hello team,
i have an elastic + kibana in a hetzner server behind pfsense, my problem is with elastic defend integration, the integration is not working! the agent apear as unhealthy, my setup is the elastic is accesible via a public ip, i believe that the defend integration is trying to access the instance using privat ip! how i can make it work?
thanks in advance
Let me elaborate some thoughts, hopefully it'll help. Obviously I can't be more specific with such limited information.
First of all talking about Elastic Defend, it always goes in tandem with Elastic Agent on the target machine. The Agent is not the EDR service, it's kind of universal coordinator of all Elastic integrations. The service behind Elastic Defend is called Elastic Endpoint.
When you see unhealthy status of Agent in Kibana, it can be unhealthy for reasons other than Defend integration, or indeed the unhealthy status is bubbling up from Endpoint service being unhealthy.
Both services have command line interface for troubleshooting
I'd suggest to start from the end, with Elastic Endpoint service.
The test command is designed specifically to verify accessibility of necessary external resources:
[os dependent path]\elastic-endpoint test output
Resolve any error indicated here. The inspect command might be helpful to verify current policy content vs expected one.
The problem can be also caused by issues with local Agent <-> Endpoint communication. The status command will help here.
Lastly, you can also generate the diagnostics bundle. It gathers fairly comprehensive overview of the Endpoint/Agent state, which is usually sufficient for Elastic support to pin-point any issue.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.