Troubleshoot common problems
This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
We have collected the most common known problems here. If your problem isn’t described here, please review open issues in the following GitHub repositories:
Have a question? Read our FAQ, or contact us in the discuss forum. Your feedback is very valuable to us.
Fleet is not listed in the Kibana side navigation
The Fleet app is enabled by default. If you are unable to see the app in Kibana, make sure it’s enabled.
To enable Fleet on Elastic Cloud:
- Go to your deployment in the user console.
- Under the deployment name in the side navigation, click Edit.
- In the Kibana section, expand User setting overrides and enter the following setting:
  xpack.fleet.enabled: true
- Click Save.
Kibana will restart automatically. When Kibana is available, refresh the browser to see the Fleet app in the navigation menu.
To enable Fleet on a self-managed cluster:
- In the Elasticsearch configuration file, config/elasticsearch.yml, set the following security settings to enable security and API keys:
  xpack.security.enabled: true
  xpack.security.authc.api_key.enabled: true
- In the Kibana configuration file, config/kibana.yml, enable Fleet and specify user credentials:
To set up passwords, you can use the documented Elasticsearch APIs or the elasticsearch-setup-passwords command. For example:
./bin/elasticsearch-setup-passwords auto
After running the command, copy the Elastic user name to the Kibana config file. Then restart Kibana.
The /api/ingest_management/setup endpoint can’t reach the package registry
In order to install Integrations, the Fleet app needs to connect to an external service called the Elastic Package Registry. For this to work, the Kibana server must be able to connect to https://epr.elastic.co on port 443.
Fleet in Kibana crashes
To find out more about the error, open your browser’s development console, navigate to the Network tab, and refresh the page. One of the requests to the Fleet API will most likely have returned an error. If the error message doesn’t give you enough information to fix the problem, please contact us in the discuss forum.
Elastic Agent enrollment fails on the host with Client.Timeout exceeded message
Elastic Agent must be able to connect to the Kibana instance to enroll in Fleet. If the agent is unable to connect, you will see the following failure:
fail to enroll: fail to execute request to {kib}:Post http://kibana:5601/api/fleet/agents/enroll?: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
This may occur if the host is unable to connect to Kibana. To troubleshoot the problem:
- Check for networking problems. Run the ping command from the host to confirm that it can reach the Kibana instance.
- Verify that the URL and port you specified during enrollment are correct for your environment.
- Check the enrollment key that you specified during enrollment to confirm that the key is valid. To do this:
  - In Fleet, go to the Agents tab and click Enrollment Tokens.
  - Click the eyeball icon to see the secret. The secret should match the string that you used to enroll Elastic Agent on your host.
  - If the secret doesn’t match, create a new enrollment token and use the new token when you run the elastic-agent enroll command.
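The package registry check and the enrollment timeout above are both reachability questions, and ping only exercises ICMP, not the TCP port the request uses. The following added example (not Elastic's own tooling) pulls the URL out of the agent's error line and reports which layer fails; the function names and the use of curl are assumptions of this example.

```shell
#!/bin/sh
# Added example: find out which layer blocks a connection to Kibana or the registry.

# Pull the request URL out of an Elastic Agent enrollment error line.
enroll_url() {
    printf '%s\n' "$1" | sed -n 's|.*Post \(https\{0,1\}://[^ ]*\): .*|\1|p'
}

# Print "host port" for a URL; the port defaults from the scheme.
# IPv6 literals are not handled.
url_hostport() {
    scheme=${1%%://*}
    authority=${1#*://}
    authority=${authority%%[/?]*}
    case $authority in
        *:*) port=${authority##*:} ;;
        *)   if [ "$scheme" = https ]; then port=443; else port=80; fi ;;
    esac
    printf '%s %s\n' "${authority%%:*}" "$port"
}

# Map a curl exit status to the layer that failed.
diagnose() {
    case $1 in
        0)     echo "reachable" ;;
        6)     echo "dns: host name does not resolve" ;;
        7)     echo "tcp: connection refused or no route to host" ;;
        28)    echo "timeout: no answer, check firewall and proxy rules" ;;
        35|60) echo "tls: handshake or certificate validation failed" ;;
        *)     echo "other: curl exit status $1" ;;
    esac
}

# Probe a URL from this host. Any HTTP status counts as reachable: the
# question is whether a connection can be made, not whether it is authorized.
probe() {
    rc=0
    curl -sS -o /dev/null --connect-timeout 5 --max-time 10 "$1" || rc=$?
    printf '%s -> %s\n' "$(url_hostport "$1")" "$(diagnose "$rc")"
    return "$rc"
}

# On the Kibana server: sh probe.sh https://epr.elastic.co
# On the agent host:    sh probe.sh http://kibana:5601
if [ "$#" -gt 0 ]; then
    for u in "$@"; do probe "$u" || true; done
fi
```

Run it from the machine that makes the connection: the Kibana server for the registry, the agent host for enrollment.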
Elasticsearch authentication service fails with Authentication using apikey failed message
Fleet requires an encryption key in order to save API keys and encrypt them in Kibana. To provide the encryption key, set the xpack.encryptedSavedObjects.encryptionKey property in the kibana.yml configuration file. For example:
xpack.encryptedSavedObjects.encryptionKey: "something_at_least_32_characters"
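The sample value above is a placeholder and should not be copied into a real kibana.yml. The following added example (not part of Kibana) checks the flat, dotted form of the setting shown here and prints a random replacement when the key is missing, too short, or still the placeholder; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the saved-objects encryption key in a kibana.yml.

KEY_NAME='xpack.encryptedSavedObjects.encryptionKey'
PLACEHOLDER='something_at_least_32_characters'   # sample value from this page

# Print the configured value with surrounding quotes removed.
# Only the flat dotted form of the setting is recognized.
enc_key_value() {
    sed -n "s/^[[:space:]]*$KEY_NAME:[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//" |
        tail -n 1
}

# Classify the setting as: missing | placeholder | short | ok
enc_key_status() {
    value=$(enc_key_value "$1")
    if [ -z "$value" ]; then
        echo missing
    elif [ "$value" = "$PLACEHOLDER" ]; then
        echo placeholder
    elif [ "${#value}" -lt 32 ]; then
        echo short
    else
        echo ok
    fi
}

# 32 bytes from the kernel CSPRNG, printed as 64 hex characters.
new_enc_key() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Usage: sh check-key.sh config/kibana.yml
if [ "$#" -gt 0 ]; then
    status=$(enc_key_status "$1")
    echo "$1: $status"
    if [ "$status" != ok ]; then
        printf 'suggested line:\n%s: "%s"\n' "$KEY_NAME" "$(new_enc_key)"
    fi
fi
```

Use the same key on every Kibana instance and keep it stable: saved objects encrypted under one key cannot be decrypted with another.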
Elastic Agent fails with Agent process is not root/admin or validation failed message
Make sure the user running Elastic Agent has root privileges. If you’re running Elastic Agent in the foreground (and not as a service) on Linux or macOS, run the agent under the root user, for example, by using sudo or su. Some integrations require root privileges to collect sensitive data.
If you’re using the Endpoint Security integration, also make sure you’re running Elastic Agent under the SYSTEM account.
If you install Elastic Agent as a service as described in Install Elastic Agent, Elastic Agent runs under the SYSTEM account by default.
To run Elastic Agent under the SYSTEM account, you can:
- Download PsExec and extract the contents to a folder, for example, d:\tools.
- Open a command prompt as an Administrator (right-click the Command Prompt icon and select Run As Administrator).
- From the command prompt, run Elastic Agent under the SYSTEM account:
  d:\tools\psexec.exe -sid "C:\Program Files\Elastic-Agent\elastic-agent.exe" run
Elastic Agent hangs while unenrolling
When you unenroll an agent, Fleet waits for acknowledgement from the agent
before it completes the unenrollment process. If Fleet doesn’t receive
acknowledgement, the status hangs at unenrolling.
If this happens, select Force unenroll from the Actions menu in the Agents list.
This will invalidate all API keys related to the agent and change the status to inactive so that the agent no longer appears in Fleet.
API key is unauthorized to send telemetry to .logs-endpoint.diagnostic.collection-* indices
Telemetry is turned on by default in the Elastic Stack. This helps us learn about the features that our users are most interested in, so we can focus our efforts on making them even better.
If you’ve recently upgraded from version 7.10 to 7.11, you might see the following message when you view Endpoint Security logs:
action [indices:admin/auto_create] is unauthorized for API key id [KbvCi3YB96EBa6C9k2Cm] of user [fleet_enroll] on indices [.logs-endpoint.diagnostic.collection-default]
This message indicates that Elastic Endpoint does not have the correct permissions to send telemetry. This is a known problem in 7.11 that will be fixed in an upcoming patch release. To remove this message from your logs, you can turn off telemetry for the Endpoint Security integration until the next patch release is available.
- In Kibana, go to Fleet > Integrations and click the Installed integrations tab.
- Click Endpoint Security, and then click the Policies tab to see all the installed integrations.
- Click the integration to edit it.
- Under advanced settings, set windows.advanced.diagnostic.enabled to false, then save the integration.