Hey, sorry for not being here for a couple days.
Alright, I just want to double-check what setup you have. So you have an Elastic Agent that you've manually enrolled in standalone mode (not in Fleet mode). You've configured some integrations (like the System one, which should be enabled by default), including the Endpoint Security integration, in standalone mode in your elastic-agent.yml file on the host. You have this Agent running, and you can see some logs from it in the Observability app. Is this correct?
The problem with that is Elastic documentation says that Endpoint Security requires Agent to be enrolled and managed via Fleet:
To configure the Elastic Agent, Endpoint Security requires enrollment through Fleet to enable the integration.
So I'm guessing - either our docs are not up-to-date, or maybe the Endpoint integration is actually not configured in your Agent configuration. I requested additional comments on that from folks who work on the Endpoint integration.
Meanwhile, what I'd suggest is to follow the official guide and configure Endpoint via Fleet. Also, could you please share your elastic-agent.yml?
When you've done that, I anticipate you might encounter some issues with the Kaspersky antivirus installed on the host. In general, you shouldn't have two or more antivirus products installed on the same machine, because they may conflict with each other. There would be two options in this case:
- disable/uninstall Kaspersky, Microsoft Defender and other AVs on the host
- add them to each other's exceptions (see Issues with Elastic Agent and Defender? - #2 by gabriel.landau for more details)