Unable to download Elastic Agent from Fleet endpoint

[ajmeese7]

Version

2.4.140

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

32

RAM

64GB

Storage for /

121G

Storage for /nsm

271G

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

On the endpoint /kibana/app/fleet/agents, when you click "Add Agent", it has these instructions:

Unfortunately, I cannot cURL that endpoint:

$ curl -L -O http://securityonion:8443/artifacts/beats/elastic-agent/elastic-agent-8.17.6-linux-x86_64.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:01:05 --:--:--     0
curl: (52) Empty reply from server

And hitting it manually fails, despite the hostname working normally to access all other URLs and interact with Security Onion via the web interface. I don't know if there is some firewall that I need to change to allow access to this specific port/endpoint, but I have checked the documentation and failed to find anything indicating as much.

When I look at the Nginx access logs, this is all I see realated to the endpoint:

$ cat /opt/so/log/nginx/access.log | grep "beats/elastic-agent"
192.168.1.222 - - [06/May/2025:17:14:01 +0000] "GET /artifacts/beats/elastic-agent/elastic-agent-8.17.6-linux-x86_64.tar.gz HTTP/1.1" 000 0 "-" "curl/8.5.0" "-"
192.168.1.166 - - [06/May/2025:17:39:42 +0000] "GET /artifacts/beats/elastic-agent/elastic-agent-8.17.6-linux-x86_64.tar.gz HTTP/1.1" 000 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36" "-"

My artifacts configuration in the so-nginx file /etc/nginx/nginx.conf is unchanged, I see:

location /artifacts/ {
        try_files $uri =206;
        proxy_read_timeout    90;
        proxy_connect_timeout 90;
        proxy_set_header      Host $host;
        proxy_set_header      X-Real-IP $remote_addr;
        proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header      Proxy "";
        proxy_set_header      X-Forwarded-Proto $scheme;
}

I do not know what is going wrong, I have a pretty standard installation and haven't made any crazy configurations. Can anybody help me track down the cause of this so I can download/update my Elastic Agents internally, instead of having to manually grab them from elastic.co?

I'm not even sure which machine the artifacts folder would be in, to confirm that the artifacts properly exist on my installation.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[InfosecGoon]

Use the Elastic Agent installers that are available from the Downloads link in SOC - those are preconfigured for your grid and ready to go.

[ajmeese7]

That's not a solution to the problem I described, I want to know why I cannot download the artifacts like "Add Agent" tells me to.

[TOoSmOotH]

That's not a solution to the problem I described, I want to know why I cannot download the artifacts like "Add Agent" tells me to.

That is because you are not trying to download artifacts. You are trying to download the elastic agent which is not hosted at that location.

[ajmeese7]

So why would it say to download it from that location?

[TOoSmOotH]

So why would it say to download it from that location?

Because that is the default Elastic location but you are using Security Onion. We removed it from that location because if you download it from there it won't enroll automatically. The proper location is the downloads link in SOC.

[dohabandit]

I think something is clearly wrong then in 2.4.150.
I can download the elastic agent using curl right this instant, but the version is somehow mismatched. The script fragment produced in the enrollment page wants to download 8.17.6 and curl fails using that URL, but if I change the version, curl succeeds just fine using the same version the fleetserver is running on (8.17.3).

sumus3r@sumserv3r:/home/sumus3r# mkdir curltest sumus3r@sumserv3r:/home/sumus3r# cd curltest/ sumus3r@sumserv3r:/home/sumus3r/curltest# ls -la total 8 drwxr-xr-x 2 sumus3r sumus3r 4096 May 13 22:43 . drwxr-x--- 13 sumus3r sumus3r 4096 May 13 22:43 .. sumus3r@sumserv3r:/home/sumus3r/curltest# curl -L -O http://x.x.x.x:8443/artifacts/beats/elastic-agent/elastic-agent-8.17.3-linux-x86_64.tar.gz % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 379M 100 379M 0 0 97.0M 0 0:00:03 0:00:03 --:--:-- 97.0M sumus3r@sumserv3r:/home/sumus3r/curltest# ls -la total 388308 drwxr-xr-x 2 sumus3r sumus3r 4096 May 13 22:44 . drwxr-x--- 13 sumus3r sumus3r 4096 May 13 22:43 .. -rw-r--r-- 1 sumus3r sumus3r 397611014 May 13 22:44 elastic-agent-8.17.3-linux-x86_64.tar.gz sumus3r@sumserv3r:/home/sumus3r/curltest# curl -L -O http://x.x.x.x:8443/artifacts/beats/elastic-agent/elastic-agent-8.17.6-linux-x86_64.tar.gz % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- 0:00:46 --:--:-- 0^C sumus3r@sumserv3r:/home/sumus3r/curltest#

