Issue with Endpoint agent

I finally got everything setup for my stack but the endpoints are generating a

"Failed to download or validate user artifacts error. "

I cant seem to find anything on this. Could anyone point me in the right direction?

Known issue. Do you have some successful and some failed events on the same machine?

Nope every machine it fails on.

Can you look back for the past 24 hours. I get the same thing but it will work every 8 to 12 hours or so.

Its been like it for three days. Doesnt download user artifacts and says the policy failed.

Do you see the Endpoint in the Security App -> Administration tab? My understanding from your comment is that you do.

Can you look in Endpoint's logs? They are located in c:\Program Files\Elastic\Endpoint\state\log\endpoint-*.log (Windows) /Library/Elastic/Endpoint/state/log/endpoint-*.log (macOS) /opt/Elastic/Endpoint/state/log/endpoint-*.log (Linux)

When Endpoint applies its configuration (for instance on start up) it will attempt to download, if needed, the user artifacts (for example alert exceptions) then load them into memory. If it fails to download the artifacts or it fails to extract and use them that message will appear in Kibana. My hunch is there is a network issue preventing Endpoint from downloading the user artifacts.

You should see Failed to download or validate user artifacts in the Endpoint logs, looking above that in the logs should help shed light on what failed. If you're overwhelmed by the logs feel free to share them (be careful to review them to make sure there is no sensitive data in them).


This is likely what he see:

{"@timestamp":"2021-02-07T05:31:52.6586202Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1446,"name":"HttpLib.cpp"}}},"message":"HttpLib.cpp:1446 Establishing HEAD connection to []","process":{"pid":2800,"thread":{"id":5668}}}
{"@timestamp":"2021-02-07T05:31:52.6898733Z","agent":{"id":","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"error","origin":{"file":{"line":38,"name":"Http.cpp"}}},"message":"Http.cpp:38 CURL error 60: Error [SSL certificate problem: unable to get local issuer certificate]","process":{"pid":2800,"thread":{"id":5668}}}
{"@timestamp":"2021-02-07T05:31:52.6898733Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1637,"name":"Artifacts.cpp"}}},"message":"Artifacts.cpp:1637 Checking if installed global artifacts are valid","process":{"pid":2800,"thread":{"id":5668}}}
{"@timestamp":"2021-02-07T05:31:52.6898733Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":1001,"name":"Crypto.cpp"}}},"message":"Crypto.cpp:1001 RSA signature verified","process":{"pid":2800,"thread":{"id":5668}}}
{"@timestamp":"2021-02-07T05:31:54.4793928Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":125,"name":"AgentContext.cpp"}}},"message":"AgentContext.cpp:125 Agent check-in returned status Success","process":{"pid":2800,"thread":{"id":12848}}}

This wonderful little error lines up with the failed messages on all attempts to get the artifacts from"insert version here". Yet on the machine you test you can get to the site just fine.

If a site has user/machine based web filtering turned on and didn't add the exemption directly for download's I would fully expect this to fail.