[beats receivers] Output translation does not use correct TLS configuration #9803

@belimawr

Description

When enabling agent.monitoring._runtime_experimental: "otel", the TLS configuration of the output is not translated to the Beats receivers configuration.

Steps to reproduce

1. Create a stack using Elastic-Package (easy way to use custom TLS certificates)

elastic-package stack up -v -d --version=9.2.0-SNAPSHOT

2. Create a log file constantly appending data to it (e.g. using flog)

flog -d1 -s1 -f rfc5424 -w -o /tmp/flog.log -t log &

3. Create a policy with the Custom Logs (Filestream) integration

When adding the integration set paths to /tmp/flog.log

4. Deploy the Elastic-Agent following the instructions on Kibana and adding --insecure

sudo ./elastic-agent install --url=https://fleet-server:8220 --enrollment-token=a2F3SEtwa0JhQm4yRzJpWDNKcTA6Mnl6N0xVM3dINnp1THdycmdCaUhLdw== --insecure

5. Confirm the Elastic-Agent is correctly sending data (both integration and monitoring)

6. Go to Dev Tools and set the monitoring runtime to otel

Go to Dev Tools and run the request below. Don't forget to edit the Policy ID to match yours.

PUT kbn:/api/fleet/agent_policies/<POLICY ID>
{
  "name": "Test policy",
  "namespace": "default",
  "overrides": {
    "agent": {
      "monitoring": {
        "_runtime_experimental": "otel"
      }
    }
  }
}

7. Run elastic-agent status and confirm the TLS settings are not valid in otel mode:

root@archlinux /home/vagrant/elastic-agent-9.2.0-SNAPSHOT-linux-x86_64 % elastic-agent status                
┌─ fleet
│  └─ status: (HEALTHY) Connected
└─ elastic-agent
   ├─ status: (DEGRADED) 1 or more components/units in a degraded state
   ├─ beat/metrics-monitoring
   │  ├─ status: (DEGRADED) DEGRADED
   │  └─ beat/metrics-monitoring
   │     └─ status: (DEGRADED) Elasticsearch request failed: tls: failed to verify certificate: x509: certificate signed by unknown authority
   ├─ filestream-monitoring
   │  ├─ status: (DEGRADED) DEGRADED
   │  └─ filestream-monitoring
   │     └─ status: (DEGRADED) Elasticsearch request failed: tls: failed to verify certificate: x509: certificate signed by unknown authority
   └─ http/metrics-monitoring
      ├─ status: (DEGRADED) DEGRADED
      └─ http/metrics-monitoring
         └─ status: (DEGRADED) Elasticsearch request failed: tls: failed to verify certificate: x509: certificate signed by unknown authority
root@archlinux /home/vagrant/elastic-agent-9.2.0-SNAPSHOT-linux-x86_64 % 

8. Collect the diagnostics and look at otel-merged.yaml

You'll see the CA trusted fingerprint configuration (or any configuration to accept custom certificates) is missing:

exporters:
    elasticsearch/_agent-component/monitoring:
        api_key: <REDACTED>
        batcher:
            enabled: true
            max_size: 50
            min_size: 0
        compression: gzip
        compression_params:
            level: 1
        endpoints:
            - https://elasticsearch:9200
        idle_conn_timeout: 1m0s
        logs_dynamic_id:
            enabled: true
        mapping:
            mode: bodymap
        retry:
            enabled: true
            initial_interval: 1s
            max_interval: 1m0s
            max_retries: 3
        timeout: 1m30s
        tls:
            max_version: "1.3"
            min_version: "1.2"
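
A check for the symptom in step 8, as an added example that is not part of the original issue or the Elastic Agent code base: it scans an otel-merged.yaml for exporters with HTTPS endpoints whose tls block carries no CA setting. The key names ca_file and ca_pem, the second sample exporter, and the small block-style YAML reader (used in place of a YAML library) are assumptions of this example.

```python
# Constructed sample shaped like the fragment above; the second exporter is hypothetical.
SAMPLE = """\
exporters:
    elasticsearch/_agent-component/monitoring:
        endpoints:
            - https://elasticsearch:9200
        tls:
            max_version: "1.3"
            min_version: "1.2"
    elasticsearch/hypothetical-with-ca:
        endpoints:
            - https://elasticsearch:9200
        tls:
            ca_file: /hypothetical/ca.pem
"""
# Assumption: a translated trust anchor would appear under `tls` as one of these keys.
TRUST_KEYS = frozenset({"ca_file", "ca_pem"})

def flatten(text):
    """Yield (path, value) for block-style YAML mappings and scalar lists only."""
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent, item = len(raw) - len(raw.lstrip()), body.startswith("- ")
        # A list item may sit at the same indent as the key that owns it.
        while stack and (stack[-1][0] > indent or (stack[-1][0] == indent and not item)):
            stack.pop()
        path = tuple(key for _, key in stack)
        if item:
            yield path, body[2:].strip().strip('"')
            continue
        key, _, value = (part.strip() for part in body.partition(":"))
        stack.append((indent, key))
        if value:
            yield path + (key,), value.strip('"')

def exporters_without_trust(text, trust_keys=TRUST_KEYS):
    """Map each HTTPS exporter lacking a trust key to the tls keys it does have."""
    https, tls = set(), {}
    for path, value in flatten(text):
        if len(path) < 3 or path[0] != "exporters":
            continue
        if path[2] == "endpoints" and value.startswith("https://"):
            https.add(path[1])
        elif path[2] == "tls" and len(path) == 4:
            tls.setdefault(path[1], set()).add(path[3])
    return {n: sorted(tls.get(n, ())) for n in sorted(https) if not trust_keys & tls.get(n, set())}
```

Run against the sample, it reports only the monitoring exporter, with min_version and max_version as the sole tls keys present.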