$ ls /nsm/elastic-fleet/ artifacts so_agent-installers $ ls /nsm/elastic-fleet/artifacts/ beats elastic-agent_SO-8.17.3.md5 elastic-agent_SO-8.17.3.tar.gz $ ls /nsm/elastic-fleet/artifacts/beats/ elastic-agent $ ls /nsm/elastic-fleet/artifacts/beats/elastic-agent/ elastic-agent-8.17.3-darwin-aarch64.tar.gz elastic-agent-8.17.3-darwin-x86_64.tar.gz.asc elastic-agent-8.17.3-linux-x86_64.tar.gz.sha512 elastic-agent-8.17.3-darwin-aarch64.tar.gz.asc elastic-agent-8.17.3-darwin-x86_64.tar.gz.sha512 elastic-agent-8.17.3-windows-x86_64.zip elastic-agent-8.17.3-darwin-aarch64.tar.gz.sha512 elastic-agent-8.17.3-linux-x86_64.tar.gz elastic-agent-8.17.3-windows-x86_64.zip.asc elastic-agent-8.17.3-darwin-x86_64.tar.gz elastic-agent-8.17.3-linux-x86_64.tar.gz.asc elastic-agent-8.17.3-windows-x86_64.zip.sha512 $ ls /nsm/elastic-fleet/so_agent-installers/ so-elastic-agent_darwin_amd64 so-elastic-agent_darwin_arm64 so-elastic-agent_linux_amd64 so-elastic-agent_windows_amd64 so-elastic-agent_windows_amd64_msi

[dohabandit]

I'm not sure if this is related, but I had my SO instance blow up during the last soup upgrade to 2.4.150. (fleetserver got messed up somehow). So I decided to shutdown that VM and just build a pristine new (standalone) SO server and see how it works installing directly from the ISO as a greenfield install. So far so good, and then it wasn't so good...

I started to uninstall elastic agents from some endpoints and then use the standard process in fleet to enroll new agents. My curl downloads were failing. Hrmmm? I then noticed the version it was trying to download was 8.17.6, but when I looked at the SO server the bits weren't there and the fleet server was on 8.17.3. I manually changed the download URL to use 8.17.3 and VIOLA my download worked fine. It wasn't a location issue, it was a version mismatch issue. Enrollement worked fine thereafter using the --insecure switch since it is running with self-signed certs.

Anyway, I now notice that in fleet all the agents I enrolled say that an upgrade is available, but the fleetserver itself is stuck on 8.17.3 and not upgradeable. I have never seen a case in the past where I was able to upgrade an endpoint to a version HIGHER than the fleetserver version, but the interface is stating that an upgrade to 8.17.6 is available.

I decided to try upgrading an endpoint and it failed after a while. Logs are showing that it was unable to retrieve the update package, but instead of the /artifacts/beats/elastic-agent path, it is showing a local file system path starting with /opt. I have also noticed that the fleetserver itself is intermittently showing as OFFLINE. Never saw that behavior before either. It comes back later as healthy though.

Everything was good in 2.4.141.

[defensivedepth]

@ajmeese7 Please review the documentation again - https://docs.securityonion.net/en/2.4/elastic-agent.html#deployment

To deploy an Elastic agent to an endpoint, go to the Security Onion Console Downloads page and download the proper Elastic agent for the operating system of that endpoint.

We just added the following note:

Within the Elastic Fleet interface, there is an Add Agent button - it is not recommended to use this particular method to install the Elastic Agent, as it requires much more manual configuration.

Also, even though the Elastic Fleet interface says that there is an update available, Security Onion is currently on Elastic stack version 8.17.3, so those agents can't be upgraded past that.

[defensivedepth]

To be clear though, @dohabandit you can override the agent policy using the SO-generated installers like so:

./installer -token=bXdVWHpaVUJFSFhaZkY0ZXdXQm06NElDNkVFeUxRbjJJQjhrZkcwMkdsQQ==

That token comes from the Fleet interface, under Enrollment Tokens.

[samuel809]

This is an important (overlooked by me) detail, in 2.4.150 for example the default upgrade is option is to 8.17.6 for an already registered agent. It does not complete because the grid is in 8.17.3. if you do a new installation of an agent, 8.17.3 is the one installed.

thanks.

[dohabandit]

I haven't seen this behavior before where it shows upgrades available that are in fact not available.

I didn't think it mattered in the past whether I used the downloads page or the fleet installer page to deploy agents, it just seemed like the SO download package was handling the issue with the SO nodes having potentially self-signed "insecure" certificates installed. I just specified the --insecure flag and figured that was the only real issue using the fleet installer method. Now I am wondering what other things they might be doing with respect to the elastic agent in those installer files! Might explain why I was seeing some periodic certificate errors in logs even though I was manually copying the public/private keys to the trust store on the agents (in a production system I'd use a legit CA infrastructure)

BTW, the SO documentation for installing the Elastic Agents mentions downloading the installer packages and executing them, but the documentation pages make no mention of using the -token switch with the enrollment token secret.
I think the documentation should be updated to include this -token switch and to mention to not deploy via fleet or perform any upgrade operations via fleet or they will potentially fail.

[Hyperadministrator]

Within the Elastic Fleet interface, there is an Add Agent button - it is not recommended to use this particular method to install the Elastic Agent, as it requires much more manual configuration.

I would say current solution makes much more manual work into managing Elastic Fleet Agents and is confusing.

[TOoSmOotH]

Within the Elastic Fleet interface, there is an Add Agent button - it is not recommended to use this particular method to install the Elastic Agent, as it requires much more manual configuration.

I would say current solution makes much more manual work into managing Elastic Fleet Agents and is confusing.

Clicking a link and downloading the agent then double clicking the install that has the keys built in is more difficult and confusing?