I am not seeing any logs from elastic-agent from windows hosts

Hi Team,

Surprisingly, on my Elastic version 7.15 with a basic license I have installed the Fleet server and then configured a windows-policy with the elastic-endpoint and windows integrations. I have enabled all the rules; however, I am not seeing any logs in the Security app.
I have added the Windows agent on my domain controller as well as the ADC, but I am still not seeing any logs.

Any clue why? Plus, I am seeing the below logs in kibana.log.

{"type":"log","@timestamp":"2021-10-07T22:43:49+05:30","tags":["info","plugins","securitySolution"],"pid":1102,"message":"[+] Finished indexing 0  signals searched between date ranges [\n  {\n    \"to\": \"2021-10-07T17:13:49.667Z\",\n    \"from\": \"2021-10-07T17:04:49.667Z\",\n    \"maxSignals\": 100\n  }\n] name: \"SystemKey Access via Command Line\" id: \"c2c1fbc1-229f-11ec-803f-17c1b2345c64\" rule id: \"d75991f2-b989-419d-b797-ac1e54ec2d61\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T22:43:49+05:30","tags":["error","plugins","securitySolution"],"pid":1102,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Clearing Windows Event Logs\" id: \"c2c1fbd5-229f-11ec-803f-17c1b2345c64\" rule id: \"d331bbe2-6db4-4941-80a5-8270db72eb61\" signals index: \".siem-signals-default\""}

Here are a couple more logs from kibana.log:

{"type":"log","@timestamp":"2021-10-07T23:03:37+05:30","tags":["error","plugins","securitySolution"],"pid":1102,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Persistence via TelemetryController Scheduled Task Hijack\" id: \"c2c27112-229f-11ec-803f-17c1b2345c64\" rule id: \"68921d85-d0dc-48b3-865f-43291ca2c4f2\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T23:03:37+05:30","tags":["error","plugins","securitySolution"],"pid":1102,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Netcat Network Activity\" id: \"c2c1fc01-229f-11ec-803f-17c1b2345c64\" rule id: \"adb961e0-cb74-42a0-af9e-29fc41f88f5f\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T23:03:37+05:30","tags":["error","plugins","securitySolution"],"pid":1102,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Enable Host Network Discovery via Netsh\" id: \"c2c46cd6-229f-11ec-803f-17c1b2345c64\" rule id: \"8b4f0816-6a65-4630-86a6-c21c179c0d09\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T23:03:37+05:30","tags":["error","plugins","securitySolution"],"pid":1102,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Installation of Custom Shim Databases\" id: \"c2c2bf10-229f-11ec-803f-17c1b2345c64\" rule id: \"c5ce48a6-7f57-4ee8-9313-3d0024caee10\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T23:03:37+05:30","tags":["error","plugins","securitySolution"],"pid":1102,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Local Scheduled Task Creation\" id: \"c2c1fc06-229f-11ec-803f-17c1b2345c64\" rule id: \"afcce5ad-65de-4ed2-8516-5e093d3ac99a\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T23:21:53+05:30","tags":["error","plugins","securitySolution"],"pid":10188,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Suspicious PrintSpooler Service Executable File Creation\" id: \"c2c2710c-229f-11ec-803f-17c1b2345c64\" rule id: \"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T23:21:53+05:30","tags":["error","plugins","securitySolution"],"pid":10188,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Unusual File Creation - Alternate Data Stream\" id: \"c2c41eb3-229f-11ec-803f-17c1b2345c64\" rule id: \"71bccb61-e19b-452f-b104-79a60e546a95\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T23:21:53+05:30","tags":["error","plugins","securitySolution"],"pid":10188,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Persistence via WMI Standard Registry Provider\" id: \"c2c445ba-229f-11ec-803f-17c1b2345c64\" rule id: \"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T23:21:53+05:30","tags":["error","plugins","securitySolution"],"pid":10188,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Microsoft Exchange Worker Spawning Suspicious Processes\" id: \"c2c445b7-229f-11ec-803f-17c1b2345c64\" rule id: \"f81ee52c-297e-46d9-9205-07e66931df26\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T23:21:53+05:30","tags":["error","plugins","securitySolution"],"pid":10188,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Persistence via Microsoft Outlook VBA\" id: \"c2c3345f-229f-11ec-803f-17c1b2345c64\" rule id: \"397945f3-d39a-4e6f-8bcb-9656c2031438\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T23:21:53+05:30","tags":["error","plugins","securitySolution"],"pid":10188,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Persistence via KDE AutoStart Script or Desktop File Modification\" id: \"c2c3f7a8-229f-11ec-803f-17c1b2345c64\" rule id: \"e3e904b3-0a8e-4e68-86a8-977a163e21d3\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T23:21:53+05:30","tags":["error","plugins","securitySolution"],"pid":10188,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Installation of Security Support Provider\" id: \"c2c3344f-229f-11ec-803f-17c1b2345c64\" rule id: \"e86da94d-e54b-4fb5-b96c-cecff87e8787\" signals index: \".siem-signals-default\""}

There are more errors.

Unfortunately, I am not finding any clue about those errors, and logs are still not appearing in Kibana. Can someone please help?
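Added example (not from the post or from Elastic): a Python triage script for kibana.log lines in the format quoted above. It pulls the rule name and rule id out of each securitySolution entry and groups executions into rules that failed with index_not_found_exception (the "Unknown index [*,-*]" message, meaning the rule's index pattern matched no existing index) versus rules that ran and indexed zero signals. The sample lines are constructed from the post's entries plus one unrelated entry to show filtering.

```python
import json
import re
from collections import defaultdict

# Constructed sample in the shape of the kibana.log lines quoted in the post.
SAMPLE_LOG = r'''
{"type":"log","@timestamp":"2021-10-07T22:43:49+05:30","tags":["info","plugins","securitySolution"],"pid":1102,"message":"[+] Finished indexing 0  signals searched between date ranges [\n  {\n    \"to\": \"2021-10-07T17:13:49.667Z\",\n    \"from\": \"2021-10-07T17:04:49.667Z\",\n    \"maxSignals\": 100\n  }\n] name: \"SystemKey Access via Command Line\" id: \"c2c1fbc1-229f-11ec-803f-17c1b2345c64\" rule id: \"d75991f2-b989-419d-b797-ac1e54ec2d61\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T22:43:49+05:30","tags":["error","plugins","securitySolution"],"pid":1102,"message":"An error occurred during rule execution: message: \"index_not_found_exception: [verification_exception] Reason: Found 1 problem\nline -1:-1: Unknown index [*,-*]\" name: \"Clearing Windows Event Logs\" id: \"c2c1fbd5-229f-11ec-803f-17c1b2345c64\" rule id: \"d331bbe2-6db4-4941-80a5-8270db72eb61\" signals index: \".siem-signals-default\""}
{"type":"log","@timestamp":"2021-10-07T22:43:50+05:30","tags":["info","plugins","taskManager"],"pid":1102,"message":"unrelated entry, must be ignored"}
'''

# Every securitySolution rule message ends with the rule's name and ids;
# error entries carry the Elasticsearch reason in message: "..." (can span lines).
RULE_RE = re.compile(r'name: "(?P<name>[^"]*)" id: "[^"]*" rule id: "(?P<rule_id>[^"]*)"')
REASON_RE = re.compile(r'message: "(?P<reason>.*?)" name: ', re.S)
SIGNALS_RE = re.compile(r"Finished indexing (?P<n>\d+)\s+signals")


def classify(entry):
    """Return (category, rule_name, rule_id, detail), or None for non-rule entries."""
    msg = entry.get("message", "")
    rule = RULE_RE.search(msg)
    if "securitySolution" not in entry.get("tags", []) or not rule:
        return None
    name, rule_id = rule.group("name"), rule.group("rule_id")
    if "error" in entry["tags"]:
        m = REASON_RE.search(msg)
        reason = m.group("reason").replace("\n", " ") if m else msg
        # "Unknown index [*,-*]": the rule's index pattern matched no existing index.
        cat = "missing_index" if "index_not_found_exception" in reason else "other_error"
        return cat, name, rule_id, reason
    m = SIGNALS_RE.search(msg)
    if m:  # rule ran; 0 signals means it searched its indices but matched nothing
        n = int(m.group("n"))
        return ("no_signals" if n == 0 else "signals"), name, rule_id, f"{n} signals"
    return None


def triage(log_text):
    """Group rule executions by outcome: {category: [(rule_name, rule_id, detail)]}."""
    groups = defaultdict(list)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # kibana.log may contain non-JSON lines; skip them
        result = classify(entry)
        if result:
            groups[result[0]].append(result[1:])
    return dict(groups)
```

Run it against a real kibana.log by reading the file into `triage()`; rules under `missing_index` are the ones whose source indices do not exist yet, which is a different problem from rules that ran and simply saw no matching events.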
