A few weeks ago, the AD Entity Analytics integration stopped ingesting any data. This happened around the time we updated Elastic from 8.15.3 to 8.15.5. It seems that after updating Elastic, the incremental updates were working but the first full synchronisation failed, and since then we haven't got any data. We've tried disabling and re-enabling the integration but it keeps failing.
The Elastic Agent logs suggest that it does start the full synchronisation, but it fails after a couple of seconds and doesn't try again. Below is the error message we are seeing in the logs:
```
Input entity-analytics-entityanalytics_ad.user-a3165afb-dd71-4374-9cd2-5f830a59f5ba panic: input entity-analytics-entityanalytics_ad.user-a3165afb-dd71-4374-9cd2-5f830a59f5ba panic with: runtime error: invalid memory address or nil pointer dereference
goroutine 24777 [running]:
runtime/debug.Stack()
	runtime/debug/stack.go:24 +0x5e
github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/internal/kvstore.(*input).Run.func1()
	github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/internal/kvstore/input.go:62 +0x58
panic({0x557b385ede80?, 0x557b3dabafe0?})
	runtime/panic.go:770 +0x132
github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/internal/kvstore.(*TxTracker).Add(...)
	github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/internal/kvstore/tracker.go:27
github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/activedirectory.(*adInput).publishMarker(0xc000000840, {0x557b36ba1390?, 0x11?, 0x557b3e276d60?}, {0xc1e62a351e28f3fa, 0xdb1a7c0c9a70, 0x557b3e276d60}, {0xc007faa050, 0x4d}, 0x1, ...)
	github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/activedirectory/activedirectory.go:385 +0x1ea
github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/activedirectory.(*adInput).runFullSync(_, {0xc008138d70, {0xc007faa050, 0x4d}, {0xc007faa050, 0x4d}, {{0x557b36b4ed69, 0x8}, {0x557b36b4ed69, 0x8}, ...}, ...}, ...)
	github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/activedirectory/activedirectory.go:262 +0xa3b
github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/activedirectory.(*adInput).Run(_, {0xc008138d70, {0xc007faa050, 0x4d}, {0xc007faa050, 0x4d}, {{0x557b36b4ed69, 0x8}, {0x557b36b4ed69, 0x8}, ...}, ...}, ...)
	github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/provider/activedirectory/activedirectory.go:145 +0x6d8
github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/internal/kvstore.(*input).Run(_, {0xc008138d70, {0xc007faa050, 0x4d}, {0xc007faa050, 0x4d}, {{0x557b36b4ed69, 0x8}, {0x557b36b4ed69, 0x8}, ...}, ...}, ...)
	github.com/elastic/beats/v7/x-pack/filebeat/input/entityanalytics/internal/kvstore/input.go:86 +0x60c
github.com/elastic/beats/v7/filebeat/input/v2/compat.(*runner).Start.func1()
	github.com/elastic/beats/v7/filebeat/input/v2/compat/compat.go:136 +0x235
created by github.com/elastic/beats/v7/filebeat/input/v2/compat.(*runner).Start in goroutine 74
	github.com/elastic/beats/v7/filebeat/input/v2/compat/compat.go:133 +0xbb
```
We are currently running Elastic version 8.17.0 with version 0.6.0 of the integration. This integration was really useful when it was working, so any ideas on how to fix it would be appreciated.