Troubleshooting
editTroubleshooting
editThis functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
This experimental release allows you to try out new capabilities. There is no migration path for future releases. You must test in a dedicated cluster. Delete the cluster when you are done. You will not be able to upgrade the cluster.
We have collected the most common known problems and frequently asked questions here. If your question isn’t answered here, please review open issues in the following GitHub repositories:
Contact us in the discuss forum. Your feedback is very valuable to us.
Common problems:
- The Ingest Manager app is not listed in the Kibana side navigation
-
The
/api/ingest_management/setup
endpoint returns an error because it can’t reach the package registry - The Ingest Manager app in Kibana crashes
-
Elastic Agent enrollment fails on the host with
Client.Timeout exceeded
message - Fleet fails with HTTP 500 error while trying to decrypt API keys
Frequently asked questions:
- Why doesn’t my enrolled Agent show up in the Ingest Manager app?
- Where does Elastic Agent store logs after startup?
- What configuration is the Elastic Agent running?
- Why can’t I see the data Elastic Agent is sending?
- How do I restore an Elastic Agent that I deleted from Fleet?
- How do I restart Elastic Agent after rebooting my host?
- What is the Endpoint integration shown in Ingest Manager?
The Ingest Manager app is not listed in the Kibana side navigation
editIn 7.8, the Ingest Manager app is experimental. You must enable the app to see it in Kibana.
To enable Ingest Manager on Elastic Cloud:
- Go to your deployment in the user console.
- Under the deployment name in the side navigation, click Edit.
-
In the Kibana section, expand User setting overrides and enter the following setting:
xpack.ingestManager.enabled: true
- Click Save.
Kibana will restart automatically. When Kibana is available, refresh the browser to see the Ingest Manager app in the navigation menu.
To enable Ingest Manager on a self-managed cluster:
-
In the Elasticsearch configuration file,
config/elasticsearch.yml
, set the following security settings to enable security and API keys:xpack.security.enabled: true xpack.security.authc.api_key.enabled: true
-
In the Kibana configuration file,
config/kibana.yml
, enable Ingest Manager and specify user credentials:
To set up passwords, you can use the documented Elasticsearch APIs or the
elasticsearch-setup-passwords
command. For example:
./bin/elasticsearch-setup-passwords auto
After running the command, copy the Elastic user name to the Kibana config file. Then restart Kibana.
The /api/ingest_management/setup
endpoint returns an error because it can’t reach the package registry
editIn order to install Integrations, the Ingest Manager app needs to connect to
an external service called the Elastic Package Registry. For this to work, the Kibana
server must be able to connect to https://epr-experimental.elastic.co
on port
443.
The Ingest Manager app in Kibana crashes
editTo find more about the error, open your browser’s development console, navigate to the Network tab, and refresh the page. One of the requests to the Ingest Manager API will most likely have returned an error. If the error message doesn’t give you enough information to fix the problem, please contact us in the discuss forum.
Elastic Agent enrollment fails on the host with Client.Timeout exceeded
message
editElastic Agent must be able to connect to the Kibana instance to enroll in Fleet. If the Agent is unable to connect, you will see the following failure:
fail to enroll: fail to execute request to {kib}:Post http://kibana:5601/api/ingest_manager/fleet/agents/enroll?: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
This may occur if the host is unable to connect to Kibana. To troubleshoot the problem:
-
Check for networking problems. Run the
ping
command from the host to confirm that it can reach the Kibana instance. - Verify that the URL and port you specified during enrollment are correct for your environment.
-
Check the enrollment key that you specified during enrollment to confirm that the key is valid. To do this:
- In Ingest Manager, go to the Fleet tab and click Enrollment Tokens.
- Click the eyeball icon to see the secret. The secret should match the string that you used to enroll Elastic Agent on your host.
-
If the secret doesn’t match, create a new enrollment token and use the new
token when you run the
elastic-agent enroll
command.
Fleet fails with HTTP 500 error while trying to decrypt API keys
editFleet requires an encryption key in order to save API keys and encrypt them in
Kibana. To provide an API key, set the xpack.encryptedSavedObjects.encryptionKey
property in the kibana.yml
configuration file. For example:
xpack.encryptedSavedObjects.encryptionKey: "something_at_least_32_characters"
Why doesn’t my enrolled Agent show up in the Ingest Manager app?
editIf Elastic Agent was successfully enrolled, but doesn’t show up in the Fleet list, it might not be started. You need to start the Agent.
On linux and macOS hosts, run:
./elastic-agent run
On Windows hosts, run:
elastic-agent.exe run
Where does Elastic Agent store logs after startup?
editWhen started successfully, Metricbeat logs are stored in
data/logs/metricbeat
under the folder where Elastic Agent was started. If that log
path does not exist, the Agent was unable to start Metricbeat, which is a
higher level problem to triage.
What configuration is the Elastic Agent running?
editTo find the configuration file, inspect the elastic-agent.yml
file in the
folder where you ran Elastic Agent. If you’re running the Agent in Fleet mode, this
file contains the following citation:
Management: mode: "fleet"
The action_store.yml
contains the entire, unencrypted configuration:
-
To see the Elasticsearch location, look at
outputs:hosts
. - To see the Elastic Agent version, look at the download folder and zip filenames.
This file also shows the version of all packages used by the current configuration.
Why can’t I see the data Elastic Agent is sending?
editIf Elastic Agent is set up and running, but you don’t see data in Kibana:
-
Go to Management > Dev Tools in Kibana, and in the Console, search your index for data. For example:
GET metrics-*/_search
Or if you prefer, go to the Discover app.
-
Look at the data that Elastic Agent has sent and see if the
name.host
field contains your host machine name.
If you don’t see data for your host, it’s possible that the data is blocked in the network, or that a firewall or security problem is preventing the Elastic Agent from sending the data.
Although it’s redundant to install stand-alone Metricbeat, you might want to try installing it to see if it’s able to send data successfully to Elasticsearch. For more information, see Get started with Metricbeat.
If Metricbeat is able to send data to Elasticsearch, there is possibly a bug or problem with Elastic Agent, and you should report it.
How do I restore an Elastic Agent that I deleted from Fleet?
editIt’s ok, we’ve got your back! The data is still in Elasticsearch. To add Elastic Agent to Fleet again, Stop Elastic Agent, re-enroll it on the host, then run Elastic Agent.
How do I restart Elastic Agent after rebooting my host?
editOn Windows, if you used Powershell to install Elastic Agent as a service, the Agent should still be running after rebooting the host.
On macOS and Linux, you need to restart Elastic Agent from the command line after rebooting the host.
Support for installing Elastic Agent as a service on all supported systems will be available in a future release. To achieve this in the meantime, you can add the start command to a user’s startup profile.
What is the Endpoint integration shown in Ingest Manager?
editIn 7.8, the Endpoint integration is non-functional. It cannot be used yet. It exists as an artifact of the current feature development. Please watch for announcements during upcoming release cycles. As a teaser, Endpoint is the integration that will allow the Elastic Security app to have a dedicated executable running like Beats to protect the host and respond to detected security concerns. Endpoint will be managed by Elastic Agent in the same way that Beats are managed.