Not able to start standalone Elastic Agent in my windows machine

Can you please help - I am trying to start standalone elastic agent in my windows machine and it keeps trying connecting to end point without any success.

Here are the logs please:

ERROR MESSAGE:

{"log.level":"info","@timestamp":"2024-03-14T15:09:10.295+0530","message":"Attempting to reconnect to backoff(elasticsearch()) with 41 reconnect attempt(s)","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"log.logger":"publisher_pipeline_output","log.origin":{"file.line":139,"file.name":"pipeline/client_worker.go","function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-03-14T15:09:12.350+0530","message":"Error dialing dial tcp XXXXXX: connectex: No connection could be made because the target machine actively refused it.","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"{"source":"monitoring"},"log.logger":"esclientleg","service.name":"metricbeat","network":"tcp","address":"XXXXXXX","log.origin":{"file.line":38,"file.name":"transport/logging.go","function":"github.com/elastic/elastic-agent-libs/transport.LoggingDialer.func1"},"ecs.version":"1.6.0","ecs.version":"1.6.0"}

The log says:

No connection could be made because the target machine actively refused it.

So you need to check things like firewall, the elasticsearch / kibana setup.... If you don't find, then please share more details about what you did (ie what you modified, elasticsearch logs, kibana logs...)

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

This is the icon to use if you are not using markdown format:

There's a live preview panel for exactly this reasons.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.

Thank you Dave for your reply and suggestion. Do I need to open 9200 port ?

I am trying to install standalone Elastic agent in my laptop and would feed the log files locally and then run indexing and search in Kibana to view the data there.

Here are the steps I tried:

  1. Installed Elastic agent in Standalone mode in my windows machine - followed the steps from Elastic
  2. Made changes to elastic-agent.yml file. I am not sure how to create api_key for windows, so kept as is, here are the entries from it:
outputs:
  default:
    type: elasticsearch
    hosts: [127.0.0.1:9200]
    api_key: "example-key"
    #username: "elastic"
    #password: "changeme"
    #preset: balanced



# Here you can configure your list of inputs. You can either configure all the inputs as a list of arrays
# or create an "inputs.d" directory containing your input configurations.
# See https://www.elastic.co/guide/en/fleet/current/elastic-agent-configuration.html for how to structure the "inputs.d" directory.
inputs:

  - id: test
    type: filestream
    streams:
      - id: teststream
        data_stream:
          dataset: commercedata
        paths:
          - /var/log/your-logs.log

Let me paste the logs here, this is post running the elastic-agent.exe as SU in power shell.

