Issues with Elastic Agent

What do you think about this: Elastic Agent shows up in SIEM under Administration for some servers but not all, even if they are using the same config and managed from Fleet. The agent piece is working but the endpoint security is not.


I see this error in the ones that are not working: {"@timestamp":"2020-11-24T21:32:22.5816300Z","agent":{"id":"71ed4dc2-1882-4b99-b91c-02a7788f86e4","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"notice","origin":{"file":{"line":65,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:65 Elasticsearch connection is down","process":{"pid":19524,"thread":{"id":21260}}}
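One way to triage this across a fleet from the endpoint logs, as an added example that is not from the original post or from Elastic's own tooling: a small Python script that parses ECS-formatted endpoint log lines like the one above and reports which agent IDs are logging the "Elasticsearch connection is down" message. The first sample line is the one from the post; the other lines (the second agent ID, the "healthy" message text and the malformed line) are constructed for illustration.

```python
import json
from collections import defaultdict
from typing import Optional

# Constructed sample input: line 1 is the log line from the post, the rest are made up
# (a second event from the same agent, an event from a hypothetical healthy agent whose
# message text is invented, and a malformed line as logs often contain).
SAMPLE_LOG_LINES = [
    '{"@timestamp":"2020-11-24T21:32:22.5816300Z","agent":{"id":"71ed4dc2-1882-4b99-b91c-02a7788f86e4","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"notice","origin":{"file":{"line":65,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:65 Elasticsearch connection is down","process":{"pid":19524,"thread":{"id":21260}}}',
    '{"@timestamp":"2020-11-24T21:33:22.0000000Z","agent":{"id":"71ed4dc2-1882-4b99-b91c-02a7788f86e4","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"notice"},"message":"BulkQueueConsumer.cpp:65 Elasticsearch connection is down","process":{"pid":19524}}',
    '{"@timestamp":"2020-11-24T21:33:30.0000000Z","agent":{"id":"00000000-0000-0000-0000-000000000001","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info"},"message":"constructed healthy message: documents sent","process":{"pid":100}}',
    'this line is not JSON at all',
]

ES_DOWN_MARKER = "Elasticsearch connection is down"


def parse_endpoint_log_line(line: str) -> Optional[dict]:
    """Parse one ECS JSON log line into a flat record, or return None if it is not valid JSON."""
    try:
        doc = json.loads(line)
    except json.JSONDecodeError:
        return None
    agent = doc.get("agent", {})
    return {
        "timestamp": doc.get("@timestamp"),
        "agent_id": agent.get("id"),
        "agent_type": agent.get("type"),
        "level": doc.get("log", {}).get("level"),
        "message": doc.get("message", ""),
    }


def agents_with_es_down(lines) -> dict:
    """Return {agent_id: count} for endpoint agents that logged the connection-down message."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_endpoint_log_line(line)
        if rec is None or rec["agent_type"] != "endpoint":
            continue  # skip malformed lines and non-endpoint agents
        if ES_DOWN_MARKER in rec["message"]:
            counts[rec["agent_id"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for agent_id, n in agents_with_es_down(SAMPLE_LOG_LINES).items():
        print(f"{agent_id}: {n} connection-down event(s); check that host's output config")
```

Run it over a host's endpoint log file (one JSON object per line) instead of SAMPLE_LOG_LINES to see which agents cannot reach Elasticsearch, which is what distinguishes the hosts missing from the SIEM Administration view.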

From the messages it seems it cannot connect to ES. Let me ask a few questions to narrow down the environment.

What version of the Elastic Agent are you running? And on the problematic host, do you see endpoint running?

Yes. It is strange because I have servers on the same network and they are working just fine. The only difference I see is the OS. I am running version 7.9.3 for the agent, Elasticsearch and Kibana.

The Endpoint service is running properly and shows up in Fleet. The only place it does not show up is under Administration in SIEM.
