Elastic Agent 7.13.1 keeps degrading endpoint security for macOS

The endpoint security for macOS keeps getting to the status 'DEGRADED'. I simply create a new policy, add endpoint security to the policy and enroll the fleet-agent with the provided command.

Full-Disk Access Permissions for elastic-agent and elastic-endpoint have been assigned.

Here are the relevant log files out of the fleet server.

23:14:02.329
elastic_agent
[elastic_agent][info] 2021-06-07T23:14:02+02:00 - message: Application: endpoint-security--7.13.1[d514a70b-1279-46e3-8d98-58cbc75d4abf]: State changed to CONFIG:  - type: 'STATE' - sub_type: 'CONFIG'
23:14:22.395
elastic_agent
[elastic_agent][info] 2021-06-07T23:14:22+02:00 - message: Application: endpoint-security--7.13.1[d514a70b-1279-46e3-8d98-58cbc75d4abf]: State changed to CONFIG: Protecting with policy {00000000-0000-0000-0000-000000000000} - type: 'STATE' - sub_type: 'CONFIG'
23:14:26.225
elastic_agent
[elastic_agent][warn] Elastic Agent status changed to: 'degraded'
23:14:26.225
elastic_agent
[elastic_agent][info] 2021-06-07T23:14:26+02:00 - message: Application: endpoint-security--7.13.1[d514a70b-1279-46e3-8d98-58cbc75d4abf]: State changed to DEGRADED: Protecting with policy {8f4e6e72-d37f-4a1a-81b2-9bf3131217cb} - type: 'STATE' - sub_type: 'RUNNING'

The last line keeps repeating over and over.

sudo elastic-agent status
Status: DEGRADED
Message: (no message)
Applications:
  * endpoint-security	(DEGRADED)
    Protecting with policy {8f4e6e72-d37f-4a1a-81b2-9bf3131217cb}
  * filebeat	(HEALTHY)
    Running
  * metricbeat	(HEALTHY)
    Running

Does anybody have an idea how to get elastic-agent's endpoint-security on macOS 11.3.1 to Healthy?

  • System: macOS 11.3.1 (Chip Apple M1)
  • elastic and elastic-agent: 7.13.1
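
As an added example (not part of the original post and not Elastic code), the state-change messages above can be triaged by parsing them per application and counting how often the final state repeats. The function names are hypothetical, and the log format is assumed to match the lines shown in the post.

```python
import re

# First four lines are copied from the post above; the last two are constructed
# repeats (later timestamps) standing in for "keeps repeating over and over".
SAMPLE = """\
[elastic_agent][info] 2021-06-07T23:14:02+02:00 - message: Application: endpoint-security--7.13.1[d514a70b-1279-46e3-8d98-58cbc75d4abf]: State changed to CONFIG:  - type: 'STATE' - sub_type: 'CONFIG'
[elastic_agent][info] 2021-06-07T23:14:22+02:00 - message: Application: endpoint-security--7.13.1[d514a70b-1279-46e3-8d98-58cbc75d4abf]: State changed to CONFIG: Protecting with policy {00000000-0000-0000-0000-000000000000} - type: 'STATE' - sub_type: 'CONFIG'
[elastic_agent][warn] Elastic Agent status changed to: 'degraded'
[elastic_agent][info] 2021-06-07T23:14:26+02:00 - message: Application: endpoint-security--7.13.1[d514a70b-1279-46e3-8d98-58cbc75d4abf]: State changed to DEGRADED: Protecting with policy {8f4e6e72-d37f-4a1a-81b2-9bf3131217cb} - type: 'STATE' - sub_type: 'RUNNING'
[elastic_agent][info] 2021-06-07T23:14:56+02:00 - message: Application: endpoint-security--7.13.1[d514a70b-1279-46e3-8d98-58cbc75d4abf]: State changed to DEGRADED: Protecting with policy {8f4e6e72-d37f-4a1a-81b2-9bf3131217cb} - type: 'STATE' - sub_type: 'RUNNING'
[elastic_agent][info] 2021-06-07T23:15:26+02:00 - message: Application: endpoint-security--7.13.1[d514a70b-1279-46e3-8d98-58cbc75d4abf]: State changed to DEGRADED: Protecting with policy {8f4e6e72-d37f-4a1a-81b2-9bf3131217cb} - type: 'STATE' - sub_type: 'RUNNING'
"""

STATE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T[\d:]+[+-]\d{2}:\d{2}) - message: "
    r"Application: (?P<app>[\w-]+?)--[\d.]+\[[0-9a-f-]+\]: "
    r"State changed to (?P<state>[A-Z]+): (?P<msg>.*?) - type: 'STATE'"
)
POLICY_RE = re.compile(r"\{([0-9a-f-]{36})\}")

def parse_state_changes(text):
    """Return one dict per 'State changed to' line, in log order."""
    events = []
    for m in STATE_RE.finditer(text):  # lines without a state change are skipped
        ev = m.groupdict()
        policy = POLICY_RE.search(ev["msg"])
        ev["policy"] = policy.group(1) if policy else None
        events.append(ev)
    return events

def summarize(events):
    """Per application: final state, policy, and how often that state repeated."""
    report = {}
    for ev in events:
        cur = report.get(ev["app"])
        same = cur and (cur["state"], cur["policy"]) == (ev["state"], ev["policy"])
        report[ev["app"]] = {
            "state": ev["state"],
            "policy": ev["policy"],
            "repeats": cur["repeats"] + 1 if same else 1,
        }
    for entry in report.values():
        entry["stuck"] = entry["state"] == "DEGRADED" and entry["repeats"] > 1
    return report

if __name__ == "__main__":
    for app, entry in summarize(parse_state_changes(SAMPLE)).items():
        print(app, entry)
```

An application reported as stuck has received its real policy (not the all-zero placeholder ID) and still keeps re-announcing DEGRADED, which points at the endpoint itself rather than at policy delivery.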

Hello fgierlinger,

I will be more than happy to help you.

First, let's make sure that the System Extension for Elastic Endpoint is enabled. Can you go to Preferences -> Security & Privacy? Do you see a message that says:

System software from application "ElasticEndpoint" was blocked from loading.

If so, let's enable that first.

If it is already enabled on your system, we will need additional information. Can you gather the Endpoint log from your system and share it with me? The log is available under /Library/Elastic/Endpoint/state/log

If you wish, you can PM me directly.

System software from application "ElasticEndpoint" was blocked from loading.

This message has appeared in the past, but I have given elastic endpoint the required permissions. I went into Security & Privacy > Full Disk Access and added the elastic-agent as well as the elastic-endpoint executable to the allowed exceptions.

Unfortunately something went really wrong with my super small non-redundant elastic deployment. It went red and I was not able to recover it. With the new deployment and 7.13.2 everything seems to be fine.

@ckim In case the error reproduces I will PM you directly.
