Elastic agent goes Unhealthy after deploy Endpoint integration

Hi there,
I have several Elastic agents with different policies and some integrations.
I want to do a PoC with the endpoint, but when I deploy the endpoint integration in the policy and it deploys to the Elastic agents, those become unhealthy. Here are the logs:

14:23:13.946 elastic_agent [elastic_agent][info] Elastic Agent status changed to: 'online'
14:23:13.946 elastic_agent [elastic_agent][info] 2021-09-19T14:23:13+02:00 - message: Application: endpoint-security--7.14.1[18c916e7-b4e0-4415-a98c-33fe0634d1ed]: State changed to CONFIG: Protecting with policy {3334f657-7996-4a6b-b554-adf6c612c703} - type: 'STATE' - sub_type: 'CONFIG'
14:23:14.815 elastic_agent [elastic_agent][info] New State ID is Izq4u_KB
14:23:14.815 elastic_agent [elastic_agent][info] Converging state requires execution of 4 step(s)
14:23:16.592 elastic_agent [elastic_agent][info] operation 'operation-install' skipped for endpoint-security.7.14.1
14:23:16.592 elastic_agent [elastic_agent][info] operation 'operation-start' skipped for endpoint-security.7.14.1
14:23:16.763 elastic_agent [elastic_agent][info] operation 'operation-install' skipped for filebeat.7.14.1
14:23:16.763 elastic_agent [elastic_agent][info] operation 'operation-start' skipped for filebeat.7.14.1
14:23:16.993 elastic_agent [elastic_agent][info] operation 'operation-install' skipped for metricbeat.7.14.1
14:23:16.993 elastic_agent [elastic_agent][info] operation 'operation-start' skipped for metricbeat.7.14.1
14:23:17.170 elastic_agent [elastic_agent][info] operation 'operation-install' skipped for filebeat.7.14.1
14:23:17.170 elastic_agent [elastic_agent][info] operation 'operation-start' skipped for filebeat.7.14.1
14:23:17.393 elastic_agent [elastic_agent][info] operation 'operation-install' skipped for metricbeat.7.14.1
14:23:17.393 elastic_agent [elastic_agent][info] operation 'operation-start' skipped for metricbeat.7.14.1
14:23:17.401 elastic_agent [elastic_agent][info] Updating internal state
14:23:32.531 elastic_agent [elastic_agent][warn] Elastic Agent status changed to: 'degraded'
14:23:32.531 elastic_agent [elastic_agent][info] 2021-09-19T14:23:32+02:00 - message: Application: endpoint-security--7.14.1[18c916e7-b4e0-4415-a98c-33fe0634d1ed]: State changed to **DEGRADED**: Protecting with policy {3334f657-7996-4a6b-b554-adf6c612c703} - type: 'STATE' - sub_type: 'RUNNING'
14:26:32.007 elastic_agent [elastic_agent][info] New State ID is EIQ5wcH3

After that, I see the elastic-endpoint deployed and running, but I don't see the endpoint in Kibana.
Also I tried to trigger some actions (eicar, mimikatz execution), but nothing happens.
What can I review/do? Is there something wrong?

Hi @SiRVaNdO thanks for checking out Endpoint Security!

As a first step to diagnosing what's going wrong, can you go to the Endpoints page in the Security App within Kibana? There you will see a list of all deployed Endpoints. Each Endpoint in that list has its policy status indicated. If you click on the failure string next to the red dot, a flyout will pop up on the right-hand side of the screen. That flyout will show you exactly what is failing. If you expand things within that flyout that have a red indicator on the right-hand side, you'll get to messages that describe why things failed. Could you do that and share which parts of policy are failing and what their messages are?

Hopefully with that data we can figure out what's going wrong. If not, I can help you dive deeper into other ways to diagnose this failure.
