Elastic endpoint isn't installed after adding Elastic Defend integration

Hello world, I have a problem when testing Elastic Security with "Current plan:Basic".

OS Version: Ubuntu 20.04 for Elastic Agent and Elasticsearch-Kibana-Fleet server
Elastic Stack Version: 8.13.4

I am using the superuser "elastic" to log in to Kibana.

I have an Elasticsearch-Kibana-Fleet server with an auto-signed certificate. I created a policy with some integrations, I downloaded the Elastic Agent on another host and enrolled the policy token. Everything seems alright until I try to add Elastic Defend to this policy.
The status of the machine is "Unhealthy", and the error message is "Elastic Defend requires Elastic Agent to be installed at the default installation path". I find that the package '/opt/Elastic/Endpoint' is not installed.

And the log is

11:00:49.668 elastic_agent [elastic_agent][info] Metrics endpoint listening on: 127.0.0.1:6791 (configured: http://localhost:6791)
11:00:50.808 elastic_agent [elastic_agent][error] Spawned new component endpoint-default: Elastic Defend requires Elastic Agent be installed at the default installation path

I put my conf file here maybe it can help:
-rw-rw---- 1 kibana kibana 7956 mai 10 13:13 kibana.yml:

server.port: 5601
server.host: "0.0.0.0"
server.publicBaseUrl: "https://kibana:5601"
server.ssl.enabled: true
server.ssl.certificateAuthorities: ["/etc/kibana/certs/ca/ca.crt"]
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key
elasticsearch.hosts: ["https://elastic:9200"]
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/ca/ca.crt" ]
elasticsearch.ssl.verificationMode: full
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid

and:
-rwxrwxrwx 1 elasticsearch elasticsearch 4046 mai 10 11:06 elasticsearch.yml

cluster.name: es-demo
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: elastic
http.port: 9200
transport.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  certificate: certs/elastic/elastic.crt
  key: certs/elastic/elastic.key
  certificate_authorities: certs/ca/ca.crt
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["Elastic-Kibana-Fleet"]
http.host: 0.0.0.0

and the command to install elastic-agent is:

#curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.13.4-linux-x86_64.tar.gz
#tar xzvf elastic-agent-8.13.4-linux-x86_64.tar.gz
cd elastic-agent-8.13.4-linux-x86_64
sudo ./elastic-agent install --url=https://fleet-server:8220 --enrollment-token=My_Policy_Enrollment_token --fleet-server-es-ca=./ca-fleet.crt --certificate-authorities=./ca-fleet.crt

the message is:

Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
[ ===] Service Started  [3m50s] Elastic Agent successfully installed, starting enrollment.
[====] Waiting For Enroll...  [3m51s] {"log.level":"info","@timestamp":"2024-05-14T11:00:42.261+0200","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":519},"message":"Starting enrollment to URL: https://fleet-server:8220/","ecs.version":"1.6.0"}
[   =] Waiting For Enroll...  [3m52s] {"log.level":"info","@timestamp":"2024-05-14T11:00:43.537+0200","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":482},"message":"Restarting agent daemon, attempt 0","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-05-14T11:00:43.543+0200","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":300},"message":"Successfully triggered restart on running Elastic Agent.","ecs.version":"1.6.0"}
Successfully enrolled the Elastic Agent.
[   =] Done  [3m52s]                               
Elastic Agent has been successfully installed

I tried to uninstall the agent and reinstall it, but it didn't work. Do you have any ideas for this problem? Did I miss some steps?

Best regards

I assume the second machine is also Ubuntu 22.04?

The installation message indicates that Agent was going to be installed in the default installation path /opt/Elastic/Agent. Is the /opt a regular directory on a root drive or a mount point?

Thank you for your reply, Lesio! :blush:

I have one Agent installed on Ubuntu 20 (and the second one on Ubuntu 16), and my server is also on Ubuntu 20. The directory /opt/ is a regular directory with the correct permissions (drwxr-xr-x). The path for all my Agents is /opt/Elastic/Agent/.

I also tested adding Elastic Defend to the policy of my fleet server, and it worked. I noticed that for the the 'Last updated by' is elastic, while for the (for my fleet server), the 'Last updated by' is system. I'm not sure if this has any impact.

Then, when I clicked to the page of the Data Collection policy (for my Agents), it detected that there are 2 agents, which is correct. However, when I clicked the 'save' button, it said it would update 5 endpoints...

I have no idea what happened to my Data Collection policy

Thanks a lot

The surprising number of endpoints, 5 instead of 2, might be caused by inactive endpoints which you can see going via Fleet page, adding it into view from the Status drop down

Btw, I think installation issues like yours might also be caused by SELinux configuration.

Btw 2, Ubuntu 16 is not supported by 8.13.x, see Support Matrix | Elastic
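
The checks raised in the replies above (is /opt a regular directory or a mount point, what are its permissions, is SELinux involved) can be collected in one pass on the affected host. This is an added example, not part of the original thread and not Elastic's own validation logic; the function names are hypothetical and the paths are the ones quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example: gathers the facts the replies ask about. Not Elastic's code.

# classify_path DIR -> prints: missing | symlink | mountpoint | regular
classify_path() {
    local dir="$1"
    # Test -L first: -d follows symlinks and would describe the target instead.
    if [ -L "$dir" ]; then echo "symlink"; return 0; fi
    if [ ! -d "$dir" ]; then echo "missing"; return 0; fi
    # util-linux mountpoint(1) also recognises bind mounts; when it is absent,
    # fall back to comparing device numbers with the parent directory.
    if command -v mountpoint >/dev/null 2>&1; then
        if mountpoint -q "$dir"; then echo "mountpoint"; return 0; fi
    elif [ "$(stat -c %d "$dir")" != "$(stat -c %d "$dir/..")" ]; then
        echo "mountpoint"; return 0
    fi
    echo "regular"
}

# selinux_mode -> prints Enforcing | Permissive | Disabled | not-installed
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce
    else
        echo "not-installed"
    fi
}

# report [ROOT] -> one line per path component, then the SELinux mode.
# ROOT defaults to /opt, the parent of the install path shown by the installer.
report() {
    local root="${1:-/opt}" p kind
    for p in "$root" "$root/Elastic" "$root/Elastic/Agent" "$root/Elastic/Endpoint"; do
        kind=$(classify_path "$p")
        if [ "$kind" = "missing" ]; then
            printf '%-28s %s\n' "$p" "$kind"
        else
            # Mode and owner, e.g. "drwxr-xr-x root:root"
            printf '%-28s %-10s %s\n' "$p" "$kind" "$(stat -c '%A %U:%G' "$p")"
        fi
    done
    printf 'SELinux: %s\n' "$(selinux_mode)"
}

report "$@"
```

Anything other than "regular" for /opt, /opt/Elastic or /opt/Elastic/Agent is worth including when reporting the problem, along with the SELinux line.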