It's my first post here, so I would like to say hi to everyone.
I'm testing Elastic Security in our environment. I have installed a few Elastic Agents on Windows Server 2019 and it works like a charm. Then we added the Elastic Endpoint agent to these hosts as well, and all of them (7 to be exact) have the same problem. The Elastic Endpoint service is restarting constantly with the same error in the Windows Event Log:
Faulting application name: elastic-endpoint.exe, version: 188.8.131.52, time stamp: 0x62d6c0d5
Faulting module name: ntdll.dll, version: 10.0.17763.3232, time stamp: 0xd6e0b8e1
Exception code: 0xc0000374
Fault offset: 0x00000000000fc179
Faulting process id: 0x35a0
Faulting application start time: 0x01d8b6128c78df6c
Faulting application path: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 745226ea-c086-45dd-bfc8-60ee05d4001a
Faulting package full name:
Faulting package-relative application ID:
Data comes through; we can see events reported on the Security Dashboard.
Fresh new install of Elastic Stack 8.3.3 from the official repo.
Hosted on local Hyper-V server.
VM OS: Debian 11 up-to-date
Elasticsearch: 3 nodes cluster - security enabled
Kibana, Fleet Server, Logstash installed together on separate vm
Agents: Windows Server 2019 hosted on VMware cluster (Version 1809 build 17763.3283 Installed 2022-08 Cumulative Updates)
All agents have Logstash configured as output, then a simple elasticagent pipeline configured to Elasticsearch.
All elements are on the same subnet.
3 servers with the agent have antivirus installed, 4 do not.
I've googled what I can about this problem in the last week. Here are the most significant changes I tried:
- Adding to whitelist ESET and MS Defender binaries
- Disabling MS Defender on all hosts completely
- Changed the paged pool setting ("Unable to allocate memory - Windows Server | Microsoft Docs"; had a similar issue before)
There are some crash dumps created, but I couldn't find a way to open and read them.
PS C:\Program Files\Elastic\Endpoint> dir .\cache\CrashDumps
Mode LastWriteTime Length Name
-a---- 22.08.2022 13:01 227737795 elastic-endpoint.exe.10244.protected.dmp
-a---- 22.08.2022 12:55 233779993 elastic-endpoint.exe.5540.protected.dmp
-a---- 22.08.2022 12:44 221925767 elastic-endpoint.exe.5560.protected.dmp
-a---- 22.08.2022 12:50 216568289 elastic-endpoint.exe.8436.protected.dmp
-a---- 22.08.2022 12:58 213973501 elastic-endpoint.exe.9076.protected.dmp
I've enabled debug from Fleet > Agent > Logs - pastebin below.
To be clear, this is my first experience with the Elastic Stack and it's highly probable that I'm missing something obvious. I would appreciate it if someone has some idea what else I can try or can point me in the right direction.
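An added triage helper for the crash described above (this is example code written for this thread, not something from the original post or from Elastic): it pulls the "Application Error" event 1000 records for elastic-endpoint.exe from the Application log, decodes the exception code (0xc0000374 is STATUS_HEAP_CORRUPTION, which is why ntdll.dll shows up as the faulting module), and matches each crash to its dump file by PID, since the dumps are named elastic-endpoint.exe.<pid>.protected.dmp. The ".protected" suffix suggests the dumps are not plain minidumps, so the script does not try to open them; it only correlates them with the crash events and reports how frequently the service is faulting. Assumptions: it is run in an elevated PowerShell on one of the affected hosts, and the dump directory is the one shown in the listing above; the decoding table of NTSTATUS values is my own.

```powershell
# Added triage helper (not part of the original post): correlate Windows Error
# Reporting crash events for elastic-endpoint.exe with the dump files in the
# Endpoint cache folder. Assumes an elevated session on an affected host.
$dumpDir = 'C:\Program Files\Elastic\Endpoint\cache\CrashDumps'

# Assumed decoding table for the "Exception code:" field (well-known NTSTATUS values).
$codes = @{
    '0xc0000374' = 'STATUS_HEAP_CORRUPTION (heap corruption detected in ntdll)'
    '0xc0000005' = 'STATUS_ACCESS_VIOLATION'
    '0xc0000409' = 'STATUS_STACK_BUFFER_OVERRUN (fail-fast / GS cookie)'
}

# Event ID 1000 from provider "Application Error" is the record quoted in the post.
$events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'elastic-endpoint\.exe' }

$crashes = foreach ($e in $events) {
    $m = $e.Message

    # Pull the individual fields out of the free-text message body.
    $exc    = if ($m -match 'Exception code:\s*(0x[0-9a-fA-F]+)')        { $Matches[1].ToLower() } else { $null }
    $pidHex = if ($m -match 'Faulting process id:\s*(0x[0-9a-fA-F]+)')   { $Matches[1] }           else { $null }
    $module = if ($m -match 'Faulting module name:\s*([^,]+)')           { $Matches[1] }           else { $null }
    $offset = if ($m -match 'Fault offset:\s*(0x[0-9a-fA-F]+)')          { $Matches[1] }           else { $null }

    # The event logs the PID in hex; the dump file name uses it in decimal.
    $pidDec = if ($pidHex) { [Convert]::ToInt32($pidHex, 16) } else { $null }
    $dump   = $null
    if ($pidDec) {
        $dump = Get-ChildItem -Path $dumpDir -Filter "elastic-endpoint.exe.$pidDec.*.dmp" -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name
    }

    $meaning = if ($exc -and $codes.ContainsKey($exc)) { $codes[$exc] } else { 'unknown' }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        ProcessId = $pidDec
        Exception = $exc
        Meaning   = $meaning
        Module    = $module
        Offset    = $offset
        Dump      = $dump
    }
}

# One line per crash, oldest first, with the matching dump file if one exists.
$crashes | Sort-Object Time | Format-Table -AutoSize

# Crashes per hour: distinguishes a tight restart loop from an occasional fault.
$crashes |
    Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Two things this output makes easy to check before opening a support case: whether every crash carries the same exception code and fault offset (a consistent heap-corruption fault at one offset points at one code path rather than random memory pressure), and whether crashes cluster around the times antivirus scans or policy updates run on the three hosts that have AV installed versus the four that do not.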