I have configured the Beats and EDR and I am getting all the events from the different hosts. I have enabled all the preset security rules, but I am not getting any alerts.
This is the message I get when doing the test.
I have already installed the certificate on the host machine
Hi @Fatima thanks for checking out Endpoint!
When you say "I am getting all the events from the different hosts", what events/documents do you mean are appearing in Elasticsearch/Kibana? Please focus on just documents from the host you ran that elastic-endpoint.exe test output command on.
What I'm trying to understand is which Elastic components are or are not working for you. It is possible for some of the components (Elastic Agent, various Beats depending on the integrations you've installed, or Elastic Endpoint) to work while others do not. It clearly looks like Endpoint is not working, but I am not sure if the problem is isolated to just Endpoint. Knowing that will impact how we diagnose and fix this. The fact that you aren't getting any alerts is probably caused by documents from Endpoint and/or Beats not being successfully written to Elasticsearch, so let's focus on getting those documents written to Elasticsearch for now.
From looking at the output, I think it's worth at least taking a stab at what might be wrong and offering some initial help. It appears that the certificate you've installed isn't valid for the DNS/IP being written to. If this is the case, you can modify the level of SSL verification being done to hopefully address the issue.
In Endpoint's existing config file on disk (c:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml) you should currently see a section like:

    output:
      elasticsearch:
        api_key: REDACTED
        hosts:
          - https://REDACTED
To update the SSL verification, go to Fleet -> Settings. Select the edit icon on the right for the output being used in the Outputs list (it's probably "default"). A right hand fly out will appear. In it, add the following to the Advanced YAML configuration.
    ssl:
      verification_mode: certificate

(verification_mode values are documented online. If certificate does not work, you might want to try none, if that is acceptable for your use case.)
After you hit Save and apply settings, the change will be pushed out to all Agents in your Fleet using that output config. To verify it applied correctly to the Endpoint you're testing with, you can check out c:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml again. You should now see content in it like:

    output:
      elasticsearch:
        api_key: REDACTED
        hosts:
          - https://REDACTED
        ssl:
          verification_mode: certificate
I hope this helps.
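An added example, not from this thread or from Elastic's own code, that models what each ssl.verification_mode value (full, certificate, none) actually checks, so you can see why "certificate" can succeed where the default "full" fails when the output host is an IP or a name that is not in the certificate's SANs. The SAN list and output URL are constructed sample data, and the hostname matching is a simplified reimplementation of the usual rules, not Beats' or Endpoint's TLS code.

```python
"""Model of what Elastic's ssl.verification_mode values check (added example)."""
import ipaddress
from urllib.parse import urlsplit


def _dns_match(pattern: str, host: str) -> bool:
    """Match one DNS SAN entry against a hostname, allowing a single leftmost wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    first, sep, rest = host.partition(".")
    # A wildcard covers exactly one label: "*.es.corp.example" must not match "es.corp.example"
    return bool(first) and bool(sep) and rest == pattern[2:]


def host_matches_cert(host_url: str, dns_sans, ip_sans) -> bool:
    """True if the host part of an output URL is covered by the certificate's SANs."""
    host = urlsplit(host_url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(_dns_match(p, host) for p in dns_sans)
    # An IP literal in the URL is only satisfied by an IP SAN, never by a DNS SAN
    return any(ip == ipaddress.ip_address(s) for s in ip_sans)


def verification_passes(mode: str, chain_trusted: bool, host_url: str, dns_sans, ip_sans) -> bool:
    """Emulate the three verification_mode settings for a given cert and output host."""
    if mode == "none":
        return True                       # nothing is checked at all
    if mode == "certificate":
        return chain_trusted              # chain must be trusted, hostname is ignored
    if mode == "full":
        return chain_trusted and host_matches_cert(host_url, dns_sans, ip_sans)
    raise ValueError(f"unknown verification_mode: {mode}")


# Constructed sample: cert issued for the cluster's DNS name, but the Fleet output points at an IP
CERT_DNS_SANS = ["es.corp.example", "*.es.corp.example"]
CERT_IP_SANS = []
OUTPUT_HOST = "https://10.0.0.5:9200"

if __name__ == "__main__":
    for mode in ("full", "certificate", "none"):
        ok = verification_passes(mode, True, OUTPUT_HOST, CERT_DNS_SANS, CERT_IP_SANS)
        print(f"verification_mode: {mode:<11} -> {'connects' if ok else 'TLS failure'}")
```

Adding the IP to the certificate's IP SANs (or pointing the output at the DNS name the cert was issued for) is what makes "full" pass again, which is the longer-term fix over relaxing the mode.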