Windows Service Control Manager error with Elastic Agent

Description

When installing and running the Elastic Agent on a Windows 10 or Windows Server 2019 machine, I encounter Service Control Manager errors.

The Elastic Agent seems to be functioning as expected on my Windows machine: I can see logs and metrics, and it is reported as healthy in the Fleet dashboard. However, I'm consistently seeing Service Control Manager errors with event IDs 7011 and 7046 on the Windows machine where the agent is installed.

Due to these Service Control Manager errors, and the fact that they occur with each restart or reboot, I am hesitant to deploy the Elastic Agent on additional machines in our environment.

Following GitHub issue #20404, I also tried increasing the service timeout to around ten minutes, but it did not help; I kept getting the errors.

I checked the Elastic Agent logs (debug mode) but found nothing unusual, and the agent policy also looks correct.

Can you help me find where these errors might be coming from?

Thanks in advance.

Test Environment

  • Elastic Agent version: 8.10.0 and 8.10.2 tested
  • OS: Windows 10 Enterprise 22H2 19045.3570
  • Fleet-managed, in an air-gapped environment

Reproduce errors

  • Deploy Elastic Stack 8.10.0 with Fleet
  • Create a Windows default agent policy with logs and metrics enabled
  • Install Elastic Agent 8.10.0 or 8.10.2 on a Windows 10 machine
  • Restart the Windows 10 machine
  • Open Event Viewer and filter the System log by source "Service Control Manager", level Error (Event IDs 7011 and 7046)

Sample of Windows Event logs

EventID 7011

A timeout (180000 milliseconds) was reached while waiting for a transaction response from the Elastic Agent service.

- <System>
  <Provider Name="Service Control Manager" Guid="{222608d1-b6e7-4695-8a1a-26941f5012f4}" EventSourceName="Service Control Manager" /> 
  <EventID Qualifiers="49152">7011</EventID> 
  <Version>0</Version> 
  <Level>2</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8080000000000000</Keywords> 
  <TimeCreated SystemTime="2023-10-30T12:17:26.9447928Z" /> 
  <EventRecordID>33617</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="620" ThreadID="9208" /> 
  <Channel>System</Channel> 
  <Computer>windows.testlab.local</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data Name="param1">180000</Data> 
  <Data Name="param2">Elastic Agent</Data> 
  </EventData>
  </Event>

EventID 7046

The following service has repeatedly stopped responding to service control requests: Elastic Agent

Contact the service vendor or the system administrator about whether to disable this service until the problem is identified.

You may have to restart the computer in safe mode before you can disable the service.

- <System>
  <Provider Name="Service Control Manager" Guid="{222608d1-b6e7-4695-8a1a-26941f5012f4}" EventSourceName="Service Control Manager" /> 
  <EventID Qualifiers="32768">7046</EventID> 
  <Version>0</Version> 
  <Level>2</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8080000000000000</Keywords> 
  <TimeCreated SystemTime="2023-10-30T11:26:34.4984754Z" /> 
  <EventRecordID>33460</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="604" ThreadID="9004" /> 
  <Channel>System</Channel> 
  <Computer>windows.testlab.local</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data Name="param1">Elastic Agent</Data> 
  </EventData>
  </Event>

