Elastic Defend integration failing on eck-agent helm chart pods

I've installed the ECK-Stack helm charts in order to use the Elastic security features. I have Elasticsearch, Kibana, Fleet, and 3 Agents installed, all on version 8.15.0.

I've got my security rules working for most integrations. However, when I try to install the Elastic Defend integration for data collection, my agents are erroring on installing the integration.

Each agent is saying that the ElasticEndpoint service already exists, but that can't be true because I never installed it. I checked both the host machine and the running container to see if the service was running, but it looks like it wasn't running on either.

I noticed that the endpoint-security binary and policy already existed in my eck-agent containers at /data/{agent_id}/components/endpoint-security and /data/{agent_id}/components/endpoint-security.spec.yml. Could this be the issue? Looking for any help on debugging this. Thanks!

Could you explain a bit how you arrived at this state? Did you upgrade from an earlier version?

Elastic Defend is no longer supported for containers. Even if you somehow put it there manually it won't work as the procfs paths are different inside a privileged container.

We used to provide a preview version of it. It worked a bit differently than a typical installation. There is no systemd inside a container, so Agent cannot install Endpoint (the daemon for the Elastic Defend integration); instead, the Endpoint and Agent daemons had to be preconfigured (embedded) in the container.

Thanks for the reply! I guess I must have misinterpreted how the Elastic Agents were working. I assumed the Elastic Agents were installing and running the integrations directly on the host machine.

I just found in the docs that it says it isn't supported via the Elastic Agent DaemonSet on Kubernetes:

I'll probably just end up installing the Agent binary directly onto the Kubernetes nodes themselves.