Elastic agent Unhealthy

Hi,
I have my Elastic cluster, Kibana and Fleet up and running. Now I created a new agent policy; it has the Endpoint and System integrations. When I add the agent to the client system, the agent installs successfully and is Healthy, but after 2 to 5 minutes the agent status becomes Unhealthy.

And I am getting only System events, but not Endpoint Security events.

Can anyone help me solve this issue? I need my agents to be Healthy and sending all types of events.

@MAPER Thanks for trying Endpoint Security. Apologies for the late reply.

It looks like Endpoint may not have successfully installed on your Host machines.

Depending on the OS you're using, you can check for the existence of the Endpoint installation folder like below. This verifies that the Endpoint installed.

Windows:
check for the existence of: c:\Program Files\Elastic\Endpoint

macOS:
check for the existence of: /Library/Elastic/Endpoint

Linux:
check for the existence of: /opt/Elastic/Endpoint

If none of those exist, then the Endpoint isn't installing correctly. If that is the case, do you have any other Security software on your hosts that may be conflicting with the Endpoint?

If the installation paths do exist, can you send us the Endpoint logs?

As root or admin, do the following, depending on OS.

Windows:
Zip up and attach the contents of: c:\Program Files\Elastic\Endpoint\state\log

macOS:
Zip up and attach the contents of: /Library/Elastic/Endpoint/state/log

Linux:
Zip up and attach the contents of: /opt/Elastic/Endpoint/state/log

One potential problem is that the Endpoint isn't properly configured to stream to your Elasticsearch instance. Inside of the logs you can check for a line similar to the below:

{"@timestamp":"xxxx","agent":{"id":"xxxx","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"notice","origin":{"file":{"line":86,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:86 Elasticsearch connection is down","process":{"pid":xxxx,"thread":{"id":xxxx}}}

"Elasticsearch connection is down" is the key string to search for.

Let me know what you find.
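A small triage script for the two checks in this reply, added here as an example and not Elastic's own tooling: it resolves the install and log directories quoted above for the running OS and scans NDJSON log lines for the key string. The sample log lines are constructed, and reading every file under state/log is an assumption about the log layout.

```python
import json
import platform
from pathlib import Path

# Install directories quoted in the reply; logs live under state/log in each.
ENDPOINT_DIRS = {
    "Windows": Path(r"C:\Program Files\Elastic\Endpoint"),
    "Darwin": Path("/Library/Elastic/Endpoint"),
    "Linux": Path("/opt/Elastic/Endpoint"),
}
KEY_STRING = "Elasticsearch connection is down"


def endpoint_paths(system=None):
    """Return (install_dir, log_dir) for a platform.system() name."""
    base = ENDPOINT_DIRS[system or platform.system()]
    return base, base / "state" / "log"


def find_connection_down(lines):
    """Scan NDJSON log lines; return one record per matching message."""
    hits = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank, truncated or non-JSON line: skip, do not abort
        if isinstance(entry, dict) and KEY_STRING in entry.get("message", ""):
            origin = entry.get("log", {}).get("origin", {}).get("file", {})
            hits.append({
                "timestamp": entry.get("@timestamp"),
                "source": f"{origin.get('name')}:{origin.get('line')}",
            })
    return hits


# Constructed sample log: one healthy line, one failure, one non-JSON line.
SAMPLE_LOG = [
    '{"@timestamp":"2021-09-01T10:00:00Z","log":{"level":"info","origin":{"file":{"line":12,"name":"Main.cpp"}}},"message":"Main.cpp:12 Endpoint started"}',
    '{"@timestamp":"2021-09-01T10:02:00Z","log":{"level":"notice","origin":{"file":{"line":86,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:86 Elasticsearch connection is down"}',
    "not json at all",
]

if __name__ == "__main__":
    install_dir, log_dir = endpoint_paths()
    print(f"{install_dir} exists={install_dir.exists()}; {log_dir} exists={log_dir.exists()}")
    # Assumption: every regular file under state/log is an NDJSON log; fall back to the sample.
    lines = [l for p in log_dir.iterdir() if p.is_file() for l in p.read_text(errors="replace").splitlines()] if log_dir.exists() else SAMPLE_LOG
    for hit in find_connection_down(lines):
        print(hit)
```

Run it as root or admin on the affected host; a non-empty list of hits is the signal the reply describes, while an empty list with the install directory present points elsewhere.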
