Endpoint capability restriction error

We are on a 7.14 stack with 7.14 agent running. I'm seeing an error below which I've never seen before. It causes the Agent state to be degraded.

I'm a bit unclear on the capability restriction 'I deny(*) portion of the error.

Does anyone know what may cause this?

12:33:48.568 elastic_agent [elastic_agent][info] Elastic Agent status changed to: 'online'
12:33:48.568 elastic_agent [elastic_agent][info] input 'endpoint' is not run due to capability restriction 'I deny(*)'
12:33:48.568 elastic_agent [elastic_agent][warn] Elastic Agent status changed to: 'degraded'
12:33:48.573 elastic_agent [elastic_agent][info] New State ID is T4yUJqBY

Have you modified the capabilities.yml file? can you share the content of it?

@ruflin not to my knowledge, I was unaware of such file. Where exactly is it located? I'm not seeing it in the Agent directory.

Hm, if there is no file you should have all the capabilities.

  • What OS are you on?
  • How did you install the Elastic Agent?

@ruflin

We are on Win10 64bit.

But we are using the run command as opposed to the the install command for the agent.

@blaker @Kevin_Logan Any idea what could cause this?

Default capabilities does not include this, so a capabilities.yml would need to be present for that type of message to appear.

I would check the C:\Program Files\Elastic\Agent directory as well as the C:\Program Files\Elastic\Agent\data\elastic-agent-${version} directory to see if a capabilities.yml is present.

There is no capabilities file present in either directory.

image

image

Figured it out, ended up being something pretty simple. The Endpoint integration ended up being added to the Fleet server policy instead of the Agent policy. Just had to remove the integration from fleet server and it went healthy

Glad you figured it out. Yes that would be why that capability was denied, because that policy will not allow that integration.