Hello everyone, I have this problem and I am looking for your help.
I created a new policy in Fleet that includes the Elastic Defend integration, but my newly registered Elastic Agent is not registered to the host of the endpoint. Why is this? What is the solution, or what is the problem, if I query this?
It's worth mentioning that I used Logstash to export the data.
Hello there,
Can you check the following:
1. Is the Elastic Defend package installed on the host?
Are the related folders & files created with proper Fleet/ES or Logstash parameters?
On Windows:
On Linux:
ls -l /opt/Elastic/Endpoint/
sudo cat /opt/Elastic/Endpoint/elastic-endpoint.yaml
2. Data Ingestion
Are you receiving any events from the Elastic Defend package?
Check for the following data streams. Do you have any of the following DataStreams created? (Assuming you enabled log collection within the Elastic Defend configuration)
3. Transform Status
If the Elastic Defend package is installed and the DataStreams are created (and you have validated that logs from this specific endpoint are arriving in one of the above endpoint-related DataStreams, filtering on host.name in Discover), double-check that the Transform jobs used to visualise endpoint status are running and healthy:
Regards
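
The Linux part of check 1 above as a script. This is an added example, not part of either post and not Elastic's own tooling. The function names are hypothetical, and it assumes `elastic-endpoint.yaml` is YAML with a top-level `output:` mapping whose first child key names the output type.

```shell
#!/usr/bin/env bash
# Added example: local check for step 1 on a Linux host (run as root, since
# the reply reads the config with sudo).
# Return codes: 0 = ok, 1 = install dir missing, 2 = config missing or empty,
#               3 = config present but no output block found.

ENDPOINT_DIR_DEFAULT="/opt/Elastic/Endpoint"   # path taken from the reply above

# Print the first key under a top-level "output:" mapping.
# Assumption: that key is the output type (e.g. logstash or elasticsearch).
endpoint_output_type() {
    awk '
        /^output:[[:space:]]*$/        { in_out = 1; next }
        in_out && /^[^[:space:]#]/     { exit }   # reached the next top-level key
        in_out && /^[[:space:]]+[A-Za-z_]+:/ {
            gsub(/[[:space:]:]/, "", $1); print $1; exit
        }
    ' "$1"
}

check_endpoint_install() {
    local dir="${1:-$ENDPOINT_DIR_DEFAULT}"
    local cfg="$dir/elastic-endpoint.yaml"
    local out

    [ -d "$dir" ] || { echo "FAIL: $dir not found (Elastic Defend not installed?)"; return 1; }
    [ -s "$cfg" ] || { echo "FAIL: $cfg missing or empty"; return 2; }

    out="$(endpoint_output_type "$cfg")"
    [ -n "$out" ] || { echo "FAIL: no output block found in $cfg"; return 3; }

    # With data shipped through Logstash, as in the question, this should say
    # logstash; anything else means the policy output did not reach the endpoint.
    echo "OK: endpoint config present, output type: $out"
    return 0
}

# Run the check only when asked: ./check.sh --check [dir]
if [ "${1:-}" = "--check" ]; then
    check_endpoint_install "${2:-$ENDPOINT_DIR_DEFAULT}"
fi
```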