Endpoint Security agents online but not sending any logs

Hello,

I hope this message finds you healthy and safe.

I am trying to gather logs through Elastic Endpoint Security. I can see the agents online and heartbeats with payload:

```json
{
  "endpoint-security": {
    "@timestamp": "2021-01-09T00:03:34.0428499Z",
    "Endpoint": {
      "configuration": {
        "inputs": [
          {
            "id": "b74b1a70-e523-11ea-bd03-bb1e8c6c445d",
            "policy": {
              "linux": {
                "events": {
                  "file": true,
                  "network": true,
                  "process": true
                },
                "logging": {
                  "file": "info"
                }
              },
              "mac": {
                "events": {
                  "file": true,
                  "network": true,
                  "process": true
                },
                "logging": {
                  "file": "info"
                },
                "malware": {
                  "mode": "prevent"
                }
              },

```

I am, however, not getting any alerts or telemetry data from the systems using the security endpoint. Am I missing something? For example, I tested with the EICAR test malware; it was successfully detected by the agent, but there is no log entry or alert. The data stream shows its last update in August 2020, when I did the first installation. What can I do to diagnose and fix this?

Hi @parthmaniar

It looks like you found the document that specifies what Elastic Endpoint should do on the host (its "policy"), not a document sent by Elastic Endpoint to Elasticsearch.

  1. Do you see any documents from Elastic Agent? What is the Agent's status in the Management->Fleet->Agents tab?
  2. Are you using a self-signed certificate?
  3. Have you changed the namespace for the data stream from the default value?
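One way to check the third point and the "last update in August 2020" symptom together, as an added example that is not part of the thread or of Elastic's own tooling: ask Elasticsearch for the newest `@timestamp` per endpoint data stream and namespace, then flag streams that are stale or have landed in an unexpected namespace. The sample response below is constructed; the query body uses standard Elasticsearch aggregation DSL against the `data_stream.*` fields.

```python
from datetime import datetime, timedelta, timezone

def last_seen_query() -> dict:
    """Body for `POST logs-endpoint.*/_search`: newest @timestamp per dataset and namespace."""
    return {"size": 0, "aggs": {"dataset": {
        "terms": {"field": "data_stream.dataset", "size": 50},
        "aggs": {"namespace": {
            "terms": {"field": "data_stream.namespace", "size": 10},
            "aggs": {"last_seen": {"max": {"field": "@timestamp"}}}}}}}}

def parse_ts(value: str) -> datetime:
    """Parse a UTC timestamp such as 2021-01-09T00:03:34.0428499Z (7-digit fraction tolerated)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def flatten(response: dict) -> list:
    """Turn the nested aggregation buckets into (dataset, namespace, last_seen) rows."""
    rows = []
    for d in response["aggregations"]["dataset"]["buckets"]:
        for n in d["namespace"]["buckets"]:
            rows.append((d["key"], n["key"], n["last_seen"]["value_as_string"]))
    return rows

def stream_health(rows, expected_namespace, now, max_age=timedelta(days=1)) -> dict:
    """Classify each dataset as 'ok', 'stale' or 'wrong-namespace'."""
    health = {}
    for dataset, namespace, last_seen in rows:
        if namespace != expected_namespace:
            health[dataset] = "wrong-namespace"
        elif now - parse_ts(last_seen) > max_age:
            health[dataset] = "stale"
        else:
            health[dataset] = "ok"
    return health

def bucket(dataset, namespace, last_seen):  # helper for the constructed sample only
    return {"key": dataset, "namespace": {"buckets": [
        {"key": namespace, "last_seen": {"value_as_string": last_seen}}]}}

# Constructed sample response: the metadata heartbeat is fresh, the event
# streams stopped in August 2020, and alerts landed in a non-default namespace.
SAMPLE_RESPONSE = {"aggregations": {"dataset": {"buckets": [
    bucket("endpoint.metadata", "default", "2021-01-09T00:03:34.0428499Z"),
    bucket("endpoint.events.process", "default", "2020-08-14T10:22:05.000Z"),
    bucket("endpoint.events.file", "default", "2020-08-14T10:22:05.000Z"),
    bucket("endpoint.alerts", "lab", "2021-01-08T23:59:00.000Z"),
]}}}
NOW = datetime(2021, 1, 9, 1, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for dataset, status in stream_health(flatten(SAMPLE_RESPONSE), "default", NOW).items():
        print(f"{dataset:24s} {status}")
```

A fresh `endpoint.metadata` stream next to stale `endpoint.events.*` streams matches the symptom in the question: the agent checks in, but no telemetry reaches the cluster.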