There is a known issue where it is not possible to set the log level on individual Elastic Agents as the Agent logging level setting is not available on the Elastic Agent’s details page.

Impact

No workaround is available at the moment, but a fix is expected to be available in a future patch release. Note that the agent logging level can still be set on a per-policy basis in the agent policy’s Settings tab.

Elastic Agent does not process Windows security events

Details

There is a known issue where Elastic Agent does not process Windows security events on hosts running Windows 10, Windows 11, and Windows Server 2022.

Impact

No workaround is available at the moment, but a fix is expected to be available in Elastic Agent 8.19.1.

Elastic Agents remain in an "Upgrade scheduled" state

Details

There is a known issue where Elastic Agent remains in an Upgrade scheduled state when a scheduled Elastic Agent upgrade is cancelled. Attempting to restart the upgrade on the UI returns an error: The selected agent is not upgradeable: agent is already being upgraded..

Impact

Until this issue is fixed in a later patch version, you can call the Upgrade an agent endpoint of the Kibana Fleet API with the force parameter set to true to force-upgrade the Elastic Agent:

curl --request POST \
  --url https://<KIBANA_HOST>/api/fleet/agents/<AGENT_ID>/upgrade \
  --user "<SUPERUSER_NAME>:<SUPERUSER_PASSWORD>" \
  --header 'Content-Type: application/json' \
  --header 'kbn-xsrf: true' \
  --data '{"version": "<VERSION>","force": true}'

To force-upgrade multiple Elastic Agents, call the Bulk upgrade agents endpoint of the Kibana Fleet API with the force parameter set to true:

curl --request POST \
  --url https://<KIBANA_HOST>/api/fleet/agents/bulk_upgrade \
  --user "<SUPERUSER_NAME>:<SUPERUSER_PASSWORD>" \
  --header 'Content-Type: application/json' \
  --header 'kbn-xsrf: true' \
  --data '{"version": "<VERSION>","force": true,"agents":["<AGENT_IDS>"]}'

fleet-agents template is missing mappings

Details

On May 2, 2025 a known issue was discovered that the .fleet-agents index template was missing a mapping for the local_metadata.complete attribute. This may cause agent checkins to be rejected and the agents to appear as offline.

In this Fleet’s logs this will appear as:

elastic fail 400: document_parsing_exception: [1:209] object mapping for [local_metadata] tried to parse field [local_metadata] as object, but found a concrete value
Eat bulk checkin error; Keep on truckin'

And in the Elastic Agent logs it will appear as:

"log.level":"error","@timestamp":"2025-04-22:12:35:25.295Z","message":"Eat bulk checkin error; Keep on truckin'","component":{"binary":"fleet-server","dataset":"elastic_agent.fleet_server","id":"fleet-server-es-containerhost","type":"fleet-server"},"log":{"source":"fleet-server-es-containerhost"},"service.type":"fleet-server","error.message":"elastic fail 400: document_parsing_exception: [1:209] object mapping for [local_metadata] tried to parse field [local_metadata] as object, but found a concrete value","ecs.version":"1.6.0","service.name":"fleet-server","ecs.version":"1.6.0"

This attribute was added to the template in versions: 8.17.11 8.18.3, and 8.19.3.

Further investigation revealed that the .fleet-agents index template was not correctly applied due to an unchanged _meta.managed_index_mappings_version number. This change also affects other attributes as well, such as upgrade_attempts, namespaces, unprivileged, and unhealthy_reason. If there is an error related to any of these attributes, there will be a similar error message in the logs.

Impact

Updating to a version with a fixed _meta.managed_index_mappings_version will correctly apply the new index template. The fixed versions are 8.18.8, 8.19.4, 9.0.8, 9.1.4.

New features

edit

The 8.19.0 release Added the following new and notable features.

Elastic Agent

Set replicas for Gateway Collector. #7011
Add nopexporter to EDOT Collector.
Set collectors fullnameOverride for EDOT kube-stack values. #7754 #7381
Add cumulativetodeltaprocessor to EDOT Collector.
Add apmconfig and apikeyauth OTel extensions.
Add bearertokenauth OTel extension.
Remove resource/k8s processor and use k8sattributes processor for service attributes. #8599

This PR removes the resource/k8s processor in honour of the k8sattributes processor that provides native support for the service attributes: https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/v0.127.0/processor/k8sattributesprocessor#configuring-recommended-resource-attributes

This change is aligned with the respective semantic conventions' guidance: https://opentelemetry.io/docs/specs/semconv/non-normative/k8s-attributes/#service-attributes
Rename OTel collector config file in diagnostics from otel-final.yaml to otel-merged.yaml.

