Elastic Security agentless integrations FAQs
Serverless Security Stack
Frequently asked questions and troubleshooting steps for Elastic Security's agentless CSPM integration.
After you create a new agentless integration, the new integration policy may show a button that says Add agent instead of the associated agent for several minutes during agent enrollment. No action is needed other than refreshing the page once enrollment is complete.
Agentless agents (which run on Elastic's infrastructure to enable agentless integrations) do not appear on the Fleet page by default. To view them on this page:
- Add the following query to the end of the Fleet page's URL: ?showAgentless=true.
- Go to the Settings tab of the Fleet page. Navigate to the Advanced Settings section, and turn on the Show agentless resources toggle.
For agentless integrations to successfully connect to Elastic Security, the Fleet server host value must be the default. Otherwise, the agent status on the Fleet page will be Offline, and logs will include the error [elastic_agent][error] Cannot checkin in with fleet-server, retrying.
To troubleshoot this issue:
- Find Fleet in the navigation menu or use the global search field. Go to the Settings tab.
- Under Fleet server hosts, click the Actions button for the policy named Default. This opens the Edit Fleet Server flyout. The policy named Default should have the Make this Fleet server the default one setting enabled. If not, enable it, then delete your integration and create it again.
If the Make this Fleet server the default one setting was already enabled but problems persist, it’s possible someone changed the default Fleet server’s URL value. In this case, contact Elastic Support to find out what the original URL value was, update the settings to match this value, then delete your integration and create it again.
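The troubleshooting steps above can be expressed as a small triage script. This is an added example, not Elastic's own code; it maps the Fleet server host settings and the agent's log lines to the next step this page recommends. It assumes the settings were exported as JSON in the shape of Kibana's Fleet server hosts listing (GET /api/fleet/fleet_server_hosts, with items[].name, items[].is_default and items[].host_urls); the function names, host names and URLs are constructed for illustration.

```python
import json

# Error text quoted on this page for agentless agents that cannot reach Fleet Server.
CHECKIN_ERROR = "Cannot checkin in with fleet-server, retrying"

def has_checkin_error(log_lines):
    """Return True if any log line carries the check-in error from this page."""
    return any(CHECKIN_ERROR in line for line in log_lines)

def triage(hosts_response, log_lines):
    """Map Fleet server host settings plus agent logs to the page's next step.

    hosts_response: parsed JSON; the field names used here are an assumption
    about the Fleet server hosts listing (items[].name, is_default, host_urls).
    """
    items = hosts_response.get("items", [])
    default_named = next((h for h in items if h.get("name") == "Default"), None)
    current_default = next((h for h in items if h.get("is_default")), None)

    if default_named is None:
        return "no-default-policy: no Fleet server host named Default was found"
    if not default_named.get("is_default"):
        other = current_default["name"] if current_default else "none"
        return (f"wrong-default: '{other}' is the default; enable the default "
                "setting on 'Default', then delete and re-create the integration")
    if has_checkin_error(log_lines):
        return ("url-suspect: 'Default' is the default but check-in fails; its URL "
                f"{default_named.get('host_urls')} may have been changed, confirm "
                "the original value with Elastic Support")
    return "ok: 'Default' is the default and no check-in errors were seen"

# Constructed sample data (not real output from any deployment).
SAMPLE_HOSTS = json.loads("""
{"items": [
  {"id": "default-host", "name": "Default", "is_default": false,
   "host_urls": ["https://fleet.example.invalid:443"]},
  {"id": "custom-host", "name": "Internal proxy", "is_default": true,
   "host_urls": ["https://proxy.example.invalid:8220"]}
]}
""")
SAMPLE_LOGS = [
    "[elastic_agent][info] Starting enrollment",
    "[elastic_agent][error] Cannot checkin in with fleet-server, retrying",
]

if __name__ == "__main__":
    print(triage(SAMPLE_HOSTS, SAMPLE_LOGS))
```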
On versions of Elastic Stack before v9.2, agentless integrations can't be upgraded to newer versions of the integration. To get a newer version in your Elastic Stack environment, upgrade to Elastic Stack v9.2+ or delete and re-install the desired integration.
On the Fleet page, agents associated with agentless integrations have names that begin with agentless. To troubleshoot an Unhealthy agent:
- Go to the Settings tab of the Fleet page. Go to the Advanced Settings section, and turn on the Show agentless resources toggle.
- In Fleet, select the unhealthy agent.
- From the Actions menu, select Request diagnostics .zip.
- Download and unzip the diagnostics bundle. Refer to Common problems with Fleet and Elastic Agent for more information.
Deleting your integration will remove all associated resources and stop data ingestion.
When you create a new agentless CSPM integration, a new agent policy appears within the Agent policies tab on the Fleet page, but you can’t use the Delete integration button on this page. Instead, you must delete the integration from the CSPM Integration’s Integration policies tab.
- Find Integrations in the navigation menu or use the global search field, then search for and select CSPM.
- Go to the CSPM Integration’s Integration policies tab.
- Find the integration policy for the integration you want to delete. Click Actions, then Delete integration.
- Confirm by clicking Delete integration again.