I think we are also not getting any of the elastic endpoint logs. I posted what we are seeing this morning here: Security -> Administration Page not getting past Enrollment
Elastic Stack is on Windows (Server 2016) and so is the agent (Windows 10).
We are using self-signed certs and used the workaround, and then we started to see the data streams.
It does require admin rights to see the logs on the endpoint and I found some logs here:
C:\Program Files\Elastic\Endpoint\state\log\endpoint-000001.log
Here is a snip of the end of the logs which indicate an issue connecting to Elastic:
{"line":1392,"name":"HttpLib.cpp"}}},"message":"HttpLib.cpp:1392 Establishing GET connection to [https://192.168.5.25:9200/_cluster/health]","process":{"pid":5672,"thread":{"id":4008}}}
{"@timestamp":"2020-08-24T13:46:10.63687900Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"notice","origin":{"file":{"line":65,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:65 Elasticsearch connection is down","process":{"pid":5672,"thread":{"id":4008}}}
{"@timestamp":"2020-08-24T13:46:10.74635300Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5158]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:10.81954600Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5158]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:10.81954600Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5158]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:10.81954600Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5156]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:10.82692600Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5158]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:10.82864800Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5156]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:10.82864800Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5156]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:10.82864800Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5156]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:11.1229300Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5158]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:11.1229300Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5158]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:11.1229300Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [4689]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:11.1229300Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5156]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:11.1229300Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [4689]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:13.15113300Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":461,"name":"ProcessCache.cpp"}}},"message":"ProcessCache.cpp:461 Failed to remove item with pid [1976] from retired cache","process":{"pid":5672,"thread":{"id":6656}}}
{"@timestamp":"2020-08-24T13:46:13.15113300Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":461,"name":"ProcessCache.cpp"}}},"message":"ProcessCache.cpp:461 Failed to remove item with pid [9816] from retired cache","process":{"pid":5672,"thread":{"id":6656}}}
{"@timestamp":"2020-08-24T13:46:15.49389900Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1051,"name":"EventUpdater.cpp"}}},"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5156]","process":{"pid":5672,"thread":{"id":10212}}}
{"@timestamp":"2020-08-24T13:46:15.65066300Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1392,"name":"HttpLib.cpp"}}},"message":"HttpLib.cpp:1392 Establishing GET connection to [https://192.168.5.25:9200/_cluster/health]","process":{"pid":5672,"thread":{"id":4008}}}
{"@timestamp":"2020-08-24T13:46:15.68399000Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"notice","origin":{"file":{"line":65,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:65 Elasticsearch connection is down","process":{"pid":5672,"thread":{"id":4008}}}
{"@timestamp":"2020-08-24T13:46:15.22806100Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":661,"name":"File.cpp"}}},"message":"File.cpp:661 ioStatusBlock.Status=0, status=0x0","process":{"pid":5672,"thread":{"id":10380}}}
{"@timestamp":"2020-08-24T13:46:15.24800600Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":661,"name":"File.cpp"}}},"message":"File.cpp:661 ioStatusBlock.Status=0, status=0x0","process":{"pid":5672,"thread":{"id":10504}}}
{"@timestamp":"2020-08-24T13:46:15.26795200Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":661,"name":"File.cpp"}}},"message":"File.cpp:661 ioStatusBlock.Status=0, status=0x0","process":{"pid":5672,"thread":{"id":10508}}}
{"@timestamp":"2020-08-24T13:46:15.15960700Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":661,"name":"File.cpp"}}},"message":"File.cpp:661 ioStatusBlock.Status=0, status=0x0","process":{"pid":5672,"thread":{"id":4244}}}
It almost seems like the elastic-endpoint.exe agent is trying to ship logs directly to Elasticsearch? Is that how Filebeat and Metricbeat work as well? If so, then maybe the Elastic Endpoint binary is not taking the self-signed certificate into consideration. We do see the bad cert in the Elasticsearch logs:
[2020-08-24T08:57:39,849][WARN ][o.e.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/192.168.5.25:9200, remoteAddress=192.168.5.71:55441}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Insufficient buffer remaining for AEAD cipher fragment (2). Needs to be more than tag size (16)
...trimmed
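To triage a log like the one pasted above, this added example (not from the original post or from Elastic) parses endpoint-*.log records as ECS JSON, skips a truncated first line, and pulls out the Elasticsearch target URL and the "connection is down" notices. The sample lines are constructed from the post's format with most fields trimmed.

```python
# Triage helper for Elastic Endpoint's endpoint-*.log (one ECS JSON record per line).
# Added example; not part of the original post or of the Elastic Endpoint product.
import json
import re
from collections import Counter

URL_RE = re.compile(r"\[(https?://[^\]]+)\]")
EVENT_RE = re.compile(r"Unsupported Security Event type: \[(\d+)\]")

# Constructed sample modeled on the post's snippet; most ECS fields trimmed.
SAMPLE_LOG = [
    '{"line":1392,"name":"HttpLib.cpp"}}},"message":"cut off at snippet start"}',
    '{"@timestamp":"2020-08-24T13:46:10.60Z","log":{"origin":{"file":{"name":"HttpLib.cpp"}}},'
    '"message":"HttpLib.cpp:1392 Establishing GET connection to [https://192.168.5.25:9200/_cluster/health]"}',
    '{"@timestamp":"2020-08-24T13:46:10.63Z","log":{"origin":{"file":{"name":"BulkQueueConsumer.cpp"}}},'
    '"message":"BulkQueueConsumer.cpp:65 Elasticsearch connection is down"}',
    '{"@timestamp":"2020-08-24T13:46:10.74Z","log":{"origin":{"file":{"name":"EventUpdater.cpp"}}},'
    '"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5158]"}',
    '{"@timestamp":"2020-08-24T13:46:10.82Z","log":{"origin":{"file":{"name":"EventUpdater.cpp"}}},'
    '"message":"EventUpdater.cpp:1051 Unsupported Security Event type: [5156]"}',
]

def parse_record(line):
    """Return the parsed ECS record, or None for a blank or truncated line."""
    try:
        return json.loads(line) if line.strip() else None
    except json.JSONDecodeError:  # e.g. the partial first line of a pasted snippet
        return None

def summarize(lines):
    """Count records per source file and pull out the connectivity indicators."""
    s = {"unparsed": 0, "by_file": Counter(), "targets": Counter(),
         "connection_down": 0, "last_down_at": None, "event_types": Counter()}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            s["unparsed"] += 1
            continue
        origin = rec.get("log", {}).get("origin", {}).get("file", {}).get("name", "?")
        s["by_file"][origin] += 1
        msg = rec.get("message", "")
        if "Elasticsearch connection is down" in msg:
            s["connection_down"] += 1
            s["last_down_at"] = rec.get("@timestamp")
        if (url := URL_RE.search(msg)) and "Establishing" in msg:
            s["targets"][url.group(1)] += 1  # where the endpoint tried to ship to
        if evt := EVENT_RE.search(msg):
            s["event_types"][evt.group(1)] += 1
    return s
```

Run it over the real file with `summarize(open(path, encoding="utf-8"))`; a non-zero `connection_down` count next to a `targets` entry for port 9200 confirms the endpoint is talking to Elasticsearch directly rather than through the agent.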