Troubleshooting

edit

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

This experimental release allows you to try out new capabilities. There is no migration path for future releases. You must test in a dedicated cluster. Delete the cluster when you are done. You will not be able to upgrade the cluster.

We have collected the most common known problems and frequently asked questions here. If your question isn’t answered here, please review open issues in the following GitHub repositories:

Contact us in the discuss forum. Your feedback is very valuable to us.

Common problems:

Frequently asked questions:

The Ingest Manager app is not listed in the Kibana side navigation

edit

In 7.8, the Ingest Manager app is experimental. You must enable the app to see it in Kibana.

To enable Ingest Manager on Elastic Cloud:

  1. Go to your deployment in the user console.
  2. Under the deployment name in the side navigation, click Edit.
  3. In the Kibana section, expand User setting overrides and enter the following setting:

    xpack.ingestManager.enabled: true
  4. Click Save.

Kibana will restart automatically. When Kibana is available, refresh the browser to see the Ingest Manager app in the navigation menu.

To enable Ingest Manager on a self-managed cluster:

  1. In the Elasticsearch configuration file, config/elasticsearch.yml, set the following security settings to enable security and API keys:

    xpack.security.enabled: true
    xpack.security.authc.api_key.enabled: true
  2. In the Kibana configuration file, config/kibana.yml, enable Ingest Manager and specify user credentials:

    xpack.ingestManager.enabled: true
    xpack.ingestManager.fleet.tlsCheckDisabled: true 
    xpack.security.enabled: true
    elasticsearch.username: "elastic" 
    elasticsearch.password: "abc123iUnbRftkABC123"

    This setting is not required if you configure TLS checking.

    Specify a user who is authorized to use Ingest Manager.

To set up passwords, you can use the documented Elasticsearch APIs or the elasticsearch-setup-passwords command. For example:

./bin/elasticsearch-setup-passwords auto

After running the command, copy the Elastic user name to the Kibana config file. Then restart Kibana.

The /api/ingest_management/setup endpoint returns an error because it can’t reach the package registry

edit

In order to install Integrations, the Ingest Manager app needs to connect to an external service called the Elastic Package Registry. For this to work, the Kibana server must be able to connect to https://epr-experimental.elastic.co on port 443.

The Ingest Manager app in Kibana crashes

edit

To find more about the error, open your browser’s development console, navigate to the Network tab, and refresh the page. One of the requests to the Ingest Manager API will most likely have returned an error. If the error message doesn’t give you enough information to fix the problem, please contact us in the discuss forum.

Elastic Agent enrollment fails on the host with Client.Timeout exceeded message

edit

Elastic Agent must be able to connect to the Kibana instance to enroll in Fleet. If the Agent is unable to connect, you will see the following failure:

fail to enroll: fail to execute request to {kib}:Post http://kibana:5601/api/ingest_manager/fleet/agents/enroll?: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

This may occur if the host is unable to connect to Kibana. To troubleshoot the problem:

  1. Check for networking problems. Run the ping command from the host to confirm that it can reach the Kibana instance.
  2. Verify that the URL and port you specified during enrollment are correct for your environment.
  3. Check the enrollment key that you specified during enrollment to confirm that the key is valid. To do this:

    1. In Ingest Manager, go to the Fleet tab and click Enrollment Tokens.
    2. Click the eyeball icon to see the secret. The secret should match the string that you used to enroll Elastic Agent on your host.
    3. If the secret doesn’t match, create a new enrollment token and use the new token when you run the elastic-agent enroll command.

Fleet fails with HTTP 500 error while trying to decrypt API keys

edit

Fleet requires an encryption key in order to save API keys and encrypt them in Kibana. To provide an API key, set the xpack.encryptedSavedObjects.encryptionKey property in the kibana.yml configuration file. For example:

xpack.encryptedSavedObjects.encryptionKey: "something_at_least_32_characters"

Why doesn’t my enrolled Agent show up in the Ingest Manager app?

edit

If Elastic Agent was successfully enrolled, but doesn’t show up in the Fleet list, it might not be started. You need to start the Agent.

On linux and macOS hosts, run:

./elastic-agent run

On Windows hosts, run:

elastic-agent.exe run

Where does Elastic Agent store logs after startup?

edit

When started successfully, Metricbeat logs are stored in data/logs/metricbeat under the folder where Elastic Agent was started. If that log path does not exist, the Agent was unable to start Metricbeat, which is a higher level problem to triage.

What configuration is the Elastic Agent running?

edit

To find the configuration file, inspect the elastic-agent.yml file in the folder where you ran Elastic Agent. If you’re running the Agent in Fleet mode, this file contains the following citation:

Management: mode: "fleet"

The action_store.yml contains the entire, unencrypted configuration:

  • To see the Elasticsearch location, look at outputs:hosts.
  • To see the Elastic Agent version, look at the download folder and zip filenames.

This file also shows the version of all packages used by the current configuration.

Why can’t I see the data Elastic Agent is sending?

edit

If Elastic Agent is set up and running, but you don’t see data in Kibana:

  1. Go to Management > Dev Tools in Kibana, and in the Console, search your index for data. For example:

    GET metrics-*/_search

    Or if you prefer, go to the Discover app.

  2. Look at the data that Elastic Agent has sent and see if the name.host field contains your host machine name.

If you don’t see data for your host, it’s possible that the data is blocked in the network, or that a firewall or security problem is preventing the Elastic Agent from sending the data.

Although it’s redundant to install stand-alone Metricbeat, you might want to try installing it to see if it’s able to send data successfully to Elasticsearch. For more information, see Get started with Metricbeat.

If Metricbeat is able to send data to Elasticsearch, there is possibly a bug or problem with Elastic Agent, and you should report it.

How do I restore an Elastic Agent that I deleted from Fleet?

edit

It’s ok, we’ve got your back! The data is still in Elasticsearch. To add Elastic Agent to Fleet again, Stop Elastic Agent, re-enroll it on the host, then run Elastic Agent.

How do I restart Elastic Agent after rebooting my host?

edit

On Windows, if you used Powershell to install Elastic Agent as a service, the Agent should still be running after rebooting the host.

On macOS and Linux, you need to restart Elastic Agent from the command line after rebooting the host.

Support for installing Elastic Agent as a service on all supported systems will be available in a future release. To achieve this in the meantime, you can add the start command to a user’s startup profile.

What is the Endpoint integration shown in Ingest Manager?

edit

In 7.8, the Endpoint integration is non-functional. It cannot be used yet. It exists as an artifact of the current feature development. Please watch for announcements during upcoming release cycles. As a teaser, Endpoint is the integration that will allow the Elastic Security app to have a dedicated executable running like Beats to protect the host and respond to detected security concerns. Endpoint will be managed by Elastic Agent in the same way that Beats are managed.