As the topic says, we upgraded both our DEV and PROD clusters to ElasticStack 8.19.2 (DEV) or 8.19.0 (PROD) we notice that on all our Windows hosts that run agent version 8.19.x, the logging of SYSMON is no longer forwarded to the ElasticStack. Completely stopped. Previously we ran 8.18.2 when it still worked fine.
The agents that still run 8.18.2 do still log sysmon events.
We tried to downgrade the agent version to 8.18.2 but that is not supported, it’s fleet-managed.
Now what to do?
What is the exactly version? There was an issue in the winlog input on 8.19.0 that was fixed on 8.19.1 according to the release notes.
You can have your cluster on 8.19.0 and agents on 8.19.2 if you do not want to upgrade the entire cluster.
You can downgrade by uninstalling the agent and reinstalling it on a previous version.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.