Elastic Agent 7.13.1 keeps degrading endpoint security for macOS

The endpoint security for macOS keeps getting to the status 'DEGRADED'. I simply create a new policy, add endpoint security to the policy and enroll the fleet-agent with the provided command.

Full-Disk Access Permissions for elastic-agent and elastic-endpoint have been assigned.

Here are the relevant log files out of the fleet server.

23:14:02.329
elastic_agent
[elastic_agent][info] 2021-06-07T23:14:02+02:00 - message: Application: endpoint-security--7.13.1[d514a70b-1279-46e3-8d98-58cbc75d4abf]: State changed to CONFIG:  - type: 'STATE' - sub_type: 'CONFIG'
23:14:22.395
elastic_agent
[elastic_agent][info] 2021-06-07T23:14:22+02:00 - message: Application: endpoint-security--7.13.1[d514a70b-1279-46e3-8d98-58cbc75d4abf]: State changed to CONFIG: Protecting with policy {00000000-0000-0000-0000-000000000000} - type: 'STATE' - sub_type: 'CONFIG'
23:14:26.225
elastic_agent
[elastic_agent][warn] Elastic Agent status changed to: 'degraded'
23:14:26.225
elastic_agent
[elastic_agent][info] 2021-06-07T23:14:26+02:00 - message: Application: endpoint-security--7.13.1[d514a70b-1279-46e3-8d98-58cbc75d4abf]: State changed to DEGRADED: Protecting with policy {8f4e6e72-d37f-4a1a-81b2-9bf3131217cb} - type: 'STATE' - sub_type: 'RUNNING'

The last line keeps repeating over and over.

sudo elastic-agent status
Status: DEGRADED
Message: (no message)
Applications:
  * endpoint-security	(DEGRADED)
    Protecting with policy {8f4e6e72-d37f-4a1a-81b2-9bf3131217cb}
  * filebeat	(HEALTHY)
    Running
  * metricbeat	(HEALTHY)
    Running

Does anybody have an idea how to get elastic-agent's endpoint-security on macOS 11.3.1 to Healthy?

  • System: macOS 11.3.1 (Chip Apple M1)
  • elastic and elastic-agent: 7.13.1

Hello fgierlinger,

I will be more than happy to help you.

First, let's make sure that the System Extension for Elastic Endpoint is enabled. Can you go to Preference -> Security & Privacy? Do you see a message that says:

System software from application "ElasticEndpoint" was blocked from loading.

If so, let's enable that first.

If it is already enabled on your system, we will need additional information. Can you gather the Endpoint log from your system and share it with me? The log is available under /Library/Elastic/Endpoint/state/log

If you wish, you can PM me directly.
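
For triaging agent log lines like the ones quoted in the question, the following added example (not part of either post and not Elastic's code) reduces the "State changed to" lines to a per-application summary: state transitions, how often the last state repeated, and the last non-zero policy ID. The function names are hypothetical, the sample lines are copied from the question with the last one repeated once, and treating the all-zero policy ID as a placeholder is an assumption.

```python
import re

# Format of the "State changed to" lines quoted in the question.
STATE_RE = re.compile(
    r"Application: (?P<app>[\w-]+?)--(?P<ver>[\d.]+)\[(?P<id>[0-9a-f-]+)\]: "
    r"State changed to (?P<state>[A-Z]+):\s*(?P<msg>.*?)\s*"
    r"- type: '(?P<type>\w+)' - sub_type: '(?P<sub>\w+)'"
)
POLICY_RE = re.compile(r"\{([0-9a-f-]{36})\}")
# Assumption: the all-zero ID is a placeholder shown before a real policy is applied.
NULL_POLICY = "00000000-0000-0000-0000-000000000000"


def summarize(lines):
    """Return {application: summary} built from the state-change lines."""
    apps = {}
    for line in lines:
        m = STATE_RE.search(line)
        if m is None:
            continue  # e.g. the plain "status changed to: 'degraded'" line
        info = apps.setdefault(
            m["app"], {"transitions": [], "repeats": 0, "policy": None, "sub_type": None}
        )
        if info["transitions"] and info["transitions"][-1] == m["state"]:
            info["repeats"] += 1  # same state reported again
        else:
            info["transitions"].append(m["state"])
            info["repeats"] = 0
        policy = POLICY_RE.search(m["msg"])
        if policy and policy[1] != NULL_POLICY:
            info["policy"] = policy[1]
        info["sub_type"] = m["sub"]
    return apps


def degraded(apps):
    """Names of applications whose most recent state is DEGRADED."""
    return sorted(a for a, i in apps.items() if i["transitions"][-1] == "DEGRADED")


# Sample input: lines from the question; the final line is repeated once (constructed).
_P = "[elastic_agent][info] 2021-06-07T23:14:26+02:00 - message: Application: endpoint-security--7.13.1[d514a70b-1279-46e3-8d98-58cbc75d4abf]: State changed to "
SAMPLE = [
    _P + "CONFIG:  - type: 'STATE' - sub_type: 'CONFIG'",
    _P + "CONFIG: Protecting with policy {00000000-0000-0000-0000-000000000000} - type: 'STATE' - sub_type: 'CONFIG'",
    "[elastic_agent][warn] Elastic Agent status changed to: 'degraded'",
    _P + "DEGRADED: Protecting with policy {8f4e6e72-d37f-4a1a-81b2-9bf3131217cb} - type: 'STATE' - sub_type: 'RUNNING'",
    _P + "DEGRADED: Protecting with policy {8f4e6e72-d37f-4a1a-81b2-9bf3131217cb} - type: 'STATE' - sub_type: 'RUNNING'",
]

if __name__ == "__main__":
    print(summarize(SAMPLE), degraded(summarize(SAMPLE)))
```

On the sample, the summary shows the real policy ID replacing the all-zero one before the state settles on DEGRADED with sub_type RUNNING.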