Elastic Defend with Elastic instance in Hetzner

Hello team,

I have an Elastic + Kibana in a Hetzner server behind pfSense. My problem is with the Elastic Defend integration: the integration is not working! The agent appears as unhealthy. My setup is that Elastic is accessible via a public IP; I believe that the Defend integration is trying to access the instance using the private IP! How can I make it work?

Thanks in advance

Let me elaborate some thoughts, hopefully it'll help. Obviously I can't be more specific with such limited information.

First of all, talking about Elastic Defend, it always goes in tandem with Elastic Agent on the target machine. The Agent is not the EDR service; it's a kind of universal coordinator of all Elastic integrations. The service behind Elastic Defend is called Elastic Endpoint.

When you see an unhealthy status of the Agent in Kibana, it can be unhealthy for reasons other than the Defend integration, or indeed the unhealthy status is bubbling up from the Endpoint service being unhealthy.

Both services have a command line interface for troubleshooting.

I'd suggest starting from the end, with the Elastic Endpoint service.
The test command is designed specifically to verify accessibility of necessary external resources:
[os dependent path]\elastic-endpoint test output

Resolve any error indicated here. The inspect command might be helpful to verify current policy content vs expected one.

The problem can also be caused by issues with local Agent <-> Endpoint communication. The status command will help here.

Lastly, you can also generate the diagnostics bundle. It gathers a fairly comprehensive overview of the Endpoint/Agent state, which is usually sufficient for Elastic support to pinpoint any issue.
