Elastic-agent : endpoint-security.sock no such file or directory

Hello,
I work with self-managed stack v7.16.1
I have a problem with endpoint security deployment
elastic-agent diagnostics gives this error for endpoint:

elastic-agent diagnostics 
  *  name: endpoint-security           route_key: default
     error: Get "http://unix/": dial unix /opt/Elastic/Agent/data/tmp/default/endpoint-security/endpoint-security.sock: connect: no such file or directory

When I look at the path, the endpoint-security folder is missing.
I have been looking for quite some time now, and I don't know where the problem comes from
I also have metricbeat and filebeat deployed with elastic-agent but they are working well
The status command shows everything is healthy

elastic-agent status 
Status: HEALTHY
Message: (no message)
Applications:
  * filebeat_monitoring    (HEALTHY)
                           Running
  * metricbeat_monitoring  (HEALTHY)
                           Running
  * endpoint-security      (HEALTHY)
                           Protecting with policy {42c1253e-7dc2-42be-9189-f6542bb8fcd9}
  * filebeat               (HEALTHY)
                           Running
  * metricbeat             (HEALTHY)
                           Running

elastic-agent diagnostics 
elastic-agent  version: 7.16.1
               build_commit: 7e56c4a053a2fe26c0cac168dd974780428a2aa6  build_time: 2021-12-11 05:09:58 +0000 UTC  snapshot_build: false
Applications:
  *  name: metricbeat_monitoring       route_key: default
     process: metricbeat               id: 36caf419-861a-4f30-88bd-db3fc7db840f          ephemeral_id: c2cdc157-f319-4d5c-b1ef-23ffe08ba4c1  elastic_license: true
     version: 7.16.1                   commit: 7e56c4a053a2fe26c0cac168dd974780428a2aa6  build_time: 2021-12-11 02:01:45 +0000 UTC           binary_arch: amd64
     hostname: socket-server-dev-joci  username: root                                    user_id: 0                                          user_gid: 0
  *  name: endpoint-security           route_key: default
     error: Get "http://unix/": dial unix /opt/Elastic/Agent/data/tmp/default/endpoint-security/endpoint-security.sock: connect: no such file or directory
  *  name: filebeat                    route_key: default
     process: filebeat                 id: f24b7fd7-9856-4a4c-8a19-6bddfee97b72          ephemeral_id: 741a6957-b853-49c4-8ff9-b757d25e61ab  elastic_license: true
     version: 7.16.1                   commit: 7e56c4a053a2fe26c0cac168dd974780428a2aa6  build_time: 2021-12-11 01:49:16 +0000 UTC           binary_arch: amd64
     hostname: socket-server-dev-joci  username: root                                    user_id: 0                                          user_gid: 0
  *  name: metricbeat                  route_key: default
     process: metricbeat               id: 36caf419-861a-4f30-88bd-db3fc7db840f          ephemeral_id: c2cdc157-f319-4d5c-b1ef-23ffe08ba4c1  elastic_license: true
     version: 7.16.1                   commit: 7e56c4a053a2fe26c0cac168dd974780428a2aa6  build_time: 2021-12-11 02:01:45 +0000 UTC           binary_arch: amd64
     hostname: socket-server-dev-joci  username: root                                    user_id: 0                                          user_gid: 0
  *  name: filebeat_monitoring         route_key: default
     process: filebeat                 id: f24b7fd7-9856-4a4c-8a19-6bddfee97b72          ephemeral_id: 741a6957-b853-49c4-8ff9-b757d25e61ab  elastic_license: true
     version: 7.16.1                   commit: 7e56c4a053a2fe26c0cac168dd974780428a2aa6  build_time: 2021-12-11 01:49:16 +0000 UTC           binary_arch: amd64
     hostname: socket-server-dev-joci  username: root                                    user_id: 0                                          user_gid: 0

I'm managing everything from Kibana

Elastic config output:

  api_key: "api_key"
  ssl:
    certificate_authorities: ["/etc/ssl/es/ca.crt"]
    certificate: "/etc/ssl/es/beats.crt"
    key: "/etc/ssl/es/beats.key"

Thanks in advance,

Hi,

Is the problem persistent also after restart? Did you try to reinstall the agent?

Hello, I reinstalled it many times but the problem is persistent.
I had two problems, first one, I didn’t correctly pass my certificates to my elastic-agents
I solved it by passing my certificates to the fleet settings, so now I have logs coming from filebeat and metricbeat (I also use system integration).

The problem comes from:

[elastic_agent.endpoint_security][error] Http.cpp:327 CURL error 60: SSL peer certificate or SSH remote key was not OK [SSL certificate problem: unable to get local issuer certificate]

I have this error on both Windows and Linux
It's still a certificate problem, I saw a thread with the same error.

But I give all my certificates through my fleet settings.

  api_key: ""
  hosts: ["https://myserver:9200"]
  protocol: https
  ssl.certificate_authorities: |
    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----
  ssl.certificate: |
    -----BEGIN CERTIFICATE-----

    -----END CERTIFICATE-----

  ssl.key: |
    -----BEGIN RSA PRIVATE KEY-----

    -----END RSA PRIVATE KEY-----

So I don't know why I still have this problem, I must have missed a parameter.
Thank you for your time

Endpoint security seems to not use Fleet Elasticsearch output settings, so I had to add my Elasticsearch certificate as root CA.

elastic-agent sends events, but I still have the error message

elastic-agent diagnostics 
  *  name: endpoint-security           route_key: default
     error: Get "http://unix/": dial unix /opt/Elastic/Agent/data/tmp/default/endpoint-security/endpoint-security.sock: connect: no such file or directory

Thank you
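
The certificate error quoted in this thread ("unable to get local issuer certificate") can be told apart from a genuinely broken chain by verifying the server certificate once against the host trust store and once against the private CA bundle. The script below is an added example, not part of the original posts or of Elastic's tooling; its function names are hypothetical and the CA and server certificate are constructed throwaways. On a real host, pass the Elasticsearch node certificate and a CA file such as /etc/ssl/es/ca.crt to `diagnose` instead.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# A throwaway CA and server certificate are constructed in a temp directory
# to stand in for the private CA and the Elasticsearch node certificate.

make_test_pki() {   # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=myserver" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -days 1 \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/server.crt" 2>/dev/null
}

# Verify against the host's default trust store only.
verify_system_store() { openssl verify "$1" 2>&1; }

# Verify against an explicit CA bundle (what ssl.certificate_authorities supplies).
verify_with_ca() { openssl verify -CAfile "$2" "$1" 2>&1; }

# $1 = server certificate, $2 = private CA bundle
diagnose() {
  if verify_system_store "$1" >/dev/null; then
    echo "trusted-by-system-store"
  elif verify_with_ca "$1" "$2" >/dev/null; then
    # Chain is fine, but a client that ignores the bundle will fail.
    echo "ca-missing-from-system-store"
  else
    echo "chain-invalid"
  fi
}

workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT
make_test_pki "$workdir"

# Print the raw verification failure, then the classification.
verify_system_store "$workdir/server.crt" || true
echo "diagnosis: $(diagnose "$workdir/server.crt" "$workdir/ca.crt")"
```

A result of `ca-missing-from-system-store` matches the situation described above: the chain is valid, but only for clients that are given the private CA.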
