Endpoint Security Integration not working localhost

I am using elastic-agent 7.12.1 and elasticsearch/kibana docker 7.12.1. Everything is running as https://0.0.0.0

Setup is here if needed: Setting-up-Docker-Elastic-Kibana-Running-Sysmon-And-Agent/.README.md at master · cwobuzz/Setting-up-Docker-Elastic-Kibana-Running-Sysmon-And-Agent · GitHub

Windows and System integrations are working fine. But Endpoint Security is not. It was working with 7.11.X. This is my error from the endpoint log:

{"@timestamp":"2021-04-30T09:17:00.7532119Z","agent":{"id":"acdfc0ef-422f-7096-baa6-d865ba4b9c49","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"error","origin":{"file":{"line":38,"name":"Http.cpp"}}},"message":"Http.cpp:38 CURL error 7: Error [Failed to connect to 0.0.0.0 port 9200: The requested address is not valid in its context.]","process":{"pid":11804,"thread":{"id":10740}}}
{"@timestamp":"2021-04-30T09:17:00.7532119Z","agent":{"id":"acdfc0ef-422f-7096-baa6-d865ba4b9c49","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"notice","origin":{"file":{"line":88,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:88 Elasticsearch connection is down","process":{"pid":11804,"thread":{"id":10740}}}
{"@timestamp":"2021-04-30T09:17:01.0048744Z","agent":{"id":"acdfc0ef-422f-7096-baa6-d865ba4b9c49","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"warning","origin":{"file":{"line":336,"name":"ProcessCache.cpp"}}},"message":"ProcessCache.cpp:336 Missed a termination event for [10172::C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe]","process":{"pid":11804,"thread":{"id":13304}}}
{"@timestamp":"2021-04-30T09:17:03.9658814Z","agent":{"id":"acdfc0ef-422f-7096-baa6-d865ba4b9c49","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":125,"name":"AgentContext.cpp"}}},"message":"AgentContext.cpp:125 Agent check-in returned status Success","process":{"pid":11804,"thread":{"id":13400}}}
{"@timestamp":"2021-04-30T09:17:05.7601611Z","agent":{"id":"acdfc0ef-422f-7096-baa6-d865ba4b9c49","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":1520,"name":"HttpLib.cpp"}}},"message":"HttpLib.cpp:1520 Establishing GET connection to [https://0.0.0.0:9200/_cluster/health]","process":{"pid":11804,"thread":{"id":10740}}}

On the right side of Fleet in Kibana, click Settings. Change the two URLs to match your IP/Hostname of the instance.

Reregister the agent. If you don't have SSL set up or it's self-signed, use --insecure at the end of the connection string.

They are both set up in Fleet as https\0.0.0.0:XXXX 5601 or 9200. It works for System and Windows integration. So it's kind of working.

That's the default, which does not read the config from the actual setup. Update those to reflect the Kibana and Elastic instance that your agents will need to talk to.

You should be good to go afterwards. Fair warning: 7.12.1 has other issues. Try the 7.12 agent; it seems to be far more reliable.
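
A small triage helper for the situation in this thread, added here as an example and not code from any poster or from Elastic: it scans endpoint log lines in the format shown above and flags output targets that are unspecified (0.0.0.0) or loopback addresses. The sample lines are constructed by trimming the thread's log format, and es.example.internal is a placeholder hostname.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed sample: trimmed records in the endpoint log format from the thread.
SAMPLE_LOG = "\n".join([
    '{"@timestamp":"2021-04-30T09:17:00.7532119Z","log":{"level":"error"},"message":"Http.cpp:38 CURL error 7: Error [Failed to connect to 0.0.0.0 port 9200: The requested address is not valid in its context.]"}',
    '{"@timestamp":"2021-04-30T09:17:03.9658814Z","log":{"level":"info"},"message":"AgentContext.cpp:125 Agent check-in returned status Success"}',
    '{"@timestamp":"2021-04-30T09:17:05.7601611Z","log":{"level":"info"},"message":"HttpLib.cpp:1520 Establishing GET connection to [https://0.0.0.0:9200/_cluster/health]"}',
    '{"@timestamp":"2021-04-30T09:17:06.0000000Z","log":{"level":"info"},"message":"HttpLib.cpp:1520 Establishing GET connection to [https://es.example.internal:9200/_cluster/health]"}',
])

CONNECT_FAIL = re.compile(r"Failed to connect to (\S+) port (\d+)")
ESTABLISH = re.compile(r"Establishing \w+ connection to \[([^\]]+)\]")

def classify_host(host):
    """Return why a host is unusable as a remote output target, or None."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "loopback" if host.lower() == "localhost" else None
    if addr.is_unspecified:
        return "unspecified"  # 0.0.0.0 / :: is a bind address, not a destination
    if addr.is_loopback:
        return "loopback"     # only reaches the machine the endpoint runs on
    return None

def find_bad_targets(log_text):
    """Return a list of (timestamp, host, port, reason) for suspicious targets."""
    findings = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines
        msg = record.get("message", "") if isinstance(record, dict) else ""
        host = port = None
        if (m := CONNECT_FAIL.search(msg)):
            host, port = m.group(1), int(m.group(2))
        elif (m := ESTABLISH.search(msg)):
            url = urlsplit(m.group(1))
            host, port = url.hostname, url.port
        reason = classify_host(host) if host else None
        if reason:
            findings.append((record.get("@timestamp"), host, port, reason))
    return findings
```

Any finding means the URLs in Fleet's Settings still hold a bind or loopback address rather than one the endpoint can reach over the network.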
