Elastic Agent (Security Onion)

chamara_sandun · November 15, 2024, 2:40pm

I installed Security Onion to enhance my knowledge. I followed the documentation for the setup but faced several issues.

After setting it up, my main goal was to get Windows event logs into Security Onion. I installed the Elastic Agent as per the documentation, and at first, I could see it in the fleet agents as healthy. However, after a few minutes, it turned unhealthy and showed an error in the "Elastic Defend - Endpoint" integration saying: "Endpoint, Degraded, Applied policy {597140a3-d96e-40fa-bc7f-9e0fd0570139}, No policy response available, Elasticsearch connection failure." I found a suggestion to delete the "Elastic Defend - Endpoint" section, and after doing that, the agent now stays healthy. Was deleting that the correct action?
Unfortunately, I still haven’t received any logs from the Windows machine where the agent is installed. What do you think could be causing this?
After installing the Elastic Agent/Elastic-endpoint, do we need to modify the elastic-agent.yml and elastic-endpoint.yml files for log collection?

I’ve read the documentation and tried different ways, but I’ve been struggling with this for a week. If you have some time, I would appreciate your help.

Thanks in advance!

strawgate · November 16, 2024, 5:44am

If you're enrolling in fleet the local configuration file is generally ignored.

My guess is if you looked at the elastic agent log file you'd see that it's failing to connect to Elasticsearch. If you login to kibana -> fleet -> settings there is a section for the Elasticsearch connection that you should double check the Elasticsearch host and port.

Once you have that fixed you'll likely see windows logs and you'll likely be able to use endpoint.

If you still have issues, the next step would be to share the log file from the running elastic agent. They are in the elastic agent\data folder under program files

chamara_sandun · November 18, 2024, 3:06pm

Thank you for the response!

I checked Fleet, and the agent is connected and shows healthy status with the last check-in as "Running". However, I’m still not getting Windows logs. I attached the log file for more details.

Any specific suggestions on what to check next?

Last few Logs :-

{"log.level":"info","@timestamp":"2024-11-18T14:53:09.443Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":586},"message":"Spawned new component beat/metrics-monitoring: Starting: spawned pid '16824'","log":{"source":"elastic-agent"},"component":{"id":"beat/metrics-monitoring","state":"STARTING"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-18T14:53:09.443Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":593},"message":"Spawned new unit beat/metrics-monitoring-metrics-monitoring-beats: Starting: spawned pid '16824'","log":{"source":"elastic-agent"},"component":{"id":"beat/metrics-monitoring","state":"STARTING"},"unit":{"id":"beat/metrics-monitoring-metrics-monitoring-beats","type":"input","state":"STARTING"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-18T14:53:09.444Z","log.origin":{"file.name":"coordinator/coordinator.go","file.line":593},"message":"Spawned new unit beat/metrics-monitoring: Starting: spawned pid '16824'","log":{"source":"elastic-agent"},"component":{"id":"beat/metrics-monitoring","state":"STARTING"},"unit":{"id":"beat/metrics-monitoring","type":"output","state":"STARTING"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-18T14:53:09.692Z","log.origin":{"file.name":"cmd/run.go","file.line":360},"message":"reexec shutdown channel triggered","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-18T14:53:09.892Z","log.logger":"reexec","log.origin":{"file.name":"reexec/reexec_windows.go","file.line":36},"message":"Running as Windows service; triggering service restart","log":{"source":"elastic-agent"},"ecs.version":"1.6.0"}

strawgate · November 18, 2024, 7:43pm

Can you attach the full log? Perhaps upload to a github gist or something similar?

chamara_sandun · November 19, 2024, 4:33am

Google Drive Link To Access All Logs

strawgate · November 19, 2024, 6:04am

I think the link may not have pasted correctly as that link is a hyperlink to my comment on your post

chamara_sandun · November 19, 2024, 9:09am

https://drive.google.com/drive/folders/1aOEaCCuMP5xvj0vBep4eqE0Ui4EzKMmM?usp=drive_link

strawgate · November 19, 2024, 5:29pm

{"log.level":"warn","@timestamp":"2024-11-18T14:53:35.621Z","log.logger":"transport","log.origin":{"file.name":"transport/tcp.go","file.line":53},"message":"DNS lookup failure \"securityonion\": lookup securityonion: no such host","ecs.version":"1.6.0"}

It looks like your Elasticsearch output is set to https://securityonion:9200 and that hostname is not resolvable from the node running Elastic Agent.

If you navigate to Kibana, under Fleet > Settings, you can find the Output settings and modify it to a hostname that is resolvable from the agent.

Topic		Replies	Views
Elastic Agent + Proxy + Fleet Server in Cloud not ingesting logs Elastic Security fleet , elastic-agent	2	922	June 13, 2022
How do I troubleshoot elastic agent not sending any logs to siem app SIEM	6	1097	November 9, 2021
Elastic-endpoint installed although defend integration is not applied to policy Endpoint Security	5	399	March 7, 2024
Elastic agent Unhealthy Endpoint Security fleet , elastic-agent	2	2704	September 9, 2022
Elastic-Agent installed, but not viewable in Security Hosts tab or logs in Kibana Endpoint Security docker , fleet	9	2453	April 4, 2022

Elastic Agent (Security Onion)

Related topics