Host an air-gapped Elastic Endpoint artifact server

I have followed the official guide in the subject, but it does not update the signatures despite my creating the nginx server for the files. How can I solve this?

Hi @devilman85.

On the hosts where Endpoint is running, are you able to download the artifacts from your nginx server using a different tool such as curl?

For example, a test command would look something like this. The key things to look for are HTTP/1.1 200 OK and the ETag.

C:\>curl https://artifacts.security.elastic.co/downloads/endpoint/manifest/artifacts-8.14.2.zip --verbose
* Host artifacts.security.elastic.co:443 was resolved.
* IPv6: (none)
* IPv4: 34.120.127.130
*   Trying 34.120.127.130:443...
* Connected to artifacts.security.elastic.co (34.120.127.130) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.x
> GET /downloads/endpoint/manifest/artifacts-8.14.2.zip HTTP/1.1
> Host: artifacts.security.elastic.co
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Content-Length: 27264
< Accept-Ranges: bytes
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Via: 1.1 google
< Date: Fri, 26 Jul 2024 19:40:17 GMT
< Cache-Control: public, max-age=60
< Age: 33
< Last-Modified: Fri, 26 Jul 2024 12:02:31 GMT
< ETag: "010364f3bfdcf4c2223716808277ec78"
< Content-Type: binary/octet-stream
< Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failure writing output to destination, passed 2360 returned 4294967295
* Closing connection
* schannel: shutting down SSL/TLS connection with artifacts.security.elastic.co port 443

If you aren't able to reach it, then there's an issue with your network or nginx which you'll first need to debug.

If that's working as expected, then it would be good to check out Endpoint's logs in C:\Program Files\Elastic\Endpoint\state\log. If you're an Elastic customer, the next step would be to send those logs to your support contact at Elastic.


But my environment is fully air-gapped. I am hosting the artifacts and the binary on the nginx server. I download the artifacts with this command on an online host:

export ENDPOINT_VERSION=8.14.3 && \
  wget -P downloads/endpoint/manifest https://artifacts.security.elastic.co/downloads/endpoint/manifest/artifacts-$ENDPOINT_VERSION.zip && \
  zcat -q downloads/endpoint/manifest/artifacts-$ENDPOINT_VERSION.zip \
  | jq -r '.artifacts | to_entries[] | .value.relative_url' \
  | xargs -I@ curl "https://artifacts.security.elastic.co@" --create-dirs -o ".@"

and validate the file with this command:

curl -s https://artifacts.security.elastic.co/downloads/endpoint/manifest/artifacts-8.14.3.zip | zcat -q | jq -r .manifest_version

After updating the Elastic Endpoint configuration to read from the mirror server, I used Kibana's Discover view to search the metrics-* data view for endpoint.policy response documents, then checked the installed version (Endpoint.policy.applied.artifacts.global.version), but I don't see the updated version.
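The download-and-validate procedure above only checks the manifest version; it does not confirm that every artifact listed in the manifest actually made it onto the mirror intact after the copy across the air gap. The following is an added example, not code from the thread or from Elastic. It assumes the manifest layout the thread's jq commands rely on (.manifest_version and .artifacts.<name>.relative_url) plus per-artifact encoded_sha256 and encoded_size fields, and that the mirror's document root contains the downloads/ tree exactly as curl --create-dirs -o ".@" laid it out. The manifest and artifact bytes it builds are constructed for the example, not real Elastic artifacts.

```python
"""Verify an air-gapped Elastic Endpoint artifact mirror against its manifest."""
import gzip
import hashlib
import json
import os
import tempfile

# Manifest fields assumed for this example: the thread's jq commands use
# .manifest_version and .artifacts.<name>.relative_url; the encoded_sha256 and
# encoded_size fields per artifact are an assumption, not shown on the page.


def load_manifest(manifest_path):
    """artifacts-<version>.zip is gzip-compressed JSON, which is why the thread uses zcat."""
    with gzip.open(manifest_path, "rb") as fh:
        return json.load(fh)


def relative_urls(manifest):
    """The same list the thread's jq pipeline feeds to xargs/curl."""
    return [spec["relative_url"] for spec in manifest["artifacts"].values()]


def verify_mirror(mirror_root, manifest):
    """Map each relative_url to 'ok', 'missing', 'size' or 'sha256'.

    mirror_root is the web server's document root; relative_url is joined
    under it, matching the layout produced by curl --create-dirs -o ".@".
    """
    results = {}
    for spec in manifest["artifacts"].values():
        rel = spec["relative_url"]
        local = os.path.join(mirror_root, *rel.lstrip("/").split("/"))
        if not os.path.isfile(local):
            results[rel] = "missing"
            continue
        with open(local, "rb") as fh:
            data = fh.read()
        if len(data) != spec["encoded_size"]:
            results[rel] = "size"          # partial copy / truncated transfer
        elif hashlib.sha256(data).hexdigest() != spec["encoded_sha256"]:
            results[rel] = "sha256"        # same length, different bytes
        else:
            results[rel] = "ok"
    return results


def _entry(name, blob):
    """Build one manifest entry; the URL shape /downloads/endpoint/<name>/<sha256> is assumed."""
    digest = hashlib.sha256(blob).hexdigest()
    return name, {
        "relative_url": "/downloads/endpoint/%s/%s" % (name, digest),
        "encoded_sha256": digest,
        "encoded_size": len(blob),
    }


def build_sample_mirror():
    """Construct a mirror tree with one intact, one truncated, one tampered and one missing artifact."""
    root = tempfile.mkdtemp(prefix="endpoint-mirror-")
    blobs = {
        "global-ok": b"constructed artifact payload, intact",
        "global-truncated": b"constructed artifact payload, cut short by a failed copy",
        "global-tampered": b"constructed artifact payload, modified after download",
        "global-missing": b"constructed artifact payload, never copied to the mirror",
    }
    manifest = {"manifest_version": "1.0.0", "schema_version": "v1",
                "artifacts": dict(_entry(n, b) for n, b in blobs.items())}
    on_disk = {
        "global-ok": blobs["global-ok"],
        "global-truncated": blobs["global-truncated"][:-8],
        "global-tampered": blobs["global-tampered"][:-1] + b"X",
    }
    for name, data in on_disk.items():
        rel = manifest["artifacts"][name]["relative_url"]
        path = os.path.join(root, *rel.lstrip("/").split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    manifest_path = os.path.join(root, "downloads", "endpoint", "manifest", "artifacts-8.14.3.zip")
    os.makedirs(os.path.dirname(manifest_path), exist_ok=True)
    with gzip.open(manifest_path, "wb") as fh:
        fh.write(json.dumps(manifest).encode())
    return root, manifest_path


def check_sample():
    """Run the verification over the constructed mirror; return (manifest_version, statuses)."""
    root, manifest_path = build_sample_mirror()
    manifest = load_manifest(manifest_path)
    return manifest["manifest_version"], verify_mirror(root, manifest)


if __name__ == "__main__":
    version, statuses = check_sample()
    print("manifest_version", version)
    for rel, status in statuses.items():
        print(status.ljust(8), rel)
```

Run it against the real tree by calling load_manifest on your copied artifacts-<version>.zip and verify_mirror with the nginx document root; anything other than "ok" for an artifact means Endpoint will not be able to fetch a valid copy from that mirror regardless of how the server is configured.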

Understood. I'm asking you to test whether the host running Endpoint can reach your artifact server and download artifacts therefrom. You would run a curl command on your Endpoint host, replacing artifacts.security.elastic.co with the hostname of your nginx server.

Yes. I replaced the artifact link with my nginx server, but in Kibana the new version doesn't show up.

Thanks. I understand that you're not seeing Endpoint.policy.applied.artifacts.global.version changing in Kibana's discover view for metrics-* with filter event.dataset: "endpoint.policy".

The next step from here is to ensure that the host running Endpoint can successfully form and validate a TLS connection to your artifact server, that the artifacts are in the right location on the server, and that the server is configured correctly. Could you please run this command on the system where Endpoint is running, and paste the output here?

# Run this on the host where Endpoint is running
curl https://YOUR_NGINX_SERVER/downloads/endpoint/manifest/artifacts-8.14.3.zip --verbose

Alternatively, if you can provide Endpoint's logs from C:\Program Files\Elastic\Endpoint\state\log\*.log, we may be able to determine what's going on over here. I created this secure upload link specific to your case.

My nginx server isn't on HTTPS; is that the problem?

I solved it.

