Elastic Agent (Security Onion)

I installed Security Onion to enhance my knowledge. I followed the documentation for the setup but faced several issues.

  1. After setting it up, my main goal was to get Windows event logs into Security Onion. I installed the Elastic Agent as per the documentation, and at first, I could see it in the fleet agents as healthy. However, after a few minutes, it turned unhealthy and showed an error in the "Elastic Defend - Endpoint" integration saying: "Endpoint, Degraded, Applied policy {597140a3-d96e-40fa-bc7f-9e0fd0570139}, No policy response available, Elasticsearch connection failure." I found a suggestion to delete the "Elastic Defend - Endpoint" section, and after doing that, the agent now stays healthy. Was deleting that the correct action?

  2. Unfortunately, I still haven’t received any logs from the Windows machine where the agent is installed. What do you think could be causing this?

  3. After installing the Elastic Agent/Elastic-endpoint, do we need to modify the elastic-agent.yml and elastic-endpoint.yml files for log collection?

I’ve read the documentation and tried different ways, but I’ve been struggling with this for a week. If you have some time, I would appreciate your help.

Thanks in advance!

If you're enrolling in Fleet, the local configuration file is generally ignored.

My guess is that if you look at the Elastic Agent log file, you'd see that it's failing to connect to Elasticsearch. If you log in to Kibana -> Fleet -> Settings, there is a section for the Elasticsearch connection where you should double-check the Elasticsearch host and port.

Once you have that fixed, you'll likely see Windows logs and you'll likely be able to use Endpoint.

If you still have issues, the next step would be to share the log file from the running Elastic Agent. They are in the Elastic Agent\data folder under Program Files.

Thank you for the response!

I checked Fleet, and the agent is connected and shows healthy status with the last check-in as "Running". However, I’m still not getting Windows logs. I attached the log file for more details.

Any specific suggestions on what to check next?

Last few logs:

{"log.level":"info","@timestamp":"2024-11-18T14:53:09.443Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":586},"message":"Spawned new component beat/metrics-monitoring: Starting: spawned pid '16824'","log":{"source":"elastic-agent"},"component":{"id":"beat/metrics-monitoring","state":"STARTING"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-18T14:53:09.443Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":593},"message":"Spawned new unit beat/metrics-monitoring-metrics-monitoring-beats: Starting: spawned pid '16824'","log":{"source":"elastic-agent"},"component":{"id":"beat/metrics-monitoring","state":"STARTING"},"unit":{"id":"beat/metrics-monitoring-metrics-monitoring-beats","type":"input","state":"STARTING"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-18T14:53:09.444Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":593},"message":"Spawned new unit beat/metrics-monitoring: Starting: spawned pid '16824'","log":{"source":"elastic-agent"},"component":{"id":"beat/metrics-monitoring","state":"STARTING"},"unit":{"id":"beat/metrics-monitoring","type":"output","state":"STARTING"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-18T14:53:09.692Z","log.origin":{"file.name":"cmd/run.go","file.line":360},"message":"reexec shutdown channel triggered","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-18T14:53:09.892Z","log.logger":"reexec","log.origin":{"file.name":"reexec/reexec_windows.go","file.line":36},"message":"Running as Windows service; triggering service restart","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}

Can you attach the full log? Perhaps upload to a github gist or something similar?

Google Drive Link To Access All Logs

I think the link may not have pasted correctly, as that link is a hyperlink to my comment on your post.

https://drive.google.com/drive/folders/1aOEaCCuMP5xvj0vBep4eqE0Ui4EzKMmM?usp=drive_link

{"log.level":"warn","@timestamp":"2024-11-18T14:53:35.621Z","log.logger":"transport","log.origin":{"file.name":"transport/tcp.go","file.line":53},"message":"DNS lookup failure \"securityonion\": lookup securityonion: no such host","ecs.version":"1.6.0"}

It looks like your Elasticsearch output is set to https://securityonion:9200 and that hostname is not resolvable from the node running Elastic Agent.

If you navigate to Kibana, under Fleet > Settings, you can find the Output settings and modify it to a hostname that is resolvable from the agent.

Do I need to modify it to the host IP, or something else? I can't understand it.

You'll need to set it to something that's reachable from the Elastic Agent device. Ideally you'd have a fully qualified domain name for your Security Onion server that is resolvable from other hosts, like securityonion.strawgate.com, but in place of that you could switch it to an IP address if your Security Onion server has a static IP address.

The most important thing is that you set it to something you can reach/ping from the node running Elastic Agent.
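The two checks the replies above describe (reading the agent's NDJSON log for the output-connection failure, then confirming that the host you put in Fleet > Settings > Outputs is actually resolvable and reachable from the agent machine) can be scripted. The following is an added example written for this thread, not code from Elastic or Security Onion. It assumes Python is available on the agent host, that the agent log files are NDJSON files under the `data\elastic-agent-*\logs` directory (assumed layout), and that a URL without a port means port 9200 (the Beats/Agent default). The sample log lines are copied from the posts above; the candidate URLs at the bottom are placeholders.

```python
"""Triage an Elastic Agent log for output failures and probe a Fleet output URL.

Added example for this thread (not Elastic or Security Onion code).
"""
import json
import re
import socket
import ssl
from pathlib import Path
from urllib.parse import urlparse

# Pulls the hostname out of the transport warning seen in the thread:
#   DNS lookup failure "securityonion": lookup securityonion: no such host
DNS_FAILURE_RE = re.compile(r'DNS lookup failure "(?P<host>[^"]+)"')

# Sample input copied from the posts above (four info lines, one DNS warning).
# Raw string so the JSON escapes (\") survive intact.
SAMPLE_LOG = r"""
{"log.level":"info","@timestamp":"2024-11-18T14:53:09.443Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":586},"message":"Spawned new component beat/metrics-monitoring: Starting: spawned pid '16824'","log":{"source":"elastic-agent"},"component":{"id":"beat/metrics-monitoring","state":"STARTING"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-18T14:53:09.692Z","log.origin":{"file.name":"cmd/run.go","file.line":360},"message":"reexec shutdown channel triggered","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-18T14:53:09.892Z","log.logger":"reexec","log.origin":{"file.name":"reexec/reexec_windows.go","file.line":36},"message":"Running as Windows service; triggering service restart","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2024-11-18T14:53:35.621Z","log.logger":"transport","log.origin":{"file.name":"transport/tcp.go","file.line":53},"message":"DNS lookup failure \"securityonion\": lookup securityonion: no such host","ecs.version":"1.6.0"}
"""


def load_agent_logs(log_dir):
    """Concatenate every *.ndjson file in an agent log directory (assumed naming)."""
    return "\n".join(p.read_text(encoding="utf-8", errors="replace")
                     for p in sorted(Path(log_dir).glob("*.ndjson")))


def parse_agent_log(text):
    """Yield one dict per NDJSON record; silently skip non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_output_failures(text):
    """Return warn/error records that look like output (Elasticsearch) problems."""
    findings = []
    for rec in parse_agent_log(text):
        level = rec.get("log.level", "")
        if level not in ("warn", "error"):
            continue
        msg = rec.get("message", "")
        match = DNS_FAILURE_RE.search(msg)
        if match or "elasticsearch" in msg.lower() or "connection" in msg.lower():
            findings.append({
                "timestamp": rec.get("@timestamp"),
                "level": level,
                "message": msg,
                "host": match.group("host") if match else None,
            })
    return findings


def unresolvable_hosts(text):
    """Distinct hostnames the agent could not resolve, per the log."""
    return sorted({f["host"] for f in find_output_failures(text) if f["host"]})


def check_output(url, timeout=3.0):
    """Probe a Fleet output URL from this machine: DNS, then TCP, then TLS.

    Certificate trust is configured on the Fleet output itself, so the TLS
    step only confirms a TLS server answers; it does not validate the cert.
    """
    u = urlparse(url)
    host, port = u.hostname, u.port or 9200  # 9200 assumed when the URL omits a port
    result = {"host": host, "port": port, "dns_ok": False, "addresses": [],
              "tcp_ok": False, "tls_ok": False, "error": None}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result["error"] = f"DNS: {exc}"
        return result
    result["dns_ok"] = True
    result["addresses"] = sorted({info[4][0] for info in infos})
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp_ok"] = True
            if u.scheme == "https":
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE  # diagnostic only, see docstring
                with ctx.wrap_socket(sock, server_hostname=host):
                    result["tls_ok"] = True
    except OSError as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    for f in find_output_failures(SAMPLE_LOG):
        print(f["timestamp"], f["level"], f["message"])
    for host in unresolvable_hosts(SAMPLE_LOG):
        print("unresolvable from this machine per agent log:", host)
    # Placeholder candidates: swap in the value you intend to put in Fleet > Settings.
    for candidate in ("https://securityonion.invalid:9200", "https://127.0.0.1:1"):
        print(candidate, check_output(candidate))
```

Run it on the agent host, pointing `load_agent_logs` at the agent's log directory, and feed the candidate output URL to `check_output`; only a result with `dns_ok`, `tcp_ok` and (for https) `tls_ok` all true is worth saving in Fleet > Settings. Note that ping succeeding is not enough on its own: the agent needs the Elasticsearch port open as well, which is why the probe connects to the port rather than sending ICMP.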

I tried using the eval mode installation type. Could you confirm if the eval mode doesn't support the Elastic Agent? Or is there any alternative method to get Windows logs into Security Onion in eval mode?

Hi, for specific questions about Security Onion I'd recommend reaching out on their forum or GitHub.