Fleet enrollment Ok but doesnt appear on security administration page

francescouk · July 20, 2021, 5:01pm

Hi there,

I cannot find why some servers appears on the security admin page and others not. Can someone point me to the right direction to sort this out?

Follow the fleet agent screen:

Security Admin page:

Also, I´m attaching the logs from one of the servers that does not appear C:\Program Files\Elastic\Endpoint\state\log:

{"@timestamp":"2021-07-20T14:55:13.9091759Z","agent":{"id":"f81ff186-b7ee-e1b2-e1b4-9dfa3ae8a955","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":1859,"name":"Artifacts.cpp"}}},"message":"Artifacts.cpp:1859 Backing up current artifacts to C:\\Program Files\\Elastic\\Endpoint\\cache\\artifacts\\backup-user-artifacts","process":{"pid":6344,"thread":{"id":6452}}}
{"@timestamp":"2021-07-20T14:55:13.9091759Z","agent":{"id":"f81ff186-b7ee-e1b2-e1b4-9dfa3ae8a955","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":611,"name":"File.cpp"}}},"message":"File.cpp:611 Renaming C:\\Program Files\\Elastic\\Endpoint\\cache\\artifacts\\user-artifacts => C:\\Program Files\\Elastic\\Endpoint\\cache\\artifacts\\backup-user-artifacts","process":{"pid":6344,"thread":{"id":6452}}}
{"@timestamp":"2021-07-20T14:55:13.9091759Z","agent":{"id":"f81ff186-b7ee-e1b2-e1b4-9dfa3ae8a955","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":1874,"name":"Artifacts.cpp"}}},"message":"Artifacts.cpp:1874 Installing new artifacts to C:\\Program Files\\Elastic\\Endpoint\\cache\\artifacts\\user-artifacts","process":{"pid":6344,"thread":{"id":6452}}}
{"@timestamp":"2021-07-20T14:55:13.9091759Z","agent":{"id":"f81ff186-b7ee-e1b2-e1b4-9dfa3ae8a955","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":611,"name":"File.cpp"}}},"message":"File.cpp:611 Renaming C:\\Program Files\\Elastic\\Endpoint\\cache\\artifacts\\tmp-user-artifacts => C:\\Program Files\\Elastic\\Endpoint\\cache\\artifacts\\user-artifacts","process":{"pid":6344,"thread":{"id":6452}}}
{"@timestamp":"2021-07-20T14:55:13.9099338Z","agent":{"id":"f81ff186-b7ee-e1b2-e1b4-9dfa3ae8a955","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":1877,"name":"Artifacts.cpp"}}},"message":"Artifacts.cpp:1877 New artifacts installed successfully","process":{"pid":6344,"thread":{"id":6452}}}
{"@timestamp":"2021-07-20T14:55:13.9149361Z","agent":{"id":"f81ff186-b7ee-e1b2-e1b4-9dfa3ae8a955","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":371,"name":"Response.cpp"}}},"message":"Response.cpp:371 Policy action download_user_artifacts: success - Successfully downloaded user artifacts","process":{"pid":6344,"thread":{"id":6452}}}

Thanks in advance

Kevin_Logan · July 21, 2021, 6:15pm

@francescouk

Can you verify that the servers you are not seeing in the Admin page are streaming successfully to ES?

You can do this through the UI by going to "Analytics > Discover". In the search bar enter query like this host.name : "<missing-hostname>" and agent.type : "endpoint" and see if there are some recent docs for one of your missing Endpoint hostnames.

You should seem something like this if you have relevant docs:

If there are docs streaming for the one of the missing hostnames, you can try the following:

The Administration page requires that an ES transform runs in the background. It should have been installed for you - can you verify that you have a transform named similarly to endpoint.metadata_current-default-<version>?

You can do this in the UI by navigating to "Stack Management > Transforms"

You should see something like this:

If by chance there is a Transform and it's stopped, you can start it like this:

After the transform starts and a few minutes pass, you should see data in the Administration page.

Let me know if that helps.

francescouk · July 22, 2021, 12:28pm

Hello there!

I would like to thank you for the help. Indeed the endpoint.metada was stopped. As soon as I started, all the others show up on the security administration page.

Really appreciate for the best advice.

Best regards,

system · August 19, 2021, 12:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Endpoint Security Not Showing Host Events Endpoint Security	4	1072	July 2, 2021
Endpoints not showing up in Security Administration Elastic Security	5	1029	July 27, 2021
Fleet enrollment is done but doesn't appear on Security > Administration > Endpoints Endpoint Security	6	864	February 4, 2021
Logs not showing in fleet Endpoint Security fleet	6	1363	March 1, 2022
Elastic-Agent installed, but not viewable in Security Hosts tab or logs in Kibana Endpoint Security docker , fleet	9	2454	April 4, 2022

Fleet enrollment Ok but doesnt appear on security administration page

Related topics