Elastic Agent not sending data to Elasticsearch from KVM but works for VMware

Hello Team,

In a further lab setup, I am facing a strange issue. I have two setups:

  1. LAB
    Windows -> VMware (UBUNTU)
    Windows -> VMware (Windows)

Both guests are connected through host-only adapter.

  2. SANDBOX
    Windows -> VMware (UBUNTU) -> KVM (WINDOWS)

This setup has nested VMs. Both guest VMs are connected through a host-only adapter.


ELK and Fleet are installed on the UBUNTU box. I have configured a proxy to access the internet from both guest Windows machines, but the ELK interface IP is excluded.

Output and Fleet are configured with the hostname.


# This section was automatically generated during setup.
elasticsearch.hosts: ['https://securelab:9200']
elasticsearch.serviceAccountToken: AAEAAWVsYXN0aWMva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE2OTcwOTQ5NjAzODk6MEFKV1RnNWFUbGVkeXVJQVdoY2R2QQ
elasticsearch.ssl.certificateAuthorities: [/var/lib/kibana/ca_1697094960818.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://securelab:9200'],

The issue is: when I installed the agent in the LAB setup, it worked as expected and I am getting the logs.

However, when I install it in the SANDBOX setup, the agent shows healthy. I can even collect diagnostic logs and update policies from the console, but I am not getting any logs.

Any help is appreciated.

Screenshot and diagnostics logs are attached.

desktop-2o70m2l - SANDBOX


Windows

Regards,
Ameer Mane

Hi @AnyThink_A

Perhaps take a look at this, you may have a similar issue

Have you tried to uninstall and re-install the agent?

It will take more information. Did you click on that agent and run the diagnostics?

Did you click on agent details?

Which logs are missing, the system logs or the agent logs?

If you can give more details we might be able to help... it is not clear what the issue is.

Hi @stephenb ,

Thanks for the prompt response. The trusted CA fingerprint is already there.


On top of that, the LAB setup, which has the exact same OS, proxy, ELK and Elastic Agent, is working fine.

But for the SANDBOX setup it is not. In the diagnostic logs I can also see the fingerprint; it picked the config randomly. It is from "beat-rendered-config.yml".

As for your questions:

Have you tried to uninstall and re-install the agent? - YES, I HAVE TRIED, BUT SAME ISSUE. IT SHOWS HEALTHY BUT NO LOGS.

It will take more information. Did you click on that agent and run the diagnostics?

Did you click on agent details? - YES

Which logs are missing, the system logs or the agent logs?
EVERYTHING IS MISSING. WINDOWS SYSTEM, APP, SECURITY, as well as agent logs.

If you can give more details we might be able to help... it is not clear what the issue is.

AS MENTIONED, I CAN UPDATE THE POLICY AND FETCH DIAGNOSTIC LOGS FROM THE CONSOLE, WHICH MEANS THE AGENT CONNECTION IS OK. LET ME KNOW IF ANY SPECIFIC INFORMATION IS NEEDED.

I WOULD HAVE ATTACHED THE DIAGNOSTIC LOGS BUT IT IS NOT LETTING ME. I AM A NOOB AT ANALYZING THESE LOGS.

Regards,
Ameer Mane

Hello,

I found the solution. Somehow, in the KVM machine, the time was not set to the correct time zone, even though everything was set correctly.

This caused the agent to detect a time in the future relative to ELK, and the indexed data was not getting written. I set the time manually and it's working.

I didn't understand the exact reasoning, but it's working. If anyone knows, let me know.

Regards,
Ameer Mane
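Added example, not from the thread or from Elastic: a small Python check that quantifies the clock skew between the agent host and the Elasticsearch host and shows why events stamped by a clock that runs ahead drop out of a time-bounded search such as Discover's default "Last 15 minutes". The 30-second tolerance, the 15-minute window and the two-hour sample skew are assumptions chosen for illustration.

```python
# Added example: does clock skew explain "agent healthy, no data"?
from datetime import datetime, timedelta, timezone

# Assumed values for this example, not taken from Elastic documentation.
SKEW_TOLERANCE = timedelta(seconds=30)   # beyond this, treat skew as a fault
DEFAULT_WINDOW = timedelta(minutes=15)   # Discover's default "Last 15 minutes"


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp (with offset or trailing Z) into UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp lacks a UTC offset: {value}")
    return ts.astimezone(timezone.utc)


def clock_skew(agent_now: str, server_now: str) -> timedelta:
    """Agent clock minus Elasticsearch clock (positive = agent runs ahead)."""
    return parse_ts(agent_now) - parse_ts(server_now)


def events_hidden_by_window(event_timestamps, server_now: str,
                            window: timedelta = DEFAULT_WINDOW):
    """Events a search over [server_now - window, server_now] would NOT
    return: future-dated ones (agent ahead) and ones older than the window."""
    now = parse_ts(server_now)
    start = now - window
    return [e for e in event_timestamps if not (start <= parse_ts(e) <= now)]


def diagnose(agent_now: str, server_now: str) -> str:
    """One-line verdict on whether skew alone can hide the agent's events."""
    skew = clock_skew(agent_now, server_now)
    if abs(skew) <= SKEW_TOLERANCE:
        return "ok: clocks agree within tolerance"
    direction = "ahead of" if skew > timedelta(0) else "behind"
    return (f"skew: agent clock is {abs(skew)} {direction} Elasticsearch; "
            "events will land outside the default Discover window")


if __name__ == "__main__":
    # Constructed sample: the KVM guest is two hours ahead of the Ubuntu host.
    agent, server = "2023-10-12T10:35:00+00:00", "2023-10-12T08:35:00+00:00"
    print(diagnose(agent, server))
    # An event the agent stamped "a minute ago" is two hours in ES's future,
    # while one stamped with the server's own recent time is visible.
    print(events_hidden_by_window(["2023-10-12T10:34:30Z",
                                   "2023-10-12T08:30:00Z"], server))
```

On the Windows guest, `Get-Date -Format o` gives the agent-side timestamp and `date -u --iso-8601=seconds` on the Ubuntu host gives the server side; feeding both to `diagnose` turns "no data" into a measured skew.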

@AnyThink_A Ohhh Great find!!! Nice!!
