How do I troubleshoot Elastic Agent not sending any logs to the SIEM app?

Hi Team,

I have enrolled Windows servers through Fleet and installed elastic-agent on them with malware protection enabled in detect mode. However, not a single log is being shipped, so I am wondering how to troubleshoot the issue. What logs should I refer to?

I see all of them under Fleet and they show a Healthy status, but no security logs are appearing.

Blason R

How are your agent policies set up, and what integrations have you enabled?

If you go into an agent that shows Healthy and then go to the Logs tab within the agent, do you have any logs there?

Yes, the agent shows Healthy and no logs at all. The only integration is Endpoint Security, and I believe that should collect Windows security logs, right?

Try enabling the System integration on your agents. That will get you Windows Event Logs. You should start to see events when you do that. From there, you can expand your event collection to Custom Windows Event Logs to get Defender and other events.

Just enabling Endpoint Security will pull Elastic EDR logs if there's a detection, but if Windows Defender beats Elastic to the detection, you get a race condition and you would not see any logs.

Dang!! Just a small typo I made, and I've been troubleshooting for almost 7 days :frowning:
The stupid mistake I made was that in the Fleet settings I typed the Elasticsearch port as 920 instead of 9200.
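
The two checks the thread converges on (look at the agent's own logs, and confirm the agents can actually reach the Elasticsearch output host configured in Fleet) can be run from the server itself. The script below is an added example for this thread, not code from the original posts or from Elastic. It assumes the default install path `C:\Program Files\Elastic\Agent`, a Windows service named "Elastic Agent", the default `data\elastic-agent-*\logs` layout for the agent's log files, and that `$OutputUrl` is passed in as the Elasticsearch host exactly as entered under Fleet > Settings (the example host `https://es.example.internal:9200` is a placeholder). `elastic-agent status` and `elastic-agent inspect` are real subcommands; the log-file pattern and regexes are assumptions.

```powershell
# Added troubleshooting helper for "agent Healthy in Fleet, but no data arriving".
# Assumptions (not from the thread): default install path, service name "Elastic Agent",
# ndjson log files under data\elastic-agent-*\logs, and $OutputUrl matching Fleet > Settings.
param(
    [Parameter(Mandatory = $true)]
    [string]$OutputUrl,                                   # e.g. https://es.example.internal:9200 (placeholder)
    [string]$AgentRoot = "C:\Program Files\Elastic\Agent"
)

$exe = Join-Path $AgentRoot "elastic-agent.exe"

# 1. Is the agent service present and running at all?
$svc = Get-Service -Name "Elastic Agent" -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning "Elastic Agent service not found under the assumed name"; return }
Write-Host "Service status: $($svc.Status)"

# 2. Ask the agent for its own view of its components (Fleet's Healthy badge only reflects check-ins).
& $exe status

# 3. Show the output hosts the agent actually received in its policy from Fleet.
#    'inspect' renders the full policy; we only print the lines around 'hosts:'.
& $exe inspect | Select-String -Pattern "hosts:" -Context 0, 2

# 4. Sanity-check the port and test a TCP connect to the Fleet-configured output.
#    A typo such as 920 instead of 9200 shows up here as an unusual port and a failed connect.
$uri = [System.Uri]$OutputUrl
if ($uri.Port -notin @(443, 9200)) {
    Write-Warning "Output port $($uri.Port) is not a usual Elasticsearch port; re-check Fleet > Settings for a typo"
}
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Host "TCP connect to $($uri.Host):$($uri.Port) OK"
} else {
    Write-Warning "TCP connect to $($uri.Host):$($uri.Port) FAILED - data cannot be shipped to this output"
}

# 5. Grep the newest agent log files for output/connection errors (file layout assumed).
$dataDir = Join-Path $AgentRoot "data"
Get-ChildItem -Path $dataDir -Recurse -Include "elastic-agent-*.ndjson", "*.log" -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 3 |
    ForEach-Object {
        Write-Host "--- $($_.FullName)"
        Select-String -Path $_.FullName -Pattern "error|connection refused|failed to connect|no such host|dial tcp" |
            Select-Object -Last 10 |
            ForEach-Object { $_.Line }
    }
```

Run it in an elevated PowerShell on one of the enrolled servers, e.g. `.\Check-AgentOutput.ps1 -OutputUrl "https://es.example.internal:9200"`. Step 4 is the one that would have caught the `920` typo in minutes: the agent's check-in to Fleet Server and its data output to Elasticsearch are separate connections, which is why an agent can sit at Healthy in Fleet while the output it was handed is unreachable.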

Glad you caught it!
