2026
No incoming data to Logstash Output from Elastic Agents - Only Elasticsearch ouptut works Elasticsearch fleet	6	782	May 28, 2023

FleetServer Policy with Logstash type output failing

Related topics