Loading

Elastic Agent release notes

Stack

Review the changes, fixes, and more in each version of Elastic Agent.

To check for security updates, go to Security announcements for the Elastic Stack.

Related release notes

Elastic Agent integrates and manages Beats for data collection, and Beats changes may impact Elastic Agent functionality. To check for Elastic Agent changes in Beats, go to Beats release notes.

  • Add the dockerstats OpenTelemetry receiver. #9364
  • Bump kube-stack Helm Chart to 0.9.1 and enable the cluster collector. #9535
  • Enhanced loggers for easier debugging of upgrade related issues. #9536
  • Redact secrets from pre-config, computed-config, components-expected, and components-actual files in diagnostics archive. #9560
  • Retry service start command upon failure with 30-second delay. #9313
  • Fix reporting of scheduled upgrade details across restarts and cancels. #9562 #8778
  • Enable root user to re-enroll unprivileged agent for mac and linux. #8544
  • Fix missing liveness healthcheck during container enrollment. #9612 #9611
  • Enable admin user to re-enroll unprivileged agent for windows. #9623 #8544
  • Treat exit code 284 from Endpoint binary as non-fatal. #9687
  • Ensure failed upgrade actions are removed from queue and details are set. #9634 #9629

  • Upgrade to Go 1.24.6. #9287

  • On Windows, retry saving the Agent information file to disk. #9224 #5862

    Saving the Agent information file involves renaming/moving a file to its final destination. However, on Windows, it is sometimes not possible to rename/move a file to its destination file because the destination file is locked by another process (e.g. antivirus software). For such situations, we now retry the save operation on Windows.

  • Correct hints annotations parsing to resolve only ${kubernetes.*} placeholders instead of resolving all ${...} patterns. #9307

  • Treat exit code 28 from Endpoint binary as non-fatal. #9320

  • Fixed jitter backoff strategy reset. #9342 #8864

  • Fix Docker container failing to start with no matching vars: ${env.ELASTICSEARCH_API_KEY:} and similar errors by restoring support for : to set default values. #9451 #9328

  • Fix deb upgrade by stopping elastic-agent service before stopping endpoint. #9462

No new features, enhancements, or fixes.

  • Don't overwrite elasticsearch output headers from enrollment --headers flag. #9199 #9197

This release also includes: Deprecations.

  • Adds a new configuration setting, agent.upgrade.rollback.window. #8065 #6881

    The value of the agent.upgrade.rollback.window setting determines the period after upgrading Elastic Agent when a rollback to the previous version can be triggered. This is an optional setting, with a default value of 168h (7 days). The value can be any string that is parseable by https://pkg.go.dev/time#ParseDuration.

  • Remove resource/k8s processor and use k8sattributes processor for service attributes. #8599

    This PR removes the resource/k8s processor in honour of the k8sattributes processor that provides native support for the Service attributes: https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/v0.127.0/processor/k8sattributesprocessor#configuring-recommended-resource-attributes

    This change is aligned with the respective Semantic Conventions' guidance: https://opentelemetry.io/docs/specs/semconv/non-normative/k8s-attributes/#service-attributes

  • Add elastic.agent.fips to local_metadata. #7112

    Add elastic.agent.fips (bool) attribute to local_metadata sent with enroll and checkin requests. The value of this attribute indicates if the agent is a FIPS-capable distribution.

  • Validate pbkdf2 settings when in FIPS mode. #7187

  • FIPS-capable agent file vault. #7360

    Change elastic file vault implementation to allow variable length salt sizes only in FIPS enabled agents. Increase default salt size to 16 for FIPS compliance. Non-FIPS agents are unchanged.

  • With this change FIPS-capable agents will only be able to upgrade to other FIPS-capable agents. This change also restricts non-fips to fips upgrades as well. #7312 #4811

  • Updated the error messages returned for fips upgrades. #7453

  • Retry enrollment requests on any error. #8056

    If any error is encountered during an attempted enrollment, the elastic-agent will backoff and retry. Add a new --enroll-timeout flag and FLEET_ENROLL_TIMEOUT env var to set how long it tries for, default 10m. A negative value disables the timeout.

  • Remove deprecated otel elasticsearch exporter config *_dynamic_index from code and samples. #8592

  • Include the forwardconnector as an EDOT collector commponent. #8753

    https://github.com/open-telemetry/opentelemetry-collector/tree/main/connector/forwardconnector

  • Update OTel components to v0.129.0.

  • Update APM Config extension to v0.4.0.

  • Update Elastic Trace processor to v0.7.0.

  • Update Elastic APM connector to v0.4.0.

  • Update API Key Auth extension to v0.2.0.

  • Update Elastic Infra Metrics processor to v0.16.0.

  • Upgrade to Go 1.24.3. #8109

  • Correctly handle sending signal to child process. #7738 #6875

  • Preserve agent run state on DEB and RPM upgrades. #7999 #3832

  • Use --header from enrollment when communicating with Fleet Server. #8071 #6823

    The --header option for the enrollment command now adds the headers to the communication with Fleet Server. This allows a proxy that requires specific headers present for traffic to flow to be placed in front of a Fleet Server to be used and still allowing the Elastic Agent to enroll.

  • Address a race condition that can occur in Agent diagnostics if log rotation runs while logs are being zipped.

