@MAPER Thanks for trying Endpoint Security. Apologies for the late reply.
It looks like Endpoint may not have successfully installed on your Host machines.
Depending on the OS you're using, you can check for the existence of the Endpoint installation folder like below. This verifies that the Endpoint installed.
Windows:
check for the existence of: c:\Program Files\Elastic\Endpoint
macOS:
check for the existence of: /Library/Elastic/Endpoint
Linux:
check for the existence of: /opt/Elastic/Endpoint
If none of those exist, then the Endpoint isn't installing correctly. If that is the case, do you have any other Security software on your hosts that may be conflicting with the Endpoint?
If the installation paths do exist, can you send us the Endpoint logs?
As root or admin, do the following depending on OS.
Windows:
Zip up and attach the contents of: c:\Program Files\Elastic\Endpoint\state\log
macOS:
Zip up and attach the contents of: /Library/Elastic/Endpoint/state/log
Linux:
Zip up and attach the contents of: /opt/Elastic/Endpoint/state/log
One potential problem is that the Endpoint isn't properly configured to stream to your Elasticsearch instance. Inside of the logs you can check for a line similar to the below:
{"@timestamp":"xxxx","agent":{"id":"xxxx","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"notice","origin":{"file":{"line":86,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:86 Elasticsearch connection is down","process":{"pid":xxxx,"thread":{"id":xxxx}}}
"Elasticsearch connection is down" is the key string to search for.
Let me know what you find.
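The checks described in the reply above (does the per-OS install folder exist, and does `state/log` contain the "Elasticsearch connection is down" message) can be run in one pass. The script below is an added example, not code from the forum post or from Elastic; the install and log paths and the key string come from the post, while the sample log lines and the helper names (`endpoint_installed`, `find_connection_down`, `scan_log_dir`) are constructed for illustration.

```python
"""Added example (not from the original post): verify an Elastic Endpoint install
and search its logs for the "Elasticsearch connection is down" message."""
import json
import platform
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Install locations quoted in the post, keyed by the value platform.system() returns.
INSTALL_DIRS = {
    "Windows": Path(r"C:\Program Files\Elastic\Endpoint"),
    "Darwin": Path("/Library/Elastic/Endpoint"),
    "Linux": Path("/opt/Elastic/Endpoint"),
}
LOG_SUBDIR = Path("state") / "log"
KEY_STRING = "Elasticsearch connection is down"

# Constructed sample log lines in the shape shown in the post (values are made up).
SAMPLE_LOG_LINES = [
    '{"@timestamp":"2021-09-01T10:00:00.000Z","agent":{"id":"a1","type":"endpoint"},'
    '"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":12,'
    '"name":"Startup.cpp"}}},"message":"Startup.cpp:12 Endpoint service starting",'
    '"process":{"pid":1234,"thread":{"id":5678}}}',
    '{"@timestamp":"2021-09-01T10:00:05.000Z","agent":{"id":"a1","type":"endpoint"},'
    '"ecs":{"version":"1.11.0"},"log":{"level":"notice","origin":{"file":{"line":86,'
    '"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:86 '
    'Elasticsearch connection is down","process":{"pid":1234,"thread":{"id":5678}}}',
    "not json at all but mentions Elasticsearch connection is down",
]


def install_dir_for(system: str) -> Optional[Path]:
    """Return the expected Endpoint install folder for a platform.system() value."""
    return INSTALL_DIRS.get(system)


def endpoint_installed(system: Optional[str] = None) -> bool:
    """True if the install folder for this (or the given) OS exists on disk."""
    install_dir = install_dir_for(system or platform.system())
    return install_dir is not None and install_dir.is_dir()


def find_connection_down(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return log entries whose message contains KEY_STRING.

    Lines are parsed as the one-JSON-object-per-line format the post shows; a line
    that is not valid JSON falls back to a plain substring match so nothing is missed.
    """
    hits: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            if KEY_STRING in raw:
                hits.append({"timestamp": "", "level": "", "message": raw})
            continue
        message = str(entry.get("message", ""))
        if KEY_STRING in message:
            hits.append({
                "timestamp": str(entry.get("@timestamp", "")),
                "level": str(entry.get("log", {}).get("level", "")),
                "message": message,
            })
    return hits


def scan_log_dir(log_dir: Path) -> List[Dict[str, str]]:
    """Scan every file under state/log for the key message."""
    hits: List[Dict[str, str]] = []
    for path in sorted(log_dir.glob("*")):
        if path.is_file():
            with path.open(encoding="utf-8", errors="replace") as fh:
                hits.extend(find_connection_down(fh))
    return hits


if __name__ == "__main__":
    system = platform.system()
    install_dir = install_dir_for(system)
    if install_dir is None:
        print(f"No known Endpoint install path for {system}")
    elif not endpoint_installed(system):
        print(f"Endpoint install folder missing: {install_dir} (install did not complete)")
    else:
        log_dir = install_dir / LOG_SUBDIR
        hits = scan_log_dir(log_dir) if log_dir.is_dir() else []
        print(f"Install folder present: {install_dir}")
        print(f"'{KEY_STRING}' occurrences in {log_dir}: {len(hits)}")
        for hit in hits:
            print(f"  {hit['timestamp']} [{hit['level']}] {hit['message']}")
```

Run it as root or admin on the host in question; if the install folder is missing it reports that, otherwise it counts and prints the connection-down entries so you know whether the Endpoint is failing to reach Elasticsearch before zipping up `state/log`.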