Fleet and Elastic Agent 8.9.0

Review important information about the Fleet and Elastic Agent 8.9.0 release.

Security updates

Fleet Server
  • Use a verified base image for building Fleet Server binaries. #2339

Known issues

PGP key download fails in an air-gapped environment


If you’re using an air-gapped environment, we recommend waiting for this issue to be resolved before installing 8.9.x or any higher version, to avoid being unable to upgrade.

Starting from version 8.9.0, when Elastic Agent tries to perform an upgrade, it first verifies the binary signature with the key bundled in the agent. This process has a backup mechanism that will use the key coming from https://artifacts.elastic.co/GPG-KEY-elastic-agent instead of the one it already has.

In an air-gapped environment, the agent won’t be able to download the remote key and therefore cannot be upgraded.


For the upgrade to succeed, the agent needs to download the remote key from a server accessible from the air-gapped environment. Two workarounds are available.

Option 1

If an HTTP proxy is available to be used by the Elastic Agents in your Fleet, add the proxy settings using environment variables as explained in Proxy Server connectivity using default host variables. Please note that you need to enable HTTP Proxy usage for artifacts.elastic.co to bypass this problem, so you can craft the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables to be used exclusively for it.

Option 2

As the upgrade URL is not customizable, we have to "trick" the system by pointing https://artifacts.elastic.co/ to another host that will have the file.

The following examples require a server in your air-gapped environment that serves the key you have downloaded from https://artifacts.elastic.co/GPG-KEY-elastic-agent.

Example 1: Manual

Edit the Elastic Agent server hosts file to add the following content:

<YOUR_HOST_IP> artifacts.elastic.co

The Linux hosts file path is /etc/hosts.

The Windows hosts file path is C:\Windows\System32\drivers\etc\hosts.

Example 2: Puppet

host { 'elastic-artifacts':
  ensure  => 'present',
  name    => 'artifacts.elastic.co',   # hostname written to the hosts file
  comment => 'Workaround for PGP check',
  ip      => '<YOUR_HOST_IP>',
}

Example 3: Ansible

- name  : 'elastic-artifacts'
  hosts : 'all'
  become: 'yes'

  tasks:
    - name: 'Add entry to /etc/hosts'
      lineinfile:
        path: '/etc/hosts'
        line: '<YOUR_HOST_IP> artifacts.elastic.co'
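Because the override changes where the agent fetches its signing key, it is worth confirming that each machine carries exactly one mapping for artifacts.elastic.co and that it points at the intended server. The following check is an added example, not part of the Elastic documentation; the function name audit_override and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Audit a hosts file for the artifacts.elastic.co override (read-only).
# Usage: audit_override <hosts_file> <expected_ip>
# Prints: ok       - the name maps only to <expected_ip>
#         missing  - no active entry for the name
#         conflict - the name maps to another IP, or to more than one IP
audit_override() {
  awk -v want="$2" -v name="artifacts.elastic.co" '
    {
      sub(/\r$/, "")              # tolerate CRLF (file copied from Windows)
      sub(/#.*/, "")              # drop whole-line and trailing comments
      if (NF < 2) next            # blank or malformed line
      for (i = 2; i <= NF; i++)   # field 1 is the IP, the rest are names
        if (tolower($i) == name) seen[$1] = 1
    }
    END {
      n = 0
      for (ip in seen) n++
      if (n == 0)                        print "missing"
      else if (n == 1 && (want in seen)) print "ok"
      else                               print "conflict"
    }' "$1"
}

# Constructed sample hosts file (192.0.2.0/24 is a documentation range).
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost
# 192.0.2.99 artifacts.elastic.co   (old entry, commented out)
192.0.2.10  artifacts.elastic.co    # Workaround for PGP check
EOF
audit_override "$sample" 192.0.2.10
rm -f "$sample"
```

Running the same check after the workaround is no longer needed shows which machines still carry the entry and should have it removed.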

Breaking changes

Breaking changes can prevent your application from optimal operation and performance. Before you upgrade, review the breaking changes, then mitigate the impact to your application.

Status command has been changed.

The Elastic Agent status command has been changed so that the default human output now uses a list format and summarizes output.

Full human output can be obtained with the new full option. For more information, refer to #2890.

API default error code is now 500.

Previously, when Fleet Server encountered an unexpected error it resulted in a Bad Request response.

Now, any unexpected error returns an Internal Server Error response while keeping most of the current behavior unchanged. On expected failure paths (for example, Agent Inactive, Missing Agent ID, Missing Auth Header) a Bad Request response is returned. For more information, refer to #2531.

host.name field changed to ECS lowercase format.

In Elastic Agent output the host.name field has been changed to lowercase to match Elastic Common Schema (ECS) guidelines. The agent name is also reported in lowercase (AGENT-name becomes agent-name).

After upgrading Elastic Agent to version 8.9.0 or higher, any case-sensitive searches may result in false-positive alerts. For example, a case-sensitive search based on the upper-case AGENT-name could result in an alert such as system.load.1 reported no data in the last 5m for AGENT-name. After upgrading, you may need to manually clear alerts and adjust some searches to match the new host.name format.

New features

The 8.9.0 release added the following new and notable features.

  • Adds CloudFormation install method to CSPM. #159994
  • Adds flags to give permissions to write to any dataset and namespace. #157897
  • Disables Agent ID verification for Observability projects. #157400
  • Setup ignore_malformed in Fleet. #157184
Fleet Server
  • A new elastic-api version header is added, allowing versioning of the Fleet Server APIs. #2677
  • Support delivery of user-uploaded files to integrations. #2666
Elastic Agent
  • Add the logs subcommand to the agent CLI. #2745 #114
  • Support upgrading to specific snapshots by specifying the build ID. #2752


  • Adds agent integration health reporting in the Fleet UI. #158826
Fleet Server
  • Expose Prometheus metrics on metrics listener (when enabled). Ship Prometheus metrics with apm.Tracer when tracer is enabled. #2610
Elastic Agent
  • Add additional elements to support the Universal Profiling integration. #2881

Bug fixes

  • Fixes a bug that prevented index.mapping settings from being propagated into component templates from default settings. #157289
Fleet Server
  • Fixes a bug during Elastic Agent upgrades where action_seq_no was overwritten with 0 if the ackToken was not provided. #2582
  • Fixes an issue that caused Fleet Server to go offline after reboot. #2697 #2431
Elastic Agent
  • Change monitoring socket to use a hash of the ID instead of the actual ID. #2912
  • Fix the drop processor for monitoring component logs to use the component.id instead of the dataset. #2982 #2388
  • Update Node version to 18.16.0. #2696