Fleet Server

Add ability for enrollment to take an agent id. #4290 #4226

Enhancements

edit

Elastic Agent

Allow upgrading deb or rpm agents when using Elastic Defend with tamper protection. #6907 #6394
Include all metadata that is sent to Fleet in the agent-info.yaml file in diagnostics by default. #7029
Add ApiKey prefix to Motel host configurations. #7063
Add elastic.agent.fips to local_metadata. #9159 #8939 #9029 #9095 #8671 #8672 #9143 #7112 #7112
Validate pbkdf2 settings when in FIPS mode. #7187
FIPS compliant agent file vault. #7360
With this change FIPS compliant agents will only be able to upgrade to other FIPS compliant agents. This change also restricts non-FIPS to FIPS upgrades as well. #7312
Updated the error messages returned for FIPS upgrades. #7453
Update OTel components to v0.121.0.
Update OTel components to v0.122.0. #7725
Update OTel components to v0.123.0. #7996
Retry enrollment requests on any error. #8056
Update OTel components to v0.125.0.
Update OTel components to v0.127.0.
Remove deprecated OTel Elasticsearch exporter config *_dynamic_index from code and samples. #8592
Include the forwardconnector as an EDOT collector component. #8753
Update OTel components to v0.129.0.
Update apm config extension to v0.4.0.
Update Elastic trace processor to v0.7.0.
Update Elastic APM connector to v0.4.0.
Update API key auth extension to v0.2.0.
Update Elastic infra metrics processor to v0.16.0.

Fleet Server

Bump Go to v1.23.5. #4353
Clear agent.upgrade_attempts when upgrade is complete. #4528
Pbkdf2 settings validation is FIPS compliant. #4542
Update to Go v1.24.0. #4543
Add version metadata to version command output. #4820
Update Go to v1.24.3. #4891

Upgrades

edit

Elastic Agent

Bump apmconfig extension to v0.3.0.

Bug fixes

edit

Elastic Agent

Fix TSDB version_conflict_engine_exception caused by incorrect kube-stack Helm values. #9159 #8939 #9029 #9095 #8671 #8672 #9143 #6928
Make enroll command backoff more conservative. #9159 #8939 #9029 #9095 #8671 #8672 #9143 #6983 #6761
Add missing null checks to AST methods. #9159 #8939 #9029 #9095 #8671 #8672 #9143 #7009 #6999
Fixes an issue where fixpermissions on Windows incorrectly returned an error message due to improper handling of Windows API return values. #7059 #6917
Support IPv6 hosts in enroll URL. #7036
Support IPv6 host in gRPC config. #7035
Support IPv6 host in agent monitoring HTTP config. #7073
Rotate logger output file when writing to a symbolic link. elastic-agent-pull}6938[#6938]
Do not fail Windows permission updates on missing files/paths. #7305 #7301
Make otelcol executable in the Docker image. #9159 #8939 #9029 #9095 #8671 #8672 #9143 #7345
Fix Elasticsearch exporter configuration in kube-stack values. #9159 #8939 #9029 #9095 #8671 #8672 #9143 #7380
Ship journalctl in the elastic-agent, elastic-agent-complete, and elastic-agent-ubi Docker images to enable reading journald logs. Journalctl is not present on Wolfi images. #8492 #44040
Preserve agent run state on DEB and RPM upgrades. #7999 #3832
Use --header from enrollment when communicating with Fleet Server. #8071 #6823
Address a race condition that can occur in agent diagnostics if log rotation runs while logs are being zipped.
Use paths.tempdir for diagnostics actions. #8472
Use Debian 11 to build Linux/ARM to match Linux/AMD64. Upgrades Linux/ARM64’s statically linked glibc from 2.28 to 2.31. #8497
Relax file ownership check to allow admin re-enrollment on Windows. #8503 #7794
Remove incorrect logging that unprivileged installations are in beta. #8715 #8689
Ensure standalone Elastic Agent uses log level from configuration instead of persisted state. #8784 #8137
Resolve deadlocks in runtime checkin communication. #8881 #7944
Removed init.d support from RPM packages. #8896 #8840

Fleet Server

Added context deadline around flush bulk queue. #5179 #5043 #5062 #5063 #3986
Fix server.address field in HTTP logs. #5179 #5043 #5062 #5063 #4142
Remove race in remote bulker access. #5179 #5043 #5062 #5063 #4171 #4170
Audit/unenroll should not set unenrolled_at attribute. #4221 #6213
Remove auth requirement from PGP key endpoint. #5179 #5043 #5062 #5063 #4256 #4255
Return HTTP 429 when connection limit is reached. #5179 #5062 #5063 #4402 #4200
Fix host parsing in Elasticsearch output diagnostics. #4765
Redact output in bootstrap config logs. #4775
Mutex protection for remote bulker config. #4776
Enable dead code elimination. #4784
Include the base error for JSON decode error responses. #5069

« Fleet and Elastic Agent 8.19.1 Appendix A: Install a Fleet-managed Elastic Agent »