End point security fails for Elastic Agent with error "Missed two check-ins"

Elastic Security Endpoint Security
1

When I install elastic-agent and fleet-server against a successfully running https/SSL Elasticsearch and Kibana.....The output indicates a successful start and enrolment but a few minutes later the elastic-agent status indicates a failure. Any idea what is the meaning of the errors below ?

root@efire:~# /usr/bin/elastic-agent status
Status: FAILED
Message: (no message)
Applications:

  • metricbeat (HEALTHY)
    Running
  • fleet-server (CONFIGURING)
    Re-configuring
  • filebeat_monitoring (HEALTHY)
    Running
  • metricbeat_monitoring (HEALTHY)
    Running
  • endpoint-security (FAILED)
    Missed two check-ins
  • filebeat (HEALTHY)
    Running
    root@efire:~#
tail -f /opt/Elastic/Endpoint/state/log/endpoint-000000.log

{"@timestamp":"2022-02-17T02:41:31.408567293Z","agent":{"id":"00000000-0000-0000-0000-000000000000","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"notice","origin":{"file":{"line":93,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:93 *No valid comms client available*","process":{"pid":15158,"thread":{"id":15165}}}

sudo ./elastic-agent install --url=https://efire.consulting.com:8220   --fleet-server-es=https://fire.consulting.com:9200   --fleet-server-service-token=<removed>    --fleet-server-policy=2016d7cc-135e-5583-9758-3ba01f5a06e5   --certificate-authorities=/etc/elasticagent/ca.crt   --fleet-server-es-ca=/etc/elasticagent/efire.crt   --fleet-server-cert=/etc/elasticagent/fleet-server/fleet-server.crt   --fleet-server-cert-key=/etc/elasticagent/fleet-server/fleet-server.key
Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:Y
2022-02-16T18:36:06.025Z	INFO	cmd/enroll_cmd.go:743	Waiting for Elastic Agent to start Fleet Server
2022-02-16T18:36:12.038Z	INFO	cmd/enroll_cmd.go:757	Fleet Server - Running on policy with Fleet Server integration: 2016d7cc-135e-5583-9758-3ba01f5a06e5; missing config fleet.agent.id (expected during bootstrap process)
2022-02-16T18:36:12.788Z	INFO	cmd/enroll_cmd.go:454	Starting enrollment to URL: https://efire.consulting.com:8220/
2022-02-16T18:36:13.701Z	INFO	cmd/enroll_cmd.go:254	Successfully triggered restart on running Elastic Agent.
Successfully enrolled the Elastic Agent.
Elastic Agent has been successfully installed.
2

It's hard to say what's happening, need more information. If you are comfortable, please PM the entire log file:

/opt/Elastic/Endpoint/state/log/endpoint-000000.log

EDIT: I can provide an upload link

3

I see this interface isn't allowing me to upload *.log file or *.zip . Will you know the reason? can't even paste more than 35000 characters here apparently.
4

Ok, I will DM an upload link.

5

We looked through the Elastic Endpoint logs, and this appears to be the relevant bits:

"AgentConnectionInfo.cpp:128 Validated agent (5366) is root/admin"
"AgentConnectionInfo.cpp:136 Established stage 1 connection to agent"
"AgentComms.cpp:1001 Connecting to Agent."
... snip ...
"AgentComms.cpp:1025 Unable to make GRPC connection in deadline(60s). Fetching connection info again"

It seems Elastic Endpoint was able to make a bootstrap connection to Elastic Agent but was not able to make a grpc connection. The bootstrap connection uses the IP 127.0.0.1, but the grpc connection uses localhost. Please confirm whether or not localhost exists in /etc/hosts

6

Thanks a lot Nick , Adding an entry for localhost in /etc/hosts makes endpoint security work like a charm .

u@efire:~# /usr/bin/elastic-agent status
Status: HEALTHY
Message: (no message)
Applications:
  * endpoint-security      (HEALTHY)
                           Protecting with policy {xxxxxxxxxxxxxx}
  * filebeat               (HEALTHY)
                           Running
  * fleet-server           (CONFIGURING)
                           Re-configuring
  * filebeat_monitoring    (HEALTHY)
                           Running
  * metricbeat_monitoring  (HEALTHY)
                           Running
  * metricbeat             (HEALTHY)
                           Running
u@efire:~#

PS : Will it help to add this fundamental but obvious configuration option in the documentation ? Will be happy to volunteer for documenting .

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.