{"log.level":"error","@timestamp":"2024-03-14T17:47:12.691+0530","message":"Failed to connect to backoff(elasticsearch(http://127.0.0.1:9200)): Get \"http://127.0.0.1:9200\": dial tcp 127.0.0.1:9200: connectex: No connection could be made because the target machine actively refused it.","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"log.logger":"publisher_pipeline_output","log.origin":{"file.line":148,"file.name":"pipeline/client_worker.go","function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-03-14T17:47:12.691+0530","message":"Attempting to reconnect to backoff(elasticsearch(http://127.0.0.1:9200)) with 5 reconnect attempt(s)","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"log.logger":"publisher_pipeline_output","log.origin":{"file.line":139,"file.name":"pipeline/client_worker.go","function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run"},"service.name":"metricbeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-03-14T17:47:14.731+0530","message":"Error dialing dial tcp 127.0.0.1:9200: connectex: No connection could be made because the target machine actively refused it.","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"service.name":"metricbeat","network":"tcp","address":"127.0.0.1:9200","ecs.version":"1.6.0","log.logger":"esclientleg","log.origin":{"file.line":38,"file.name":"transport/logging.go","function":"github.com/elastic/elastic-agent-libs/transport.LoggingDialer.func1"},"ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-03-14T17:47:15.302+0530","message":"Failed to connect to backoff(elasticsearch(http://127.0.0.1:9200)): Get \"http://127.0.0.1:9200\": dial tcp 127.0.0.1:9200: connectex: No connection could be made because the target machine actively refused it.","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"log.logger":"publisher_pipeline_output","log.origin":{"file.line":148,"file.name":"pipeline/client_worker.go","function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run"},"service.name":"filebeat","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-03-14T17:47:15.302+0530","message":"Attempting to reconnect to backoff(elasticsearch(http://127.0.0.1:9200)) with 6 reconnect attempt(s)","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"publisher_pipeline_output","log.origin":{"file.line":139,"file.name":"pipeline/client_worker.go","function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*netClientWorker).run"},"ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-03-14T17:47:17.355+0530","message":"Error dialing dial tcp 127.0.0.1:9200: connectex: No connection could be made because the target machine actively refused it.","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"filestream-monitoring","type":"filestream"},"log":{"source":"filestream-monitoring"},"service.name":"filebeat","address":"127.0.0.1:9200","ecs.version":"1.6.0","log.logger":"esclientleg","log.origin":{"file.line":38,"file.name":"transport/logging.go","function":"github.com/elastic/elastic-agent-libs/transport.LoggingDialer.func1"},"network":"tcp","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-03-14T17:47:33.795+0530","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"beat/metrics-monitoring","type":"beat/metrics"},"log":{"source":"beat/metrics-monitoring"},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cpu":{"system":{"ticks":1421,"time":{"ms":15}},"total":{"ticks":2186,"time":{"ms":15},"value":2186},"user":{"ticks":765}},"info":{"ephemeral_id":"c9723cfb-fb16-4ac0-8519-9915208496a7","uptime":{"ms":109710},"version":"8.12.2"},"memstats":{"gc_next":51510880,"memory_alloc":38719120,"memory_total":50365736,"rss":88666112},"runtime":{"goroutines":47}},"libbeat":{"config":{"module":{"running":1}},"output":{"events":{"active":0}},"pipeline":{"clients":2,"events":{"active":0}}}}},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-03-14T17:47:33.795+0530","message":"Non-zero metrics in the last 30s","component":{"binary":"metricbeat","dataset":"elastic_agent.metricbeat","id":"http/metrics-monitoring","type":"http/metrics"},"log":{"source":"http/metrics-monitoring"},"service.name":"metricbeat","monitoring":{"ecs.version":"1.6.0","metrics":{"beat":{"cpu":{"system":{"ticks":1187},"total":{"ticks":2108,"time":{"ms":15},"value":2108},"user":{"ticks":921,"time":{"ms":15}}},"info":{"ephemeral_id":"74d82424-619e-4099-9f05-f9b59793dcc5","uptime":{"ms":109725},"version":"8.12.2"},"memstats":{"gc_next":44969680,"memory_alloc":36668008,"memory_total":51597680,"rss":88752128},"runtime":{"goroutines":53}},"libbeat":{"config":{"module":{"running":3}},"output":{"events":{"active":0}},"pipeline":{"clients":3,"events":{"active":6,"published":3,"retry":3,"total":3}}},"metricbeat":{"http":{"json":{"events":3,"success":3}}},"system":{"handles":{"open":2}}}},"log.logger":"monitoring","log.origin":{"file.line":187,"file.name":"log/log.go","function":"github.com/elastic/beats/v7/libbeat/monitoring/report/log.(*reporter).logSnapshot"},"ecs.version":"1.6.0"}

Well... If you are using Elasticsearch 8.x, I guess it's secured by default so it should be in https and not http.
That'd be my first guess. And yeah 9200 port needs to be visible from the agent machine.
Best thing to do is to try to curl the url http://127.0.0.1:9200.

Here are the outcomes:

C:\Program Files\Elastic\Agent> curl 127.0.0.1:9200
curl : Unable to connect to the remote server
At line:1 char:1
+ curl 127.0.0.1:9200
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

PS C:\Program Files\Elastic\Agent> netstat -a

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.