Elastic Endpoint - Filebeat - Java Error

mikemitchell · August 27, 2021, 2:17pm

I'm receiving an error message on all of my endpoints utilizing the filebeat agent spawned by the System integration for Windows. I was wondering if it is based on the Java installation of my windows machines or the filebeat implementation.

Version: 7.14.0
data_stream.dataset: system.security

// Cannot invoke "java.util.Map.size()" because "m" is null

Kevin_Logan · September 2, 2021, 5:25pm

@mikemitchell thanks for using Endpoint. Apologies for the late reply.

Can you give some more information here? Are you seeing side effects of this error? For instance, are Endpoints not installing correctly at all? Are you able to get Agents/Endpoints enrolled and visible in the UI?

Or is this an error you're seeing in the Endpoint logs, but otherwise your Agents/Endpoints are running?

mikemitchell · September 23, 2021, 1:46pm

The only side effects of this error is the amount of logging it is causing. We are seeing about 20,000 logs per endpoint in the span of 6 minutes.

The endpoint agents and filebeat are running properly so we are unsure why we are getting these java errors. We are seeing the errors in the actual endpoint logs in Kibana and Elastic.

"error.message": [
  "Cannot invoke \\\"java.util.Map.size()\\\" because \\\"m\\\" is null"
],

mikemitchell · September 23, 2021, 1:58pm

This log is coming from the filebeat implementation of the endpoint policies for Windows Event logging

andrewkroh · September 23, 2021, 2:17pm

Could you share the full JSON event for one of these with the error.message to get more context on where and possibly why this is happening?

What version of the system integration are you running?

acamro · September 25, 2021, 9:19pm

We are seeing the same error for Elastic Agent 7.14.1.

Agent type: filebeat
Windows Event ID: 5156

Message:

The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID: 1132
Application Name: \device\harddiskvolume2\windows\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 172.16.0.205
Destination Port: 57972
Protocol: 17

Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44

I hope this helps something to fix this issue.

andrewkroh · October 4, 2021, 12:44pm

@acamro Could you please check what version of the system integration you have installed. The versioning of the integrations is independent of the Agent version.

MichaelHuff · October 22, 2021, 5:28pm

I am seeing the same logs in my system as well. I am currently running Elastic Agent 7.15, and my system integration version is 1.4

system · November 19, 2021, 5:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.