FleetServer Policy with Logstash type output failing

Elastic Stack Elastic Agent
1

I have the following scenario that works:
FleetServer policy -> output type Elasticsearch
AgentPolicy -> output type Logstash

However if I try to change the output type for the Fleet Server policy, to Logstash I get an error and everything breaks down:

"c:\Program Files\Elastic\Agent\elastic-agent.exe" status
State: HEALTHY
Message: Running
Fleet State: FAILED
Fleet Message: fail to checkin to fleet-server: all hosts failed: 1 error occurred:
        * requester 0/1 to host https://localhost:8221/ errored: Post "https://localhost:8221/api/fleet/agents/9bf8bc6c-4263-4c3a-af4c-24715c24ff72/checkin?": dial tcp [::1]:8221: connectex: No connection could be made because the target machine actively refused it.


Components:
  * log             (HEALTHY)
                    Healthy: communicating with pid '1296'
  * winlog          (HEALTHY)
                    Healthy: communicating with pid '6008'
  * filestream      (HEALTHY)
                    Healthy: communicating with pid '1372'
  * beat/metrics    (HEALTHY)
                    Healthy: communicating with pid '9028'
  * http/metrics    (HEALTHY)
                    Healthy: communicating with pid '10080'
  * system/metrics  (HEALTHY)
                    Healthy: communicating with pid '3076'
  *                 (FAILED)
                    output not supported

I don't understand why is the agent trying to contact the fleet server on port 8221 and why the new * component which is not there in the case of the elasticsearch output.

2

Hi @Bradut_B,

The Fleet Server policy supports only an ElasticSearch input by design.
What version of the stack are you running? From version 8.7.0 there are some internal limitations that prevent changing the default output to logstash for fleet server policies, but if you are running 8.6.x this can still happen and break the ingestion.

Thanks,
Cristina

1 Like
3

thank you for the clarification. I am using Elastic 8.6.2

4

You mean 8.6.2, right?

From the previous answer:

From version 8.7.0 there are some internal limitations that prevent changing the default output to logstash for fleet server policies, but if you are running 8.6.x this can still happen and break the ingestion.

Unfortunately if you need Logstash the best thing you can do is to avoid using the Elastic Agent and stick with the normal Beats.

5

indeed :slight_smile:

6

Under the licensed version I can have an agent policy that uses Logstash and a FleetServer policy that uses the default EalstiSearch.
From what I understood, Beats will eventually be deprecated in favour of the ElasticAgent?

7

Yeah, but it has some issues on version 8.6.X as mentioned in the previous answer and in this github issue

I still think that if you need Logstash it is better to keep using a normal beat, but this is based on my experience and issues I had while trying to migrate things to Elastic Agent.

I think that Elastic plans the deprecate the Beats on the future, but given all the limitations regarding Fleet and Elastic Agent, this seems to be a really distant future.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.