Hello everyone,
I'm in the process of setting up an ELK stack for my home lab, and I've hit a brick wall regarding Elastic Agent's ability to send logs. Despite following the setup carefully and ensuring everything connects, I can't seem to get logs from the Fleet Server or Elastic Agents into Elasticsearch/Kibana. Here’s a rundown of my setup and the issues I'm facing:
System Overview
General Setup:
- ELK stack running in Docker containers on the same host.
- Certificates generated via OpenSSL for secure communication.
- Fleet Server and Elastic Agents installed on the same network.
Network Configuration:
- All servers (Elasticsearch, Kibana, Fleet Server) run on the same host IP.
- All containers (Elasticsearch, Kibana) are also in a docker network.
My Installation Process
- Certificates Setup: I generated certificates using OpenSSL as follows:

    openssl genrsa -out ca.key 2048
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt
    # Repeat (+sign) for Elasticsearch and Fleet Server
- Docker-Compose Setup: I used a Docker Compose file for Elasticsearch and Kibana; you can find the full file on my blog at (pindjouf dot xyz slash posts slash troubleshooting) (don't want to spam links).
- Fleet Server and Agent Installation: I installed Fleet Server and Elastic Agents using commands similar to:

    sudo ./elastic-agent install --url=hxxps[://]x.x.x.x:8220 --fleet-server-es=hxxps[://]x.x.x.x:9200

  Again, the full details are on my website; otherwise this post would be way too long.
What Works
- Fleet Server shows as Healthy in Kibana.
- Elastic Agents connect to the Fleet Server.
- Kibana is accessible via its web portal.
What Doesn’t Work
- Fleet Server isn’t sending any logs.
- Elastic Agents appear Degraded with multiple components failing.
Example Logs from the Agent:
{"log.level":"error","@timestamp":"2025-01-09T15:42:13.895Z","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/application/coordinator.(*Coordinator).watchRuntimeComponents","file.name":"coordinator/coordinator.go","file.line":663},"message":"Unit state changed log-default (STARTING->FAILED): Failed: pid '69668' exited with code '-1'"}
Status Output (sudo elastic-agent status):
┌─ fleet
│ └─ status: (HEALTHY) Connected
└─ elastic-agent
├─ status: (DEGRADED) 1 or more components/units in a failed state
├─ log-default
│ ├─ status: (FAILED) Failed: pid '68906' exited with code '-1'
What I've Tried
- Verified certificates are valid using OpenSSL.
- Restarted all services and reinstalled agents multiple times.
Request for Help
I suspect there might be an issue with:
- The communication between the Elastic Agent and Fleet Server.
- A missing configuration in Docker/Elasticsearch that affects log forwarding.
- Something subtle I’ve overlooked in the Fleet Server/Elastic Agent configuration.
- Local issue for the agents' processes.
I’ve documented the full process of my setup on my blog at (pindjouf dot xyz slash posts slash troubleshooting) in case further details are needed.
Additional Questions
- Is there a better way to debug Elastic Agent logs?
- Should I try removing components like Docker for a simpler setup, or is this a known issue?
Any help or pointers would be greatly appreciated. Thanks in advance!
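On the question of a better way to debug Elastic Agent logs: the agent writes one JSON object per line, and the unit state changes (like the STARTING->FAILED line quoted above) are the fastest way to see which component keeps dying. The script below is an added example, not from the post or from Elastic; it parses those lines, extracts the transition and the exit code, and reports the units whose latest state is FAILED. Only the second sample line is copied from the post; the others are constructed.

```python
import json
import re

# Elastic Agent writes one JSON object per line; unit transitions show up in
# "message" as: Unit state changed <unit> (<FROM>-><TO>): <detail>
TRANSITION_RE = re.compile(
    r"Unit state changed (?P<unit>\S+) \((?P<old>[A-Z]+)->(?P<new>[A-Z]+)\): (?P<detail>.*)"
)
EXIT_RE = re.compile(r"pid '(?P<pid>\d+)' exited with code '(?P<code>-?\d+)'")

def parse_transitions(lines):
    """Return one dict per unit-state-change event found in JSON log lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise (banner text, partial lines)
        m = TRANSITION_RE.match(rec.get("message", ""))
        if not m:
            continue
        ev = {"ts": rec.get("@timestamp"), "level": rec.get("log.level"), **m.groupdict()}
        exit_m = EXIT_RE.search(ev["detail"])
        ev["pid"] = int(exit_m["pid"]) if exit_m else None
        ev["exit_code"] = int(exit_m["code"]) if exit_m else None
        events.append(ev)
    return events

def failed_units(events):
    """Latest transition per unit, restricted to units whose last state is FAILED."""
    latest = {}
    for ev in events:  # events are in file order, so the last one wins
        latest[ev["unit"]] = ev
    return {u: ev for u, ev in latest.items() if ev["new"] == "FAILED"}

# Constructed sample: the second line is copied from the post, the rest are made up.
SAMPLE_LOG = """
{"log.level":"info","@timestamp":"2025-01-09T15:42:10.100Z","message":"Unit state changed fleet-server-default (STARTING->HEALTHY): Healthy"}
{"log.level":"error","@timestamp":"2025-01-09T15:42:13.895Z","log.origin":{"function":"github.com/elastic/elastic-agent/internal/pkg/agent/application/coordinator.(*Coordinator).watchRuntimeComponents","file.name":"coordinator/coordinator.go","file.line":663},"message":"Unit state changed log-default (STARTING->FAILED): Failed: pid '69668' exited with code '-1'"}
{"log.level":"info","@timestamp":"2025-01-09T15:42:20.000Z","message":"Unit state changed log-default (FAILED->STARTING): Starting"}
{"log.level":"error","@timestamp":"2025-01-09T15:42:25.000Z","message":"Unit state changed log-default (STARTING->FAILED): Failed: pid '69700' exited with code '-1'"}
not a json line
"""

if __name__ == "__main__":
    for unit, ev in failed_units(parse_transitions(SAMPLE_LOG.splitlines())).items():
        print(f"{ev['ts']} {unit}: {ev['old']}->{ev['new']} pid={ev['pid']} exit={ev['exit_code']}")
```

Feed it the agent's actual JSON log file instead of SAMPLE_LOG; a unit that cycles STARTING->FAILED with exit code -1 every few seconds usually points at the component's own process, not at the Fleet connection.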