Elastic agent showing unhealthy with windows system


I have install Elastic Agent 7.11.1 on windows server 2012 and enroll it with Fleet.
Agent policy has 2 different integration as bellow:

  1. System
  2. Endpoint security

Elastic agent write the logs in windows server as bellow:

2021-02-24T13:02:52.483Z	ERROR	application/fleet_gateway.go:168	failed to dispatch actions, error: operator: failed to execute step sc-run, error: operation 'Exec' failed: : operation 'Exec' failed: 

This agent also shown as unhealthy in kibana UI as like bellow:

Same elastic agent configuration is working fine with centos.
I am using ELK stack v7.11.1

Please help me, to out from this situation.

Hi @jaykansagara thanks for checking out Endpoint Security!

I assume when you remove the Endpoint integration this issue goes away?

To help narrow down why Endpoint Security is failing to install can you do the following and share the install logs. One possible issue you might be hitting is if you installed a 32bit Agent (x86 download) on a 64bit machine. That is a known issue we're working to address. The solution to that is to install the x86_64 Agent in place of the x86 one.

  1. In the elastic-agent download zip, enter the directory data/elastic-agent-9b2fec/downloads (the elastic-agent-* directory might have a different hash in its name)
  2. Unzip endpoint security (unzip endpoint-security-7.11.1-windows-x86_64.zip)
  3. Try to install Endpoint directly and see what its log output is. To do this run cd endpoint-security-7.12.0-windows-x86_64 & endpoint-security.exe install --resources endpoint-security-resources.zip --log stdout --log-level trace

Make sure to install Endpoint from a Administrator cmd.exe prompt. Endpoint running without Agent is not supported, so after you install to check the logs, please uninstall with the command endpoint-security.exe uninstall.

A github issue to track automating the presentation of these logs in the UI is here

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.