Do not recieve sysmon log from the Windows Integration in elastic agent

RobinIT · November 3, 2021, 7:37pm

Hello,

I want to enable in elastic agent the Windows integration (version 1.2.2) I want to use this integration to ship in Sysmon and powershell log. The agent is connected to a Fleet.

Adding the integration to the agent policy is not so difficult.

But recieving some log is more complicated. The agent is not sending any log, is this because it is not supported yet?

Or do I need to configure some extra settings on the agent. For instance I see that the filebeat YML is pointing as output to Elasticsearch: 127.0.0.1:9200....

Some help in any direction would be appreciated!

Thanks,
Robin

RobinIT · November 4, 2021, 1:13pm

Somebody? Should it work elastic agent managed by fleet, shipping in powershell en sysmon log? version 7.15...

By the use of the WIndows Integration.

zx8086 · November 4, 2021, 1:16pm

Hi @RobinIT

Welcome to the community !

Is the Elastic-agent on the same machine where the Elasticsearch Service is running?

RobinIT · November 4, 2021, 1:29pm

No the elastic-agent is on my laptop installed and Elasticsearch is on a dedicated machine.

RobinIT · November 4, 2021, 1:34pm

To make it more clear, I have one policy with three integrations:

Endpoint security
Windows
System

From that policy it looks like only Endpoint security is working.

Now I made a separate policy with only the Windows integration active, tried to find out where it is going wrong. I see that there is nothing send to Elasticsearch so must by something local on my laptop.

zx8086 · November 4, 2021, 2:14pm

This should point to the machine running your Elasticsearch Service in your filebeat settings, however your agents if Fleet-Managed should be set via the Fleet_Managed Agent configurations

RobinIT · November 4, 2021, 2:23pm

Thank you! That is what I expected aswell, strange thing is that in the agent state yml the output is correct:

outputs:
default:
api_key: xxxx
hosts:
- https://192.168.1.120:9200
password: xxxx
type: Elasticsearch
username: elastic

It is not mapped to the filebeat yml and metricbeat yml.

If I do status check of the elatic-agent I get the following:
PS C:\Program Files\Elastic\Agent> .\elastic-agent status
Status: HEALTHY
Message: (no message)
Applications:

filebeat (CONFIGURING)
Updating configuration
metricbeat (CONFIGURING)
Updating configuration
metricbeat (CONFIGURING)
Updating configuration
filebeat (CONFIGURING)
Updating configuration

That is explaining something....its updating for a long time

RobinIT · November 8, 2021, 7:57am

I have been busy yesterday to solve the problem. I found out some problems on the fleetserver aswell, sending clear text to the Elasticsearch channel (because of the localhost config setting in the filebeat config) and in between API key invalidated messages.
Finally after some struggle I found the problem.

In the end the problem was that I added Username and Password authentication in the elastic output configuration in fleet settings. By that time I was not fully awear about the API keys. In the filebeat log It was visible that both configurations active at the same time are giving problems ( API keys and Username and password authentication).

In the end the Filebeat config pointing to the local host is still the same.
Aswell for the elasticagent installed as fleetserver on the Elasticsearch host. The API key invalidated messages were solved after a restart of the elastic-agent client. And about the cleartext messages that was solved after removing the username and password authentication.

Thank you @zx8086, for you're help!

i will close this ticket.

system · December 6, 2021, 7:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.