Hello. We are managing Elastic Agents in Fleet. The entire Elastic Stack is on version 8.3.3.
We have problems running osqueries in Kibana: the query seems to be successful, but we get no results and no indices are created: "2 agents have responded, no osquery data has been reported".
In Fleet we have configured the agents' output to Logstash. In the logs we see errors: "Failed to publish events caused by: write tcp x.x.x.x:51787 (agent) -> y.y.y.y:5046 (logstash): wsasend: An existing connection was forcibly closed by the remote host".
Is osquery supposed to work with Logstash as the output on agents? I can confirm that osquery is working when the agent output is set to Elasticsearch, but we need Logstash to work.
There was another issue where the data was not routed/saved properly into the Elasticsearch data stream because the events were missing the data stream properties.
This was merged into 8.4 and should be part of the 8.4.0 release.
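An added illustration of the routing problem described above (example code, not from this thread or from Elastic): Logstash's elasticsearch output auto-routes each event to the data stream `<data_stream.type>-<data_stream.dataset>-<data_stream.namespace>` and falls back to the plugin defaults (`logs`, `generic`, `default`) for any field the event does not carry. So an osquery result that arrives without its `data_stream.*` fields is not dropped; it silently lands in `logs-generic-default`, where Kibana's osquery UI never looks for it. The sample events below are constructed; the dataset name `osquery_manager.result` is the one the Osquery Manager integration writes to, everything else is made up for the example.

```python
"""Diagnose whether Elastic Agent events carry the data_stream fields that
Logstash's elasticsearch output needs for data-stream auto-routing.

Added example, not code from the thread or from Elastic. SAMPLE_EVENTS are
constructed, not captured from a real agent.
"""
from collections import Counter
from typing import Any, Dict, List, Tuple

# Fallback values mirror the Logstash elasticsearch output defaults for
# data_stream_type / data_stream_dataset / data_stream_namespace.
FALLBACK = {"type": "logs", "dataset": "generic", "namespace": "default"}
FIELDS = ("type", "dataset", "namespace")

# Constructed sample batch: one well-formed osquery result, one event with
# no data_stream object at all, one with only the type present.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "@timestamp": "2022-08-30T10:00:00.000Z",
        "data_stream": {"type": "logs", "dataset": "osquery_manager.result",
                        "namespace": "default"},
        "osquery": {"name": "example", "pid": "1234"},
    },
    {
        "@timestamp": "2022-08-30T10:00:01.000Z",
        "osquery": {"name": "example", "pid": "5678"},
    },
    {
        "@timestamp": "2022-08-30T10:00:02.000Z",
        "data_stream": {"type": "logs"},
        "osquery": {"name": "example", "pid": "9012"},
    },
]


def route_event(event: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Return (target data stream name, list of data_stream fields that were missing).

    Any missing field is replaced by the plugin default, which is why an
    incomplete event ends up in e.g. logs-generic-default instead of
    logs-osquery_manager.result-default.
    """
    ds = event.get("data_stream") or {}
    missing = [k for k in FIELDS if not ds.get(k)]
    target = "-".join(ds.get(k) or FALLBACK[k] for k in FIELDS)
    return target, missing


def audit(events: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Summarise where a batch would be routed and how many events were incomplete."""
    targets: Counter = Counter()
    incomplete = 0
    for ev in events:
        target, missing = route_event(ev)
        targets[target] += 1
        if missing:
            incomplete += 1
    return {"targets": dict(targets), "incomplete": incomplete}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        target, missing = route_event(ev)
        flag = f"MISSING {missing}" if missing else "ok"
        print(f"{target:45s} {flag}")
    print(audit(SAMPLE_EVENTS))
```

Run it against events dumped from a Logstash `stdout { codec => rubydebug }` output (or a file output) to see whether the agents are actually sending the `data_stream.*` fields; if most results show up as `logs-generic-default`, the data is reaching Elasticsearch but under the wrong data stream, which matches the "agents responded, no osquery data reported" symptom.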
We got osquery working in our environment.
Upgrading the Elasticsearch and Logstash nodes to 8.4.0 did not resolve the problem.
Then we upgraded the Osquery Manager integration from 1.3.1 to 1.4.1 - still nothing.
Then we upgraded the Fleet Server agent and all endpoint Elastic Agents to 8.4.0, and osqueries are now working. Thank you for your help!