Troubleshoot common problemsedit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

We have collected the most common known problems here. If your problem isn’t described here, please review open issues in the following GitHub repositories:

Have a question? Read our FAQ, or contact us in the discuss forum. Your feedback is very valuable to us.

Fleet is not listed in the Kibana side navigationedit

The Fleet app is enabled by default. If you are unable to see the app in Kibana, make sure it’s enabled.

To enable Fleet on Elastic Cloud:

  1. Go to your deployment in the user console.
  2. Under the deployment name in the side navigation, click Edit.
  3. In the Kibana section, expand User setting overrides and enter the following setting:

    xpack.fleet.enabled: true
  4. Click Save.

Kibana will restart automatically. When Kibana is available, refresh the browser to see the Fleet app in the navigation menu.

To enable Fleet on a self-managed cluster:

  1. In the Elasticsearch configuration file, config/elasticsearch.yml, set the following security settings to enable security and API keys:

    xpack.security.enabled: true
    xpack.security.authc.api_key.enabled: true
  2. In the Kibana configuration file, config/kibana.yml, enable Fleet and specify user credentials:

    xpack.fleet.enabled: true
    xpack.fleet.agents.tlsCheckDisabled: true 
    xpack.encryptedSavedObjects.encryptionKey: "something_at_least_32_characters"
    xpack.security.enabled: true
    elasticsearch.username: "my_username" 
    elasticsearch.password: "my_password"

    This setting is not required if you configure TLS checking.

    Specify a user who is authorized to use Fleet.

To set up passwords, you can use the documented Elasticsearch APIs or the elasticsearch-setup-passwords command. For example:

./bin/elasticsearch-setup-passwords auto

After running the command, copy the Elastic user name to the Kibana config file. Then restart Kibana.

The /api/ingest_management/setup endpoint can’t reach the package registryedit

In order to install Integrations, the Fleet app needs to connect to an external service called the Elastic Package Registry. For this to work, the Kibana server must be able to connect to https://epr.elastic.co on port 443.

Fleet in Kibana crashesedit

To find more about the error, open your browser’s development console, navigate to the Network tab, and refresh the page. One of the requests to the Fleet API will most likely have returned an error. If the error message doesn’t give you enough information to fix the problem, please contact us in the discuss forum.

Elastic Agent enrollment fails on the host with Client.Timeout exceeded messageedit

Elastic Agent must be able to connect to the Kibana instance to enroll in Fleet. If the agent is unable to connect, you will see the following failure:

fail to enroll: fail to execute request to {kib}:Post http://kibana:5601/api/fleet/agents/enroll?: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

This may occur if the host is unable to connect to Kibana. To troubleshoot the problem:

  1. Check for networking problems. Run the ping command from the host to confirm that it can reach the Kibana instance.
  2. Verify that the URL and port you specified during enrollment are correct for your environment.
  3. Check the enrollment key that you specified during enrollment to confirm that the key is valid. To do this:

    1. In Fleet, go to the Agents tab and click Enrollment Tokens.
    2. Click the eyeball icon to see the secret. The secret should match the string that you used to enroll Elastic Agent on your host.
    3. If the secret doesn’t match, create a new enrollment token and use the new token when you run the elastic-agent enroll command.

Elasticsearch authentication service fails with Authentication using apikey failed messageedit

Fleet requires an encryption key in order to save API keys and encrypt them in Kibana. To provide an API key, set the xpack.encryptedSavedObjects.encryptionKey property in the kibana.yml configuration file. For example:

xpack.encryptedSavedObjects.encryptionKey: "something_at_least_32_characters"

Elastic Agent fails with Agent process is not root/admin or validation failed messageedit

Make sure the user running Elastic Agent has root privileges. If you’re running Elastic Agent in the foreground (and not as a service) on Linux or macOS, run the agent under the root user, for example, sudo or su. Some integrations require root privileges to collect sensitive data.

If you’re using the Endpoint Security integration, also make sure you’re running Elastic Agent under the SYSTEM account.

If you install Elastic Agent as a service as described in Install Elastic Agent and enroll it in Fleet, Elastic Agent runs under the SYSTEM account by default.

To run Elastic Agent under the SYSTEM account, you can:

  1. Download PsExec and extract the contents to a folder, for example, d:\tools.
  2. Open a command prompt as an Administrator (right-click the Command Prompt icon and select Run As Administrator).
  3. From the command prompt, run Elastic Agent under the SYSTEM account:

    d:\tools\psexec.exe -sid "C:\Program Files\Elastic-Agent\elastic-agent.exe" run

Elastic Agent hangs while unenrollingedit

When you unenroll an agent, Fleet waits for acknowledgement from the agent before it completes the unenrollment process. If Fleet doesn’t receive acknowledgement, the status hangs at unenrolling.

If this happens, select Force unenroll from the Actions menu in the Agents list.

This will invalidate all API keys related to the agent and change the status to inactive so that the agent no longer appears in Fleet.

API key is unauthorized to send telemetry to .logs-endpoint.diagnostic.collection-* indicesedit

Telemetry is turned on by default in the Elastic Stack. This helps us learn about the features that our users are most interested in, so we can focus our efforts on making them even better.

If you’ve recently upgraded from version 7.10 to 7.11, you might see the following message when you view Endpoint Security logs:

action [indices:admin/auto_create] is unauthorized for API key id [KbvCi3YB96EBa6C9k2Cm]
of user [fleet_enroll] on indices [.logs-endpoint.diagnostic.collection-default]

This message indicates that Elastic Endpoint does not have the correct permissions to send telemetry. This is a known problem in 7.11 that will be fixed in an upcoming patch release. To remove this message from your logs, you can turn off telemetry for the Endpoint Security integration until the next patch release is available.

  1. In Kibana, go to Fleet > Integrations and click the Installed integrations tab.
  2. Click Endpoint Security, and then click the Policies tab to see all the installed integrations.
  3. Click the integration to edit it.
  4. Under advanced settings, set windows.advanced.diagnostic.enabled to false, then save the integration.