I want to enable the Windows integration (version 1.2.2) in Elastic Agent. I want to use this integration to ship Sysmon and PowerShell logs. The agent is connected to a Fleet.
Adding the integration to the agent policy is not so difficult.
But receiving some logs is more complicated. The agent is not sending any logs; is this because it is not supported yet?
Or do I need to configure some extra settings on the agent? For instance, I see that the filebeat YML is pointing as output to Elasticsearch: 127.0.0.1:9200....
To make it more clear, I have one policy with three integrations:
Endpoint security
Windows
System
From that policy it looks like only Endpoint security is working.
Now I made a separate policy with only the Windows integration active and tried to find out where it is going wrong. I see that there is nothing sent to Elasticsearch, so it must be something local on my laptop.
This should point to the machine running your Elasticsearch Service in your filebeat settings; however, if your agents are Fleet-managed, it should be set via the Fleet-managed Agent configurations.
It is not mapped to the filebeat yml and metricbeat yml.
If I do a status check of the elastic-agent I get the following:
PS C:\Program Files\Elastic\Agent> .\elastic-agent status
Status: HEALTHY
Message: (no message)
Applications:
  filebeat (CONFIGURING)
      Updating configuration
  metricbeat (CONFIGURING)
      Updating configuration
  metricbeat (CONFIGURING)
      Updating configuration
  filebeat (CONFIGURING)
      Updating configuration
That explains something.... it's updating for a long time.
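The status output above shows the trap in this thread: the agent reports an overall HEALTHY status while every component underneath it is stuck in CONFIGURING and nothing is shipped. The following is an added example (not from the thread or from Elastic) that parses that output layout and flags components that are not actually running; the sample text is constructed to mirror the pasted output, with the optional leading "*" that some agent versions print handled as an assumption.

```python
import re

# Constructed sample modelled on the `elastic-agent status` output above:
# two components still CONFIGURING, two that have reached HEALTHY.
SAMPLE_STATUS = """\
Status: HEALTHY
Message: (no message)
Applications:
  filebeat (CONFIGURING)
      Updating configuration
  metricbeat (CONFIGURING)
      Updating configuration
  metricbeat (HEALTHY)
      Running
  filebeat (HEALTHY)
      Running
"""

# Matches "name (STATE)" lines; the "*" bullet is optional (assumed format).
APP_LINE = re.compile(r"^\s*\*?\s*(?P<name>\S+)\s+\((?P<state>[A-Z]+)\)\s*$")


def parse_status(text):
    """Return (overall_status, [(component, state, message), ...])."""
    overall = None
    apps = []
    for line in text.splitlines():
        if line.startswith("Status:"):
            overall = line.split(":", 1)[1].strip()
            continue
        if line.startswith(("Message:", "Applications:")):
            continue
        m = APP_LINE.match(line)
        if m:
            apps.append([m.group("name"), m.group("state"), ""])
        elif apps and line.strip():
            # Indented continuation line: the message for the previous component.
            apps[-1][2] = line.strip()
    return overall, [tuple(a) for a in apps]


def stuck_components(text, healthy=("HEALTHY",)):
    """Components whose state is not healthy, e.g. filebeat sitting in CONFIGURING."""
    _, apps = parse_status(text)
    return [(n, s, msg) for n, s, msg in apps if s not in healthy]


def agent_is_shipping(text):
    """True only when the agent is HEALTHY and no component is stuck."""
    overall, _ = parse_status(text)
    return overall == "HEALTHY" and not stuck_components(text)


if __name__ == "__main__":
    for name, state, msg in stuck_components(SAMPLE_STATUS):
        print(f"{name}: {state} ({msg})")
```

Feed it the real output (for example `.\elastic-agent status | python check_status.py` with a small stdin wrapper) and a "HEALTHY" agent with stuck beats is caught instead of being trusted.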
I was busy yesterday solving the problem. I found some problems on the fleet server as well: sending clear text to the Elasticsearch channel (because of the localhost config setting in the filebeat config) and, in between, API key invalidated messages.
Finally after some struggle I found the problem.
In the end the problem was that I added username and password authentication in the Elasticsearch output configuration in Fleet settings. At that time I was not fully aware of the API keys. In the filebeat log it was visible that both configurations active at the same time are giving problems (API keys and username and password authentication).
In the end the filebeat config pointing to localhost is still the same.
The same goes for the elastic-agent installed as fleet server on the Elasticsearch host. The API key invalidated messages were solved after a restart of the elastic-agent client. And the cleartext messages were solved after removing the username and password authentication.