Agent policy settings

PUT kbn:/api/fleet/agent_policies/default_agent_policy
{
  "name": "default_agent_policy",
  "description": "Default Policy",
  "namespace": "soc",
  "monitoring_enabled": [
    "logs",
    "metrics"
  ],
  "inactivity_timeout": 1209600,
  "is_protected": false
}
PUT kbn:/api/fleet/package_policies/564f4caa-733d-4283-ba9f-19228e0fdfa7
{
  "package": {
    "name": "system",
    "version": "1.38.2"
  },
  "name": "system-2",
  "namespace": "soc",
  "policy_id": "93cf7e30-771d-11ee-a542-63d49249c3e9",
  "vars": {},
  "inputs": {
    "system-logfile": {
      "enabled": false,
      "streams": {
        "system.auth": {
          "enabled": false,
          "vars": {
            "ignore_older": "72h",
            "paths": [
              "/var/log/auth.log*",
              "/var/log/secure*"
            ],
            "preserve_original_event": false,
            "tags": [
              "system-auth"
            ]
          }
        },
        "system.syslog": {
          "enabled": false,
          "vars": {
            "paths": [
              "/var/log/messages*",
              "/var/log/syslog*",
              "/var/log/system*"
            ],
            "preserve_original_event": false,
            "tags": [],
            "ignore_older": "72h"
          }
        }
      }
    },
    "system-winlog": {
      "enabled": true,
      "streams": {
        "system.application": {
          "enabled": false,
          "vars": {
            "preserve_original_event": false,
            "ignore_older": "72h",
            "language": 0,
            "tags": []
          }
        },
        "system.security": {
          "enabled": true,
          "vars": {
            "preserve_original_event": false,
            "ignore_older": "72h",
            "language": 0,
            "tags": []
          }
        },
        "system.system": {
          "enabled": true,
          "vars": {
            "preserve_original_event": false,
            "ignore_older": "72h",
            "language": 0,
            "tags": []
          }
        }
      }
    },
    "system-system/metrics": {
      "enabled": true,
      "vars": {},
      "streams": {
        "system.core": {
          "enabled": false,
          "vars": {
            "period": "10s",
            "core.metrics": [
              "percentages"
            ],
            "tags": []
          }
        },
        "system.cpu": {
          "enabled": true,
          "vars": {
            "period": "10s",
            "cpu.metrics": [
              "percentages",
              "normalized_percentages"
            ],
            "tags": []
          }
        },
        "system.diskio": {
          "enabled": true,
          "vars": {
            "period": "10s",
            "diskio.include_devices": [],
            "tags": []
          }
        },
        "system.filesystem": {
          "enabled": true,
          "vars": {
            "period": "1m",
            "filesystem.ignore_types": [],
            "tags": [],
            "processors": "- drop_event.when.regexp:\n    system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)\n"
          }
        },
        "system.fsstat": {
          "enabled": true,
          "vars": {
            "period": "1m",
            "tags": [],
            "processors": "- drop_event.when.regexp:\n    system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)\n"
          }
        },
        "system.load": {
          "enabled": true,
          "vars": {
            "period": "10s",
            "tags": []
          }
        },
        "system.memory": {
          "enabled": true,
          "vars": {
            "period": "10s",
            "tags": []
          }
        },
        "system.network": {
          "enabled": true,
          "vars": {
            "period": "10s",
            "network.interfaces": [],
            "tags": []
          }
        },
        "system.process": {
          "enabled": true,
          "vars": {
            "period": "10s",
            "process.include_top_n.by_cpu": 5,
            "process.include_top_n.by_memory": 5,
            "process.cmdline.cache.enabled": true,
            "process.cgroups.enabled": false,
            "process.env.whitelist": [],
            "process.include_cpu_ticks": false,
            "processes": [
              ".*"
            ],
            "tags": []
          }
        },
        "system.process.summary": {
          "enabled": true,
          "vars": {
            "period": "10s",
            "tags": []
          }
        },
        "system.socket_summary": {
          "enabled": true,
          "vars": {
            "period": "10s",
            "tags": []
          }
        },
        "system.uptime": {
          "enabled": true,
          "vars": {
            "period": "10s",
            "tags": []
          }
        }
      }
    },
    "system-httpjson": {
      "enabled": false,
      "vars": {
        "url": "https://server.example.com:8089",
        "preserve_original_event": false,
        "ssl": "#certificate_authorities"
      },
      "streams": {
        "system.application": {
          "enabled": false,
          "vars": {
            "interval": "10s",
            "search": "search sourcetype=\"XmlWinEventLog:Application\"",
            "tags": [
              "forwarded"
            ]
          }
        },
        "system.security": {
          "enabled": false,
          "vars": {
            "interval": "10s",
            "search": "search sourcetype=\"XmlWinEventLog:Security\"",
            "tags": [
              "forwarded"
            ]
          }
        },
        "system.system": {
          "enabled": false,
          "vars": {
            "interval": "10s",
            "search": "search sourcetype=\"XmlWinEventLog:System\"",
            "tags": [
              "forwarded"
            ]
          }
        }
      }
    }
  }
}
