Endpoints not showing up in Security Administration

Elastic Security
1

image
image1900×789 53.7 KB

Security administration unable to detect any host despite able to enroll the host with elastic agent (Status: Healthy).

Installed version 7.13.2 ELK stack with self signed certificates. Setup fleet server and able to enroll agent with security endpoint integration. Able to receive endpoint security logs. Enrolled multiple instances produce the same result.
Following are logs from the hosts security endpoints

{"@timestamp":"2021-06-24T06:16:16.6015902Z","agent":{"id":"360f4a95-776e-12fa-7d00-a4382423d8c9","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":112,"name":"MetadataThread.cpp"}}},"message":"MetadataThread.cpp:112 Operating System is: Windows 10 Enterprise Evaluation 2009 (10.0.19042.1052)","process":{"pid":3456,"thread":{"id":4060}}}
{"@timestamp":"2021-06-24T06:16:16.6015902Z","agent":{"id":"360f4a95-776e-12fa-7d00-a4382423d8c9","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":519,"name":"MetadataThread.cpp"}}},"message":"MetadataThread.cpp:519 Sending endpoint metadata","process":{"pid":3456,"thread":{"id":4060}}}
{"@timestamp":"2021-06-24T06:16:16.6024135Z","agent":{"id":"360f4a95-776e-12fa-7d00-a4382423d8c9","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":523,"name":"MetadataThread.cpp"}}},"message":"MetadataThread.cpp:523 Sending endpoint metric","process":{"pid":3456,"thread":{"id":4060}}}
{"@timestamp":"2021-06-24T06:16:16.6385318Z","agent":{"id":"360f4a95-776e-12fa-7d00-a4382423d8c9","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 1 documents to Elasticsearch","process":{"pid":3456,"thread":{"id":4564}}}
{"@timestamp":"2021-06-24T06:16:16.6994065Z","agent":{"id":"360f4a95-776e-12fa-7d00-a4382423d8c9","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 1 documents to Elasticsearch","process":{"pid":3456,"thread":{"id":4564}}}
{"@timestamp":"2021-06-24T06:16:16.9289913Z","agent":{"id":"360f4a95-776e-12fa-7d00-a4382423d8c9","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 74 documents to Elasticsearch","process":{"pid":3456,"thread":{"id":4564}}}
{"@timestamp":"2021-06-24T06:16:46.8817119Z","agent":{"id":"360f4a95-776e-12fa-7d00-a4382423d8c9","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 5 documents to Elasticsearch","process":{"pid":3456,"thread":{"id":4564}}}
{"@timestamp":"2021-06-24T06:16:47.1436673Z","agent":{"id":"360f4a95-776e-12fa-7d00-a4382423d8c9","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 63 documents to Elasticsearch","process":{"pid":3456,"thread":{"id":4564}}}
{"@timestamp":"2021-06-24T06:17:16.9967916Z","agent":{"id":"360f4a95-776e-12fa-7d00-a4382423d8c9","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 1 documents to Elasticsearch","process":{"pid":3456,"thread":{"id":4564}}}
{"@timestamp":"2021-06-24T06:17:17.297292Z","agent":{"id":"360f4a95-776e-12fa-7d00-a4382423d8c9","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 147 documents to Elasticsearch","process":{"pid":3456,"thread":{"id":4564}}}
{"@timestamp":"2021-06-24T06:17:46.9998973Z","agent":{"id":"360f4a95-776e-12fa-7d00-a4382423d8c9","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 1 documents to Elasticsearch","process":{"pid":3456,"thread":{"id":4564}}}
2

@Jukocross
Thanks for using Elastic Security.

The Administration page requires that an ES transform runs in the background. It should have been installed for you - can you verify that you have a transform named similarly to endpoint.metadata_current-default-<version>?

You can do this in the UI by navigating to Stack Management > Transforms

You should see something like this:

image
image2880×1574 307 KB

If by chance there is a Transform and it's stopped, you can start it like this:

image
image2880×1582 342 KB

After the transform starts and a few minutes pass, you should see data in the Administration page.

Let me know if that helps.

3

@Kevin_Logan
Thank for helping out!

The transform endpoint.metadata_current-default-<version> came back up after a restart as it status was failed.

4

@Jukocross

I'm glad that helped! And thank you for writing back and verifying.

It would be good on our side to understand why the transform failed so that we can fix potential bugs and prevent this from happening in the future.

If you are able, do you mind looking at the messages for the transform on the same Transforms page?

image
image2880×1564 406 KB

You may see something here that indicates the failure that you saw. Any failure messages here may help us understand why it failed on your end.

5

@Kevin_Logan

Apologies for the late reply.

After checking the messages, I identified one red alert with the following message.

Failed to gather field mappings for index [metrics-endpoint.metadata_current_default]

image
image1912×728 121 KB

Thanks for the follow up and will like to understand the reason it fails too!

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.