Fleet enrollment OK but doesn't appear on security administration page

Hi there,

I cannot find why some servers appear on the security admin page and others do not. Can someone point me in the right direction to sort this out?

Here is the Fleet agent screen:

Security Admin page:

Also, I'm attaching the logs from one of the servers that does not appear (C:\Program Files\Elastic\Endpoint\state\log):

{"@timestamp":"2021-07-20T14:55:13.9091759Z","agent":{"id":"f81ff186-b7ee-e1b2-e1b4-9dfa3ae8a955","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":1859,"name":"Artifacts.cpp"}}},"message":"Artifacts.cpp:1859 Backing up current artifacts to C:\\Program Files\\Elastic\\Endpoint\\cache\\artifacts\\backup-user-artifacts","process":{"pid":6344,"thread":{"id":6452}}}
{"@timestamp":"2021-07-20T14:55:13.9091759Z","agent":{"id":"f81ff186-b7ee-e1b2-e1b4-9dfa3ae8a955","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":611,"name":"File.cpp"}}},"message":"File.cpp:611 Renaming C:\\Program Files\\Elastic\\Endpoint\\cache\\artifacts\\user-artifacts => C:\\Program Files\\Elastic\\Endpoint\\cache\\artifacts\\backup-user-artifacts","process":{"pid":6344,"thread":{"id":6452}}}
{"@timestamp":"2021-07-20T14:55:13.9091759Z","agent":{"id":"f81ff186-b7ee-e1b2-e1b4-9dfa3ae8a955","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":1874,"name":"Artifacts.cpp"}}},"message":"Artifacts.cpp:1874 Installing new artifacts to C:\\Program Files\\Elastic\\Endpoint\\cache\\artifacts\\user-artifacts","process":{"pid":6344,"thread":{"id":6452}}}
{"@timestamp":"2021-07-20T14:55:13.9091759Z","agent":{"id":"f81ff186-b7ee-e1b2-e1b4-9dfa3ae8a955","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":611,"name":"File.cpp"}}},"message":"File.cpp:611 Renaming C:\\Program Files\\Elastic\\Endpoint\\cache\\artifacts\\tmp-user-artifacts => C:\\Program Files\\Elastic\\Endpoint\\cache\\artifacts\\user-artifacts","process":{"pid":6344,"thread":{"id":6452}}}
{"@timestamp":"2021-07-20T14:55:13.9099338Z","agent":{"id":"f81ff186-b7ee-e1b2-e1b4-9dfa3ae8a955","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":1877,"name":"Artifacts.cpp"}}},"message":"Artifacts.cpp:1877 New artifacts installed successfully","process":{"pid":6344,"thread":{"id":6452}}}
{"@timestamp":"2021-07-20T14:55:13.9149361Z","agent":{"id":"f81ff186-b7ee-e1b2-e1b4-9dfa3ae8a955","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":371,"name":"Response.cpp"}}},"message":"Response.cpp:371 Policy action download_user_artifacts: success - Successfully downloaded user artifacts","process":{"pid":6344,"thread":{"id":6452}}}

Thanks in advance

@francescouk

Can you verify that the servers you are not seeing in the Admin page are streaming successfully to ES?

You can do this through the UI by going to "Analytics > Discover". In the search bar, enter a query like this: host.name : "<missing-hostname>" and agent.type : "endpoint", and see if there are some recent docs for one of your missing Endpoint hostnames.

You should see something like this if you have relevant docs:

If there are docs streaming for one of the missing hostnames, you can try the following:

The Administration page requires that an ES transform runs in the background. It should have been installed for you - can you verify that you have a transform named similarly to endpoint.metadata_current-default-<version>?

You can do this in the UI by navigating to "Stack Management > Transforms"

You should see something like this:

If by chance there is a Transform and it's stopped, you can start it like this:

After the transform starts and a few minutes pass, you should see data in the Administration page.

Let me know if that helps.
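The same check done through the Elasticsearch transform APIs instead of the UI, as an added example that is not part of the original reply. It takes the JSON body returned by the transform stats API for the transform name mentioned above and lists the calls needed to get it running again; the sample response and its version suffixes are constructed for illustration.

```python
import json

# Prefix of the transform named in the reply above; the version suffix varies.
TRANSFORM_PREFIX = "endpoint.metadata_current-default-"
# Request whose JSON response plan_recovery() expects (run it in Kibana Dev Tools).
STATS_REQUEST = "GET _transform/" + TRANSFORM_PREFIX + "*/_stats"

# Constructed sample response, trimmed to the fields used here.
SAMPLE_STATS = json.loads("""
{"count": 3, "transforms": [
  {"id": "endpoint.metadata_current-default-0.0.1", "state": "stopped"},
  {"id": "endpoint.metadata_current-default-0.0.2", "state": "started"},
  {"id": "endpoint.metadata_current-default-0.0.3", "state": "failed",
   "reason": "constructed failure reason"}
]}
""")


def plan_recovery(stats):
    """Map each metadata transform id to the API calls needed to run it.

    An empty list means the transform is already running. An empty dict
    means no matching transform exists, so there is nothing to start.
    """
    plan = {}
    for transform in stats.get("transforms", []):
        tid = transform.get("id", "")
        if not tid.startswith(TRANSFORM_PREFIX):
            continue
        state = transform.get("state")
        calls = []
        if state == "failed":
            # A failed transform has to be force-stopped before a restart.
            calls.append(f"POST _transform/{tid}/_stop?force=true")
        if state in ("stopped", "failed"):
            calls.append(f"POST _transform/{tid}/_start")
        # started / indexing need nothing; stopping / aborting should be
        # left to settle and checked again.
        plan[tid] = calls
    return plan


if __name__ == "__main__":
    print(STATS_REQUEST)
    for tid, calls in plan_recovery(SAMPLE_STATS).items():
        print(tid, "->", calls or "running, nothing to do")
```

An empty result from `plan_recovery` corresponds to the case where no transform with that name shows up under "Stack Management > Transforms".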

Hello there!

I would like to thank you for the help. Indeed, the endpoint.metada was stopped. As soon as I started it, all the others showed up on the security administration page.

I really appreciate the advice.

Best regards,
