
[Internal]: Add a known issue regarding osquery fails for new installs with the error "Failed: pid 12345 exited with code 1" #1528

@alexandra5000

Description

We need to create a known issue for elastic/elastic-agent#8245 in https://github.com/elastic/docs-content/tree/main/release-notes/fleet-elastic-agent.

Resources

The output of the elastic-agent status command shows an error similar to the one below:

        units:
            input-osquery-default-4b464ff8-e88a-47df-a99f-b98615bde173:
                message: 'Failed: pid ''95375'' exited with code ''1'''
                state: 4

This happens because the osquery.app/ directory is unconditionally stripped at installation time because of an omission directing agent to preserve this file on macOS.

Starting contents of the components/ directory showing that the osquery.app directory exists:

    ❯ ls ~/Downloads/builds/elastic-agent-9.1.0-SNAPSHOT-darwin-aarch64/data/elastic-agent-ea8a07/components
    LICENSE.txt                     checksum.yml                    fleet-server.spec.yml
    NOTICE.txt                      endpoint-security               lenses
    agentbeat                       endpoint-security-resources.zip module
    agentbeat.spec.yml              endpoint-security.spec.yml      osquery-extension.ext
    certs                           fleet-server                    osquery.app

Install the agent in development mode:

    ❯ sudo ./elastic-agent install --develop -f
    Installing into development namespace; this is an experimental and currently unsupported feature.
    [==  ] Service Started  [4s] Elastic Agent - Development successfully installed, starting enrollment.
    [==  ] Done  [4s]

    Elastic Agent - Development has been successfully installed.

Resulting installed agent is missing the osquery.app directory:

    ❯ sudo ls /Library/Elastic/Agent-Development/data/elastic-agent-9.1.0-SNAPSHOT-ea8a07/components/
    agentbeat                       endpoint-security               lenses
    agentbeat.spec.yml              endpoint-security-resources.zip module
    certs                           endpoint-security.spec.yml      osquery-extension.ext

Which documentation set does this change impact?

Elastic On-Prem only

Feature differences

N/A

What release is this request related to?

9.0

Serverless release

N/A

Collaboration model

The documentation team

Point of contact.

Main contact: @cmacknz

Stakeholders: @alexandra5000
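
A triage check for the symptom described in this issue, as an added example that is not part of the original issue or Elastic's code: it scans saved `elastic-agent status` output for osquery units reporting the exit failure and checks whether `osquery.app` exists in the installed `components/` directory. The function names, the result labels and the sample status text (modelled on the fragment above) are assumptions.

```python
import re
from pathlib import Path

# Constructed sample, modelled on the status fragment quoted in the issue.
SAMPLE_STATUS = """\
units:
    input-osquery-default-4b464ff8-e88a-47df-a99f-b98615bde173:
        message: 'Failed: pid ''95375'' exited with code ''1'''
        state: 4
"""

KEY_RE = re.compile(r"^\s*([\w.-]+):\s*$")  # a mapping key with no inline value
# Quotes are optional so both YAML-escaped ('') and plain messages match.
FAIL_RE = re.compile(r"Failed: pid '*(\d+)'* exited with code '*(\d+)")


def failed_osquery_units(status_text):
    """Return [(unit, pid, exit_code)] for osquery units reporting the failure."""
    hits, unit = [], None
    for line in status_text.splitlines():
        key = KEY_RE.match(line)
        if key:
            unit = key.group(1)  # remember the unit the next message belongs to
            continue
        m = FAIL_RE.search(line)
        if m and unit and "osquery" in unit:
            hits.append((unit, int(m.group(1)), int(m.group(2))))
    return hits


def diagnose(status_text, components_dir):
    """Classify the install (hypothetical labels, not Elastic Agent output)."""
    failing = failed_osquery_units(status_text)
    bundle_present = (Path(components_dir) / "osquery.app").is_dir()
    if not failing:
        return "ok"
    return "failing-other-cause" if bundle_present else "missing-osquery.app"


if __name__ == "__main__":
    import sys
    # Usage: python check.py <saved-status-file> <installed components dir>
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 2 else SAMPLE_STATUS
    comp = sys.argv[2] if len(sys.argv) > 2 else "."
    print(failed_osquery_units(text), diagnose(text, comp))
```

A result of `missing-osquery.app` corresponds to the state shown in the post-install listing above; `failing-other-cause` means the unit is failing even though the bundle is present.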
