Hi folks! Recently, I updated my cloud deployment to Elastic Security 8.15.1, as well as the agents. In both environments, with this version, you may notice the following behavior: Elastic Agent has a healthy status but does not send logs. After restarting the agents, the logs will check the deployment.
I use Elastic Security to collect logs, NetFlow and Windows events. Is anyone going through the same situation?
Below are some logs I collected; however, I was not able to detect any abnormalities.
11:34:23.413 elastic_agent [elastic_agent][debug] Checking started
11:34:23.474 elastic_agent [elastic_agent][info] control checkin v2 protocol has chunking enabled
11:34:23.475 elastic_agent [elastic_agent][info] Component state changed osquery-default (STARTING->HEALTHY): Healthy: communicating with pid '1519813'
11:34:23.549 elastic_agent [elastic_agent][debug] Starting component "cel-default"
11:34:23.550 elastic_agent [elastic_agent][info] Spawned new component cel-default: Starting: spawned pid '1519831'
11:34:23.550 elastic_agent [elastic_agent][info] Spawned new unit cel-default: Starting: spawned pid '1519831'
11:34:23.550 elastic_agent [elastic_agent][info] Spawned new unit cel-default-cel-ti_abusech-fa29b35c-e222-41e3-8e18-38ab3e3fa87b: Starting: spawned pid '1519831'
11:34:23.635 elastic_agent [elastic_agent][debug] using previously saved ack token: c071ce9c-a244-499f-8f71-864460a98267
11:34:23.635 elastic_agent [elastic_agent][debug] correcting agent loglevel from debug to debug using coordinator state
11:34:23.635 elastic_agent [elastic_agent][debug] Request method: POST, path: /api/fleet/agents/714b5cf8-0504-466f-be7c-3218c40478b3/checkin, reqID: 01J8FMW50KNE2N9J1T0YY6YQE5
11:34:23.635 elastic_agent [elastic_agent][debug] Creating new request to request URL https://63dc335ad919436295391db05b7e19e6.fleet.us-east-1.aws.found.io:443/api/fleet/agents/714b5cf8-0504-466f-be7c-3218c40478b3/checkin?
11:34:23.798 elastic_agent [elastic_agent][info] control checkin v2 protocol has chunking enabled
11:34:23.799 elastic_agent [elastic_agent][info] Component state changed cel-default (STARTING->HEALTHY): Healthy: communicating with pid '1519831'
11:34:23.945 elastic_agent [elastic_agent][info] Unit state changed udp-default (STARTING->HEALTHY): Healthy
11:34:23.945 elastic_agent [elastic_agent][info] Unit state changed udp-default-udp-fortinet-3bf8596a-a4f6-4851-9ce5-e5eba10c1cb6 (STARTING->HEALTHY): Healthy
11:34:24.120 elastic_agent [elastic_agent][debug] Starting component "httpjson-default"
11:34:24.121 elastic_agent [elastic_agent][info] Spawned new component httpjson-default: Starting: spawned pid '1519848'
11:34:24.121 elastic_agent [elastic_agent][info] Spawned new unit httpjson-default-httpjson-ti_otx-c1c15beb-8e75-48ee-825b-a832cbade517: Starting: spawned pid '1519848'
11:34:24.121 elastic_agent [elastic_agent][info] Spawned new unit httpjson-default-httpjson-cisa_kevs-2828f5a1-9229-478f-aecf-51fb8ea9ea44: Starting: spawned pid '1519848'
11:34:24.121 elastic_agent [elastic_agent][info] Spawned new unit httpjson-default: Starting: spawned pid '1519848'
11:34:24.397 elastic_agent [elastic_agent][info] Unit state changed netflow-default-netflow-netflow-826693eb-d002-4da7-9a1b-fb5e6f5b3405 (STARTING->HEALTHY): Healthy
11:34:24.398 elastic_agent [elastic_agent][info] Unit state changed netflow-default (STARTING->HEALTHY): Healthy
11:34:24.478 elastic_agent [elastic_agent][info] Unit state changed osquery-default (STARTING->HEALTHY): Healthy
11:34:24.479 elastic_agent [elastic_agent][info] Unit state changed osquery-default-ba4588e6-685c-4060-a339-a49183b1dc1b (STARTING->HEALTHY): Healthy