  • Use paths.TempDir for diagnostics actions. #8472

  • Use Debian 11 to build linux/arm to match linux/amd64. Upgrades linux/arm64's statically linked glibc from 2.28 to 2.31. #8497

  • Relax file ownership check to allow admin re-enrollment on Windows. #8503 #7794

    On Windows, the agent previously enforced a strict file ownership (SID) check during re-enrollment, which prevented legitimate admin users from re-enrolling the agent if the owner did not match. This PR changes the Windows-specific logic to a no-op, allowing any admin to re-enroll the agent. This restores usability for admin users, but reintroduces the risk that privileged re-enrollment can break unprivileged installs. The Unix-specific ownership check remains unchanged.

  • Remove incorrect logging that unprivileged installations are in beta. #8715 #8689

    Unprivileged installations went GA in 8.15.0: https://www.elastic.co/docs/reference/fleet/elastic-agent-unprivileged

  • Ensure standalone Elastic Agent uses log level from configuration instead of persisted state. #8784 #8137

  • Resolve deadlocks in runtime checkin communication. #8881 #7944

  • Removed init.d support from RPM packages. #8896 #8840

  • Bump kube-stack Helm Chart to 0.9.1 and enable the cluster collector. #9535
  • Enhanced loggers for easier debugging of upgrade related issues. #9536
  • Redact secrets from pre-config, computed-config, components-expected, and components-actual files in diagnostics archive. #9560
  • Retry service start command upon failure with 30-second delay. #9313
  • Fix reporting of scheduled upgrade details across restarts and cancels. #9562 #8778
  • Enable root user to re-enroll unprivileged agent for mac and linux. #9603 #8544
  • Fix missing liveness healthcheck during container enrollment. #9612 #9611
  • Enable admin user to re-enroll unprivileged agent for windows. #9623 #8544
  • Treat exit code 284 from Endpoint binary as non-fatal. #9687
  • Ensure failed upgrade actions are removed from queue and details are set. #9634 #9629

  • Upgrade to Go 1.24.6. #9287

  • On Windows, retry saving the Agent information file to disk. #9224 #5862

    Saving the Agent information file involves renaming/moving a file to its final destination. However, on Windows, it is sometimes not possible to rename/move a file to its destination file because the destination file is locked by another process (e.g. antivirus software). For such situations, we now retry the save operation on Windows.

  • Correct hints annotations parsing to resolve only ${kubernetes.*} placeholders instead of resolving all ${...} patterns. #9307

  • Treat exit code 28 from Endpoint binary as non-fatal. #9320

  • Fixed jitter backoff strategy reset. #9342 #8864

  • Fix Docker container failing to start with no matching vars: ${env.ELASTICSEARCH_API_KEY:} and similar errors by restoring support for : to set default values. #9451 #9328

  • Fix deb upgrade by stopping elastic-agent service before upgrading. #9462

No new features, enhancements, or fixes.

  • Add file logs only managed OTLP input kube-stack configuration. #8785

  • Remove incorrect logging that unprivileged installations are in beta. #8715 #8689

    Unprivileged installations went GA in 8.15.0: https://www.elastic.co/docs/reference/fleet/elastic-agent-unprivileged

  • Ensure standalone Elastic Agent uses log level from configuration instead of persisted state. #8784 #8137

  • Resolve deadlocks in runtime checkin communication. #8881 #7944

  • Removed init.d support from RPM packages. #8896 #8840

  • Address a race condition that can occur in Agent diagnostics if log rotation runs while logs are being zipped. #8215

  • Use paths.TempDir for diagnostics actions. #8472

  • Relax file ownership check to allow admin re-enrollment on Windows. #8503 #7794

    On Windows, the agent previously enforced a strict file ownership (SID) check during re-enrollment, which prevented legitimate admin users from re-enrolling the agent if the owner did not match. This PR changes the Windows-specific logic to a no-op, allowing any admin to re-enroll the agent. This restores usability for admin users, but reintroduces the risk that privileged re-enrollment can break unprivileged installs. The Unix-specific ownership check remains unchanged.

  • Upgrade Go version to 1.24.3. #8109

  • Preserve agent run state on DEB and RPM upgrades. #7999 #3832

    Improves the upgrade process for Elastic Agent installed using DEB or RPM packages by copying the run directory from the previous installation into the new version's folder

This release also includes: Breaking changes.

  • Add nopexporter to EDOT Collector. #7788
  • Set collectors fullnameOverride for edot kube-stack values. #7754 #7381
  • Update OTel components to v0.121.0. #7686
  • Fix Managed OTLP Helm config to use current image repo. #7882

This release also includes: Breaking changes.

  • Adds the Azure Asset Inventory definition to Cloudbeat for Elastic Agent #5323
  • Adds Kubernetes deployment of the Elastic Distribution of OTel Collector named "gateway" to the Helm kube-stack deployment for Elastic Agent #6444
  • Adds the filesource provider to composable inputs. The provider watches for changes of the files and updates the values of the variables when the content of the file changes for Elastic Agent #6587 and #6362
  • Adds the jmxreceiver to the Elastic Distribution of OTel Collector for Elastic Agent #6601
  • Adds support for context variables in outputs as well as a default provider prefix for Elastic Agent #6602 and #6376
  • Adds the Nginx receiver and Redis receiver OTel components for Elastic Agent #6627
  • Adds --id (ELASTIC_AGENT_ID environment variable for container) and --replace-token (FLEET_REPLACE_TOKEN environment variable for container) enrollment options for Elastic Agent #6498
  • Updates Go version to 1.22.10 in Elastic Agent #6236
  • Adds the Filebeat receiver into Elastic Agent #5833
  • Updates OTel components to v0.119.0 in Elastic Agent #6713
  • Fixes logical race conditions in the kubernetes_secrets provider in Elastic Agent #6623
  • Resolves the proxy to inject into agent component configurations using the Go http package in Elastic Agent #6675 and #6209