diff --git a/docs/getting-started/agentless-troubleshooting.asciidoc b/docs/getting-started/agentless-troubleshooting.asciidoc new file mode 100644 index 0000000000..6629458449 --- /dev/null +++ b/docs/getting-started/agentless-troubleshooting.asciidoc @@ -0,0 +1,47 @@ +[[agentless-integration-troubleshooting]] += Agentless integrations FAQ + +Frequently asked questions and troubleshooting steps for {elastic-sec}'s agentless CSPM integration. + +[discrete] +== When I make a new integration, when will I see the agent appear on the Integration Policies page? + +After you create a new agentless integration, the new integration policy may show a button that says **Add agent** instead of the associated agent for several minutes during agent enrollment. No action is needed other than refreshing the page once enrollment is complete. + +[discrete] +== How do I troubleshoot an `Offline` agent? + +For agentless integrations to successfully connect to {elastic-sec}, the {fleet} server host value must be the default. Otherwise, the agent status on the {fleet} page will be `Offline`, and logs will include the error `[elastic_agent][error] Cannot checkin in with fleet-server, retrying`. + +To troubleshoot this issue: + +. Find **{fleet}** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Go to the **Settings** tab. +. Under **{fleet} server hosts**, click the **Actions** button for the policy named `Default`. This opens the Edit {fleet} Server flyout. The policy named `Default` should have the **Make this {fleet} server the default one** setting enabled. If not, enable it, then delete your integration and create it again. + +NOTE: If the **Make this {fleet} server the default one** setting was already enabled but problems persist, it's possible someone changed the default {fleet} server's **URL** value. In this case, contact Elastic Support to find out what the original **URL** value was, update the settings to match this value, then delete your integration and create it again. + +[discrete] +== How do I troubleshoot an `Unhealthy` agent? + +On the **{fleet}** page, the agent associated with an agentless integration has a name that begins with `agentless`. To troubleshoot an `Unhealthy` agent: + +* Confirm that you entered the correct credentials for the cloud provider you're monitoring. The following is an example of an error log resulting from using incorrect AWS credentials: ++ +``` +[elastic_agent.cloudbeat][error] Failed to update registry: failed to get AWS accounts: operation error Organizations: ListAccounts, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: XXX, api error AccessDenied: User: XXX is not authorized to perform: sts:AssumeRole on resource:XXX +``` + +For instructions on checking {{fleet}} logs, refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} troubleshooting]. + +[discrete] +== How do I delete an agentless integration? + +NOTE: Deleting your integration will remove all associated resources and stop data ingestion. + +When you create a new agentless CSPM integration, a new agent policy appears within the **Agent policies** tab on the **{fleet}** page, but you can't use the **Delete integration** button on this page. Instead, you must delete the integration from the CSPM Integration's **Integration policies** tab. + +. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then search for and select `CSPM`. +. Go to the CSPM Integration's **Integration policies** tab. +. Find the integration policy for the integration you want to delete. Click **Actions**, then **Delete integration**. +. Confirm by clicking **Delete integration** again. + diff --git a/docs/getting-started/index.asciidoc b/docs/getting-started/index.asciidoc index 64daa518ae..68e7ab74c1 100644 --- a/docs/getting-started/index.asciidoc +++ b/docs/getting-started/index.asciidoc @@ -14,6 +14,7 @@ include::ingest-data.asciidoc[leveloffset=+1] include::threat-intel-integrations.asciidoc[leveloffset=+2] include::automatic-import.asciidoc[leveloffset=+2] include::agentless-integrations.asciidoc[leveloffset=+2] +include::agentless-troubleshooting.asciidoc[leveloffset=+3] include::security-spaces.asciidoc[leveloffset=+1]