Upgrade standalone Elastic Agents

To upgrade a standalone agent running on an edge node:

Make sure the elastic-agent service is running.
From the directory where Elastic Agent is installed, run the upgrade command to upgrade to a new version. Not sure where the agent is installed? Refer to Installation layout.

For example, to upgrade the agent from version 9.1.0 to 9.1.1, you would run:
macOS
sudo elastic-agent upgrade 9.1.1
Linux
sudo elastic-agent upgrade 9.1.1
Windows
As an Administrator, run:
.\elastic-agent.exe upgrade 9.1.1
DEB
sudo elastic-agent upgrade 9.1.1
RPM
sudo elastic-agent upgrade 9.1.1

This command upgrades the binary. Your agent policy should continue to work, but you might need to upgrade it to use new features and capabilities.

For more command-line options, see the help for the upgrade command.

Upgrading standalone Elastic Agent in an air-gapped environment

The basic upgrade scenario should work for most use cases. However, in an air-gapped environment Elastic Agent is not able to access the Elastic Artifact Registry at artifacts.elastic.co directly.

As an alterative, you can do one of the following:

Configure a proxy server for standalone Elastic Agent to access the Elastic Artifact Registry.
Host your own artifact registry for standalone Elastic Agent to access binary downloads.

As well, starting from version 8.9.0, during the upgrade process Elastic Agent needs to download a PGP/GPG key. Refer to Configure Elastic Agents to download a PGP/GPG key from Fleet Server for the steps to configure the key download location in an air-gapped environment.

Refer to Air-gapped environments for more details.

Verifying Elastic Agent package signatures

Standalone Elastic Agent verifies each package that it downloads using publicly available SHA hash and .asc PGP signature files. The SHA file is used to verify that the package has not been modified, and the .asc file is used to verify that the package was released by Elastic. For this purpose, the Elastic public GPG key is embedded in Elastic Agent itself.

At times, the Elastic private GPG key may need to be rotated, either due to the key expiry or due to the private key having been exposed. In this case, standalone Elastic Agent upgrades can fail because the embedded public key no longer works.

In the event of a private GPG key rotation, you can use the following options with the upgrade command to either skip the verification process (not recommended) or force Elastic Agent to use a new public key for verification:

--skip-verify

Skip the package verification process. This option is not recommended as it is insecure.

Example:

./elastic-agent upgrade 9.1.0 --skip-verify

--pgp-path <string>

Use a locally stored copy of the PGP key to verify the upgrade package.

Example:

		./elastic-agent upgrade 9.1.0 --pgp-path /home/elastic-agent/GPG-KEY-elasticsearch
		
	

--pgp-uri <string>

Use the specified online PGP key to verify the upgrade package.

Example:

		./elastic-agent upgrade 8.7.0-SNAPSHOT --pgp-uri "https://artifacts.elastic.co/GPG-KEY-elasticsearch"
		
	

Under the basic upgrade scenario standalone Elastic Agent will automatically fetch the most current public key, however in an air-gapped environment or in the event that the Elastic Artifact Registry is otherwise inaccessible, these commands can be used instead.

Roll back an Elastic Agent upgrade for standalone agents

We have you covered in the unusual case that you need to rollback an upgrade for a standalone agent.

Earlier Elastic Agent versions could detect issues and automatically roll back to the previous installed version within ten minutes of an upgrade if needed. This feature is still available and on by default.

Elastic subscription

The manual rollback feature for Elastic Agent is available only for some Elastic subscription levels.

Manual rollback. The manual rollback feature expands the time window for rollbacks, giving you the ability to roll back to the previous version within seven days.

To roll back a recent upgrade to the previously installed version (if it is still available on disk):

macOS

sudo elastic-agent upgrade --rollback

Linux

sudo elastic-agent upgrade --rollback

Windows

As an Administrator, run:

.\elastic-agent.exe upgrade --rollback

DEB

The manual rollback feature is not available for system-managed packages such as DEB and RPM.

RPM

The manual rollback feature is not available for system-managed packages such as DEB and RPM.

Limitations for manual rollback (standalone agents)

These limitations apply for the manual rollback feature:

Rollback is limited to the version running before the upgrade. Both the previously and currently running versions must be 9.3.0 or later for this functionality to be available.
Data required for the rollback is stored on disk for seven days, which can impact available disk space.
Rollback must be performed within seven days of the upgrade. Rollback data is automatically cleaned up after seven days and becomes unavailable.
Manual rollback is not available for system-managed packages such as DEB and RPM.
Some data might be re-ingested after rollback.

Possible errors

If no version is available on disk to rollback to, you get an error. This situation can happen if:

the version you upgraded from is earlier than 9.3.0, as the feature was not implemented in earlier versions.
the rollback window has ended (typically more than seven days). When the rollback window ends, the files from the previous version are removed to free up disk space.