11:34:24.552 elastic_agent [elastic_agent][info] control checkin v2 protocol has chunking enabled
11:34:24.552 elastic_agent [elastic_agent][info] Component state changed httpjson-default (STARTING->HEALTHY): Healthy: communicating with pid '1519848'
11:34:24.572 elastic_agent [elastic_agent][debug] Starting component "log-default"
11:34:24.573 elastic_agent [elastic_agent][info] Spawned new component log-default: Starting: spawned pid '1519999'
11:34:24.573 elastic_agent [elastic_agent][info] Spawned new unit log-default-logfile-system-db513aef-0ba7-4ece-a945-27891bbabe47: Starting: spawned pid '1519999'
11:34:24.573 elastic_agent [elastic_agent][info] Spawned new unit log-default: Starting: spawned pid '1519999'
11:34:24.715 elastic_agent [elastic_agent][debug] Starting component "filestream-monitoring"
11:34:24.804 elastic_agent [elastic_agent][info] Unit state changed cel-default (STARTING->HEALTHY): Healthy
11:34:24.882 elastic_agent [elastic_agent][info] Unit state changed cel-default-cel-ti_abusech-fa29b35c-e222-41e3-8e18-38ab3e3fa87b (STARTING->HEALTHY): Healthy
11:34:24.953 elastic_agent [elastic_agent][info] control checkin v2 protocol has chunking enabled
11:34:25.275 elastic_agent [elastic_agent][info] control checkin v2 protocol has chunking enabled
11:34:25.275 elastic_agent [elastic_agent][info] Component state changed log-default (STARTING->HEALTHY): Healthy: communicating with pid '1519999'
11:34:25.558 elastic_agent [elastic_agent][info] Unit state changed httpjson-default (STARTING->HEALTHY): Healthy
11:34:25.561 elastic_agent [elastic_agent][info] Unit state changed httpjson-default-httpjson-ti_otx-c1c15beb-8e75-48ee-825b-a832cbade517 (STARTING->HEALTHY): Healthy
11:34:25.561 elastic_agent [elastic_agent][info] Unit state changed httpjson-default-httpjson-cisa_kevs-2828f5a1-9229-478f-aecf-51fb8ea9ea44 (STARTING->HEALTHY): Healthy
11:34:26.280 elastic_agent [elastic_agent][info] Unit state changed log-default (STARTING->HEALTHY): Healthy
11:34:26.283 elastic_agent [elastic_agent][info] Unit state changed log-default-logfile-system-db513aef-0ba7-4ece-a945-27891bbabe47 (STARTING->HEALTHY): Healthy
11:35:05.967 elastic_agent netflow-v9] FlowSet ID 262 length 84","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"netflow-default","type":"netflow"},"log":{"source":"netflow-default"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"input.netflow","log.origin":{"file.line":228,"file.name":"netflow/input.go","function":"github.com/elastic/beats/v7/x-pack/filebeat/input/netflow.(*logDebugWrapper).Write"},"ecs.version":"1.6.0"}
11:36:45.967 elastic_agent mponent":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"httpjson-default","type":"httpjson"},"log":{"source":"httpjson-default"},"target":"timestamp","value":"2024-09-23T13:36:39Z","log.origin":{"file.line":146,"file.name":"httpjson/value_tpl.go","function":"github.com/elastic/beats/v7/x-pack/filebeat/input/httpjson.tryDebugTemplateValue"},"service.name":"filebeat","id":"httpjson-ti_otx.threat-c1c15beb-8e75-48ee-825b-a832cbade517","input_source":"https://otx.alienvault.com/api/v1/indicators/export","input_url":"https://otx.alienvault.com/api/v1/indicators/export","ecs.version":"1.6.0","log.logger":"input.httpjson-cursor","ecs.version":"1.6.0"}
11:37:35.967 elastic_agent "type":"filestream"},"log":{"source":"filestream-monitoring"},"log.origin":{"file.line":212,"file.name":"add_docker_metadata/add_docker_metadata.go","function":"github.com/elastic/beats/v7/libbeat/processors/add_docker_metadata.(*addDockerMetadata).Run"},"service.name":"filebeat","ecs.version":"1.6.0","log.logger":"add_docker_metadata","ecs.version":"1.6.0"}