Hello,
because the new fleet stuff doesn't work for me (see here), I tried setting up an elastic agent in "stand alone" mode.
In Kibana>Fleet>Agents I clicked on "Add agent", downloaded the EA files and extracted them to a folder in C:\Program Files (x86)\elastic-agent-7.11-windows-x86_64, and then replaced the config file in that folder with the one provided in the Kibana "Add Agent" menu (elastic-agent.yml). The policy I am using contains "System" and "Endpoint Security".
After that I executed elastic-agent.exe in PowerShell (admin) with the parameter "install --insecure" (I use it in LAN/VPN only); the installation was successful, and in Kibana under Security>Hosts the Windows host was listed.
Now my problem:
The events I am getting in the Timeline all have "event.category" set to either "authentication", "configuration", "iam" or "process". The latter are not actual processes, but just other kinds of authentication processes. No process start, no process name, no network connection events, no file events, nothing at all in comparison to a normal Fleet installation.
Is there a setting I overlooked? In the elastic-agent.yml I could clearly see that many different types of events are set to be captured, but none of that is sent to Kibana, just these uninteresting auth events from Windows and what seems to be the log file of elastic-agent's beats itself.
Please help.
TL;DR: I tried to add an agent to Elastic Security without Fleet, and log data is being sent, just not the relevant data.