Elastic-Agent installed, but not viewable in Security Hosts tab or logs in Kibana

Hi all -

So I've recently got the Elastic Stack set up and running. Decided to go install the Fleet Server, and then install a handful of Elastic-Agents on Windows Server(s) to gather some logs and metrics. From the looks of it, everything is configured properly, yet there are zero logs (aside from the Fleet-server's logs) in Kibana or Security. See below for logs of one of the Elastic-Agents running on Windows Server 2016 (this is from service start to "running configuration"):

{"log.level":"info","@timestamp":"2022-03-01T13:46:21.450Z","log.origin":{"file.name":"application/application.go","file.line":67},"message":"Detecting execution mode","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:21.455Z","log.origin":{"file.name":"application/application.go","file.line":92},"message":"Agent is managed by Fleet","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:21.456Z","log.origin":{"file.name":"capabilities/capabilities.go","file.line":59},"message":"capabilities file not found in C:\\Program Files\\Elastic\\Agent\\capabilities.yml","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-03-01T13:46:21.456Z","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":105},"message":"SSL/TLS verifications disabled.","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:22.187Z","log.logger":"composable.providers.docker","log.origin":{"file.name":"docker/docker.go","file.line":43},"message":"Docker provider skipped, unable to connect: protocol not available","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:22.192Z","log.origin":{"file.name":"store/state_store.go","file.line":327},"message":"restoring current policy from disk","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:22.229Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":48},"message":"New State ID is Ijgzcq6_","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:22.229Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":49},"message":"Converging state requires execution of 4 step(s)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:22.541Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:23.428Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-01T08:46:23-05:00 - message: Application: metricbeat--8.0.0[4d4185fb-ccde-4fea-9194-4b49a48958bb]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:25.122Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for endpoint-security.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:25.126Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-01T08:46:25-05:00 - message: Application: endpoint-security--8.0.0[4d4185fb-ccde-4fea-9194-4b49a48958bb]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:25.632Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:25.986Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-01T08:46:25-05:00 - message: Application: filebeat--8.0.0[4d4185fb-ccde-4fea-9194-4b49a48958bb]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:26.323Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:26.687Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-01T08:46:26-05:00 - message: Application: filebeat--8.0.0--36643631373035623733363936343635[4d4185fb-ccde-4fea-9194-4b49a48958bb]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:27.030Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:27.327Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-01T08:46:27-05:00 - message: Application: metricbeat--8.0.0--36643631373035623733363936343635[4d4185fb-ccde-4fea-9194-4b49a48958bb]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:27.356Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":66},"message":"Updating internal state","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:27.439Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":48},"message":"New State ID is 002rnIFL","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:27.439Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":49},"message":"Converging state requires execution of 3 step(s)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:27.753Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:27.754Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for metricbeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:27.810Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":62},"message":"Starting stats endpoint","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:27.810Z","log.origin":{"file.name":"application/managed_mode.go","file.line":290},"message":"Agent is starting","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:27.810Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":64},"message":"Metrics endpoint listening on: \\\\.\\pipe\\elastic-agent (configured: npipe:///elastic-agent)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:28.078Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:28.078Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for filebeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:28.341Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:28.341Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for filebeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:28.639Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:28.639Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for metricbeat.8.0.0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:28.646Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":66},"message":"Updating internal state","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:29.428Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-01T08:46:29-05:00 - message: Application: metricbeat--8.0.0[4d4185fb-ccde-4fea-9194-4b49a48958bb]: State changed to CONFIG: Updating configuration - type: 'STATE' - sub_type: 'CONFIG'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:29.940Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-01T08:46:29-05:00 - message: Application: metricbeat--8.0.0[4d4185fb-ccde-4fea-9194-4b49a48958bb]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:32.012Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-01T08:46:32-05:00 - message: Application: filebeat--8.0.0[4d4185fb-ccde-4fea-9194-4b49a48958bb]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:32.453Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-01T08:46:32-05:00 - message: Application: filebeat--8.0.0--36643631373035623733363936343635[4d4185fb-ccde-4fea-9194-4b49a48958bb]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:33.537Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-01T08:46:33-05:00 - message: Application: metricbeat--8.0.0--36643631373035623733363936343635[4d4185fb-ccde-4fea-9194-4b49a48958bb]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T13:46:47.240Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-01T08:46:47-05:00 - message: Application: endpoint-security--8.0.0[4d4185fb-ccde-4fea-9194-4b49a48958bb]: State changed to RUNNING: Protecting with policy {c35149eb-e6ff-49de-b216-c72007dd6887} - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}

Any help would be greatly appreciated!


@nodes

Thanks for trying Fleet and Endpoint Security, I'm sorry it's not working right now.

Do you have Agents showing up in the Agents tab in Fleet? It would look something like this.

If so, can you verify that Endpoint is installed correctly? Based on your Agent logs, I believe that it is, but can you verify to be sure? One easy way is to go to one of your host servers where the Agent is installed and look for the existence of this directory.

Windows:
c:\Program Files\Elastic\Endpoint

If that exists, can you check the Endpoint logs? You can get them like this:
As administrator, copy the contents of C:\Program Files\Elastic\Endpoint\state\log to another directory outside of Elastic and open the log file there. (This is required because of Endpoint self-protection.)

The Endpoint logs will have information about the documents that it streams to Elasticsearch. You should see logs similar to the below:

{"@timestamp":"2021-11-09T11:22:15.169061Z","agent":{"id":"43b96062-707e-4747-be6f-d8a759acb15c","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":227,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:227 Sent 48 documents to Elasticsearch","process":{"pid":3547,"thread":{"id":1493030}}}

Let me know if you see that or if you see any other errors. I'm also happy to take a look at your logs myself if you are OK with sharing them.

Hope this helps

So, it seems that the Endpoint is trying to report to 127.0.0.1, but the ES host is on a different IP. I had tried changing the output in elastic-endpoint.yaml, but after restarting the agent it reverted back to 127.0.0.1.

{"@timestamp":"2022-03-04T13:10:54.7817847Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":564,"name":"Canaries.cpp"}}},"message":"Canaries.cpp:564 path: C:\\Windows\\..\\zzAntiRansomElastic-DO-NOT-TOUCH-def6d40c-a6a1-442c-adc4-9d57a47e58d7\\AntiRansomElastic-DO-NOT-TOUCH-def8452b-fc17-414d-afb6-ddeceb5ec54c.xlsm","process":{"pid":7952,"thread":{"id":5960}}}
{"@timestamp":"2022-03-04T13:10:54.7817847Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":564,"name":"Canaries.cpp"}}},"message":"Canaries.cpp:564 path: C:\\Windows\\..\\zzAntiRansomElastic-DO-NOT-TOUCH-def6d40c-a6a1-442c-adc4-9d57a47e58d7\\AntiRansomElastic-DO-NOT-TOUCH-def8452b-fc17-414d-afb6-ddeceb5ec54c.ppt","process":{"pid":7952,"thread":{"id":5960}}}
{"@timestamp":"2022-03-04T13:10:54.7817847Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":564,"name":"Canaries.cpp"}}},"message":"Canaries.cpp:564 path: C:\\Windows\\..\\zzAntiRansomElastic-DO-NOT-TOUCH-def6d40c-a6a1-442c-adc4-9d57a47e58d7\\AntiRansomElastic-DO-NOT-TOUCH-def8452b-fc17-414d-afb6-ddeceb5ec54c.pptx","process":{"pid":7952,"thread":{"id":5960}}}
{"@timestamp":"2022-03-04T13:10:54.7817847Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":564,"name":"Canaries.cpp"}}},"message":"Canaries.cpp:564 path: C:\\Windows\\..\\zzAntiRansomElastic-DO-NOT-TOUCH-def6d40c-a6a1-442c-adc4-9d57a47e58d7\\AntiRansomElastic-DO-NOT-TOUCH-def8452b-fc17-414d-afb6-ddeceb5ec54c.pptm","process":{"pid":7952,"thread":{"id":5960}}}
{"@timestamp":"2022-03-04T13:10:55.2178133Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":327,"name":"Http.cpp"}}},"message":"Http.cpp:327 CURL error 7: Error [Failed to connect to 127.0.0.1 port 9200 after 1000 ms: No connection could be made because the target machine actively refused it.]","process":{"pid":7952,"thread":{"id":4776}}}
{"@timestamp":"2022-03-04T13:10:55.2178133Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"notice","origin":{"file":{"line":100,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:100 Elasticsearch connection is down","process":{"pid":7952,"thread":{"id":4776}}}
{"@timestamp":"2022-03-04T13:10:55.4066267Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":296,"name":"FileScore.cpp"}}},"message":"FileScore.cpp:296 File write: [C:\\ProgramData\\Trend Micro\\AMSP\\data\\10012\\BackupDB.s3db-journal] from PID [1276]","process":{"pid":7952,"thread":{"id":4620}}}
{"@timestamp":"2022-03-04T13:10:55.4222527Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":296,"name":"FileScore.cpp"}}},"message":"FileScore.cpp:296 File write: [C:\\ProgramData\\Trend Micro\\AMSP\\data\\10012\\BackupDB.s3db-journal] from PID [1276]","process":{"pid":7952,"thread":{"id":7280}}}
{"@timestamp":"2022-03-04T13:10:55.5179743Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":135,"name":"AgentContext.cpp"}}},"message":"AgentContext.cpp:135 Agent check-in returned status Success","process":{"pid":7952,"thread":{"id":8696}}}
{"@timestamp":"2022-03-04T13:10:55.5209771Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":1065,"name":"AgentComms.cpp"}}},"message":"AgentComms.cpp:1065 Channel connectivity state: 2","process":{"pid":7952,"thread":{"id":7188}}}
{"@timestamp":"2022-03-04T13:10:56.5215036Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":1065,"name":"AgentComms.cpp"}}},"message":"AgentComms.cpp:1065 Channel connectivity state: 2","process":{"pid":7952,"thread":{"id":7188}}}
{"@timestamp":"2022-03-04T13:10:57.5223829Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":1065,"name":"AgentComms.cpp"}}},"message":"AgentComms.cpp:1065 Channel connectivity state: 2","process":{"pid":7952,"thread":{"id":7188}}}
{"@timestamp":"2022-03-04T13:10:58.5230738Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":1065,"name":"AgentComms.cpp"}}},"message":"AgentComms.cpp:1065 Channel connectivity state: 2","process":{"pid":7952,"thread":{"id":7188}}}
{"@timestamp":"2022-03-04T13:10:59.5102355Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":296,"name":"FileScore.cpp"}}},"message":"FileScore.cpp:296 File write: [C:\\Program Files (x86)\\ossec-agent\\ossec-agent.state] from PID [2280]","process":{"pid":7952,"thread":{"id":1876}}}
{"@timestamp":"2022-03-04T13:10:59.5232265Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":1065,"name":"AgentComms.cpp"}}},"message":"AgentComms.cpp:1065 Channel connectivity state: 2","process":{"pid":7952,"thread":{"id":7188}}}
{"@timestamp":"2022-03-04T13:10:59.5232265Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":296,"name":"FileScore.cpp"}}},"message":"FileScore.cpp:296 File write: [C:\\ProgramData\\Trend Micro\\AMSP\\temp\\virus\\VS2HF000.G00] from PID [1276]","process":{"pid":7952,"thread":{"id":4752}}}
{"@timestamp":"2022-03-04T13:10:59.5282208Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":296,"name":"FileScore.cpp"}}},"message":"FileScore.cpp:296 File write: [C:\\ProgramData\\Trend Micro\\AMSP\\temp\\virus\\VS2HF000.G00] from PID [1276]","process":{"pid":7952,"thread":{"id":4620}}}
{"@timestamp":"2022-03-04T13:10:59.7229872Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":883,"name":"MemoryScan.cpp"}}},"message":"MemoryScan.cpp:883 Failed to open handle to process [8152], skipping memory scan","process":{"pid":7952,"thread":{"id":7072}}}
{"@timestamp":"2022-03-04T13:11:00.2290012Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":684,"name":"HttpLib.cpp"}}},"message":"HttpLib.cpp:684 Making HTTP request without a proxy","process":{"pid":7952,"thread":{"id":4776}}}
{"@timestamp":"2022-03-04T13:11:00.2290012Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":871,"name":"HttpLib.cpp"}}},"message":"HttpLib.cpp:871 Adding 28 CA certificates","process":{"pid":7952,"thread":{"id":4776}}}
{"@timestamp":"2022-03-04T13:11:00.2290012Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":910,"name":"HttpLib.cpp"}}},"message":"HttpLib.cpp:910 Removing SNI from no connection? https://127.0.0.1:9200/_cluster/health","process":{"pid":7952,"thread":{"id":4776}}}
{"@timestamp":"2022-03-04T13:11:00.2290012Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":1045,"name":"HttpLib.cpp"}}},"message":"HttpLib.cpp:1045 Establishing GET connection to [https://127.0.0.1:9200/_cluster/health]","process":{"pid":7952,"thread":{"id":4776}}}
{"@timestamp":"2022-03-04T13:11:00.5235656Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":1065,"name":"AgentComms.cpp"}}},"message":"AgentComms.cpp:1065 Channel connectivity state: 2","process":{"pid":7952,"thread":{"id":7188}}}
{"@timestamp":"2022-03-04T13:11:00.7427495Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":296,"name":"FileScore.cpp"}}},"message":"FileScore.cpp:296 File write: [C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive1.dat] from PID [816]","process":{"pid":7952,"thread":{"id":7280}}}
{"@timestamp":"2022-03-04T13:11:00.7607522Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":296,"name":"FileScore.cpp"}}},"message":"FileScore.cpp:296 File write: [C:\\ProgramData\\Trend Micro\\AMSP\\temp\\virus\\VS2JV000.G00] from PID [1276]","process":{"pid":7952,"thread":{"id":1876}}}
{"@timestamp":"2022-03-04T13:11:00.7647511Z","agent":{"id":"4d4185fb-ccde-4fea-9194-4b49a48958bb","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"debug","origin":{"file":{"line":296,"name":"FileScore.cpp"}}},"message":"FileScore.cpp:296 File write: [C:\\ProgramData\\Trend Micro\\AMSP\\temp\\virus\\VS2JV000.G00] from PID [1276]","process":{"pid":7952,"thread":{"id":4752}}}

Any thoughts?
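
An added example, not part of any post in this thread: a small Python triage of copied Endpoint log lines that separates the healthy signal mentioned above ("Sent N documents to Elasticsearch") from the failure shown in this post (connection attempts to a loopback address). The function names, report keys and verdict labels are assumptions made for this sketch, and the sample lines are abridged from the ones quoted in the thread.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Message patterns taken from the Endpoint log lines quoted in the thread.
SENT_RE = re.compile(r"Sent (\d+) documents to Elasticsearch")
CURL_RE = re.compile(r"CURL error (\d+): Error \[Failed to connect to (\S+) port (\d+)")
CONNECT_RE = re.compile(r"Establishing \w+ connection to \[(\S+?)\]")


def is_loopback(host):
    """True for localhost or any loopback IP literal (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # an ordinary hostname, not an IP literal


def triage_endpoint_log(lines):
    """Summarise output connectivity from JSON-per-line Endpoint logs."""
    report = {
        "documents_sent": 0,       # sum of "Sent N documents" counters
        "connect_failures": [],    # (timestamp, curl_code, "host:port")
        "targets": set(),          # every output target seen
        "loopback_targets": set(), # targets that resolve to this machine
        "unparsed": 0,             # truncated or non-JSON lines
    }

    def note_target(host, port):
        target = f"{host}:{port}"
        report["targets"].add(target)
        if is_loopback(host):
            report["loopback_targets"].add(target)
        return target

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            report["unparsed"] += 1
            continue
        if not isinstance(event, dict):
            report["unparsed"] += 1
            continue
        message = str(event.get("message", ""))

        sent = SENT_RE.search(message)
        if sent:
            report["documents_sent"] += int(sent.group(1))

        failed = CURL_RE.search(message)
        if failed:
            code, host, port = failed.groups()
            target = note_target(host, port)
            report["connect_failures"].append(
                (event.get("@timestamp"), int(code), target))

        attempt = CONNECT_RE.search(message)
        if attempt:
            url = urlsplit(attempt.group(1))
            if url.hostname:
                default_port = 443 if url.scheme == "https" else 80
                note_target(url.hostname, url.port or default_port)
    return report


def verdict(report):
    """Collapse the report into one label (labels are this sketch's own)."""
    if report["connect_failures"] and report["loopback_targets"]:
        return "loopback-output"      # output URL points at the agent host itself
    if report["connect_failures"]:
        return "unreachable-output"   # remote output, but connections fail
    if report["documents_sent"] > 0:
        return "streaming"
    return "no-evidence"


# Sample input, abridged from the lines quoted in the thread (constructed).
FAILING_SAMPLE = """
{"@timestamp":"2022-03-04T13:10:55.2178133Z","log":{"level":"error"},"message":"Http.cpp:327 CURL error 7: Error [Failed to connect to 127.0.0.1 port 9200 after 1000 ms: No connection could be made because the target machine actively refused it.]"}
{"@timestamp":"2022-03-04T13:10:55.2178133Z","log":{"level":"notice"},"message":"BulkQueueConsumer.cpp:100 Elasticsearch connection is down"}
{"@timestamp":"2022-03-04T13:11:00.2290012Z","log":{"level":"debug"},"message":"HttpLib.cpp:1045 Establishing GET connection to [https://127.0.0.1:9200/_cluster/health]"}
{"@timestamp":"2022-03-04T13:11:00.52
"""
HEALTHY_SAMPLE = """
{"@timestamp":"2021-11-09T11:22:15.169061Z","log":{"level":"info"},"message":"BulkQueueConsumer.cpp:227 Sent 48 documents to Elasticsearch"}
"""

if __name__ == "__main__":
    for name, sample in (("failing", FAILING_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        result = triage_endpoint_log(sample.splitlines())
        print(name, verdict(result), sorted(result["targets"]))
```

A "loopback-output" verdict on a host that is not the Elasticsearch server means the output configured centrally is wrong, so the fix belongs in the Fleet output settings rather than in files on the endpoint.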

Can you check the settings you have in the Fleet UI? You can specify Elasticsearch outputs there.

Go to "Fleet > Settings". Does your desired ES output appear under "Outputs"?

It looks something like this

If you do not see your expected output there, can you try adding it? Your Agent policies should pick it up automatically, but you may want to try redeploying if you don't see data coming through after 10 min or so.

The Agent configuration will overwrite the settings in elastic-endpoint.yaml, so it's important that it's set appropriately at the top level. There's more info in the docs here: Centrally manage Elastic Agents in Fleet | Fleet and Elastic Agent Guide [8.0] | Elastic

Let me know if this helps

It does show the output, but when I try to change anything it shows this:

This is blocked because the output was configured by the "Security on by default" features in Stack 8.0. You can edit the configuration that was automatically generated in your config/kibana.yml file.

@mostlyjason Wonder if we should have a better flow for this since users are almost always going to want to change the hostname to a public (non-localhost) one.

I had tried doing that by setting the Elasticsearch.hosts to the static IP of the machine. After restarting Kibana, it would just fail/refuse to connect.

You'd need to change the hosts parameter inside the xpack.fleet.outputs array to update this Fleet setting, not the elasticsearch.hosts parameter (which is used for the connection between Kibana and ES)

Hey guys - Still having the same issue. Here are the logs from the internal endpoint using Elastic-Agent to try to connect to the Fleet-server. See below:

{"log.level":"info","@timestamp":"2022-03-07T17:21:54.501Z","log.origin":{"file.name":"application/application.go","file.line":67},"message":"Detecting execution mode","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:54.504Z","log.origin":{"file.name":"application/application.go","file.line":92},"message":"Agent is managed by Fleet","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:54.504Z","log.origin":{"file.name":"capabilities/capabilities.go","file.line":59},"message":"capabilities file not found in C:\\Program Files\\Elastic\\Agent\\capabilities.yml","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-03-07T17:21:54.505Z","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":105},"message":"SSL/TLS verifications disabled.","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:54.943Z","log.logger":"composable.providers.docker","log.origin":{"file.name":"docker/docker.go","file.line":43},"message":"Docker provider skipped, unable to connect: protocol not available","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:54.951Z","log.origin":{"file.name":"store/state_store.go","file.line":327},"message":"restoring current policy from disk","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:54.993Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":48},"message":"New State ID is 6JqFOh_r","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:54.993Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":49},"message":"Converging state requires execution of 4 step(s)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:56.693Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for endpoint-security.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:56.698Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:21:56-05:00 - message: Application: endpoint-security--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:57.084Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:57.411Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:21:57-05:00 - message: Application: filebeat--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:57.616Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:57.876Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:21:57-05:00 - message: Application: metricbeat--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:58.078Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:58.276Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:21:58-05:00 - message: Application: filebeat--8.0.1--36643631373035623733363936343635[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:58.474Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:58.680Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:21:58-05:00 - message: Application: metricbeat--8.0.1--36643631373035623733363936343635[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:58.716Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":66},"message":"Updating internal state","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:58.732Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":48},"message":"New State ID is wIUCa6UE","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:58.732Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":49},"message":"Converging state requires execution of 3 step(s)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:58.894Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:58.894Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:58.987Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":62},"message":"Starting stats endpoint","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:58.987Z","log.origin":{"file.name":"application/managed_mode.go","file.line":290},"message":"Agent is starting","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:58.987Z","log.logger":"api","log.origin":{"file.name":"api/server.go","file.line":64},"message":"Metrics endpoint listening on: \\\\.\\pipe\\elastic-agent (configured: npipe:///elastic-agent)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:59.098Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:59.098Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:59.264Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:59.264Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:59.493Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:59.493Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:21:59.503Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":66},"message":"Updating internal state","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:02.036Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:02-05:00 - message: Application: filebeat--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:02.882Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:02-05:00 - message: Application: filebeat--8.0.1--36643631373035623733363936343635[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:03.281Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:03-05:00 - message: Application: metricbeat--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:04.168Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:04-05:00 - message: Application: metricbeat--8.0.1--36643631373035623733363936343635[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:18.492Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:18-05:00 - message: Application: endpoint-security--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to RUNNING: Protecting with policy {9c5aa783-9394-4a97-b276-b3cbc1e571c8} - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:23.551Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":48},"message":"New State ID is FbF1F7jf","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:23.551Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":49},"message":"Converging state requires execution of 4 step(s)","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:24.950Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for endpoint-security.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:24.950Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for endpoint-security.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:25.127Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:25.127Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:25.129Z","log.origin":{"file.name":"process/configure.go","file.line":50},"message":"initiating restart of 'filebeat' due to config change","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:26.652Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:26-05:00 - message: Application: filebeat--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STOPPED: Stopped - type: 'STATE' - sub_type: 'STOPPED'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:26.803Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:26-05:00 - message: Application: filebeat--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:26.990Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:26.990Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:26.996Z","log.origin":{"file.name":"process/configure.go","file.line":50},"message":"initiating restart of 'metricbeat' due to config change","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:27.521Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:27-05:00 - message: Application: metricbeat--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STOPPED: Stopped - type: 'STATE' - sub_type: 'STOPPED'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:27.653Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:27-05:00 - message: Application: metricbeat--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:27.839Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:27.839Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for filebeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:27.841Z","log.origin":{"file.name":"process/configure.go","file.line":50},"message":"initiating restart of 'filebeat_monitoring' due to config change","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:28.370Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:28-05:00 - message: Application: filebeat--8.0.1--36643631373035623733363936343635[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STOPPED: Stopped - type: 'STATE' - sub_type: 'STOPPED'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:28.736Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:28-05:00 - message: Application: filebeat--8.0.1--36643631373035623733363936343635[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:28.963Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-install' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:28.963Z","log.origin":{"file.name":"operation/operator.go","file.line":284},"message":"operation 'operation-start' skipped for metricbeat.8.0.1","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:28.968Z","log.origin":{"file.name":"process/configure.go","file.line":50},"message":"initiating restart of 'metricbeat_monitoring' due to config change","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:30.486Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:30-05:00 - message: Application: metricbeat--8.0.1--36643631373035623733363936343635[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STOPPED: Stopped - type: 'STATE' - sub_type: 'STOPPED'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:30.683Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:30-05:00 - message: Application: metricbeat--8.0.1--36643631373035623733363936343635[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:30.699Z","log.origin":{"file.name":"stateresolver/stateresolver.go","file.line":66},"message":"Updating internal state","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:31.419Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:31-05:00 - message: Application: filebeat--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:33.329Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:33-05:00 - message: Application: metricbeat--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:33.481Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:33-05:00 - message: Application: filebeat--8.0.1--36643631373035623733363936343635[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:36.152Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:36-05:00 - message: Application: metricbeat--8.0.1--36643631373035623733363936343635[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:38.498Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:38-05:00 - message: Application: endpoint-security--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to CONFIG: Protecting with policy {9c5aa783-9394-4a97-b276-b3cbc1e571c8} - type: 'STATE' - sub_type: 'CONFIG'","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-07T17:22:39.187Z","log.origin":{"file.name":"log/reporter.go","file.line":40},"message":"2022-03-07T12:22:39-05:00 - message: Application: endpoint-security--8.0.1[78c804a1-48a8-47cc-9dfc-a8772e331361]: State changed to RUNNING: Protecting with policy {9c5aa783-9394-4a97-b276-b3cbc1e571c8} - type: 'STATE' - sub_type: 'RUNNING'","ecs.version":"1.6.0"}

Any help is greatly appreciated.
