Log Rotate Elastic Endpoint Windows

Hello there,

I would like to know if there's any way to control the log rotation using the Fleet admin page? Or even through the Fleet policies? I'm getting too many unexpected logs in C:\Program Files\Elastic\Endpoint\state\log

The log follows:

{"@timestamp":"2021-07-26T14:14:28.8449374Z","agent":{"id":"0cca963d-e86a-6c86-df91-fad4df8771ec","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"notice","origin":{"file":{"line":508,"name":"Client.cpp"}}},"message":"Client.cpp:508 Failed to create in index (logs-endpoint.events.security-default) json ({\"@timestamp\":\"2021-07-26T14:04:53.2627628Z\",\"agent\":{\"id\":\"0cca963d-e86a-6c86-df91-fad4df8771ec\",\"type\":\"endpoint\",\"version\":\"7.13.2\"},\"data_stream\":{\"dataset\":\"endpoint.events.security\",\"namespace\":\"default\",\"type\":\"logs\"},\"ecs\":{\"version\":\"1.6.0\"},\"elastic\":{\"agent\":{\"id\":\"d06d3c14-773a-4d0c-be12-769e02f5eb0b\"}},\"event\":{\"action\":\"log_off\",\"category\":[\"authentication\",\"session\"],\"created\":\"2021-07-26T14:04:53.2627628Z\",\"dataset\":\"endpoint.events.security\",\"id\":\"MDujwXUhbvCgbB4r+++++i8S\",\"kind\":\"event\",\"module\":\"endpoint\",\"outcome\":\"success\",\"sequence\":185611,\"type\":[\"end\"]},\"host\":{\"architecture\":\"x86_64\",\"hostname\":\"winserver\",\"id\":\"ce1cb622-7a50-4083-8e0c-a92fb203481b\",\"ip\":[\"xx.xx.xx.xx\",\"xx.xx.xx.xx\",\"127.0.0.1\",\"::1\"],":\"winserver\",\"os\":{\"Ext\":{\"variant\":\"Windows Server 2016 Standard\"},\"family\":\"windows\",\"full\":\"Windows Server 2016 Standard 1607 (10.0.14393.3300)\",\"kernel\":\"1607 (10.0.14393.3300)\",\"name\":\"Windows\",\"platform\":\"windows\",\"version\":\"1607 (10.0.14393.3300)\"}},\"message\":\"Endpoint security event\",\"process\":{\"Ext\":{\"ancestry\":[\"MGNjYTk2M2QtZTg2YS02Yzg2LWRmOTEtZmFkNGRmODc3MWVjLTY5Ni0xMzI3MDExNDAxNC45NzYwNDExMDA=\"]},\"entity_id\":\"MGNjYTk2M2QtZTg2YS02Yzg2LWRmOTEtZmFkNGRmODc3MWVjLTgyNC0xMzI3MDExNDAxNi40MzQ3NDc3MDA=\",\"executable\":\"C:\\\\Windows\\\\System32\\\\lsass.exe\"},\"user\":{\"domain\":\"NT AUTHORITY\",\"id\":\"S-1-5-18\",\"name\":\"SYSTEM\"}}) reason (index [.ds-logs-endpoint.events.security-default-2021.07.05-000001] blocked by: [TOO_MANY_REQUESTS/12/disk usage exceeded flood-stage watermark, index has read-only-allow-delete block];) status (429)","process":{"pid":7688,"thread":{"id":13108}}}

It looks like every time the agent cannot connect to the Elastic server, it creates a 25MB log file and keeps creating them until the connection is restored. I don't know if this is a method to keep all the info while the connection is down... but anyway, for servers that are running low on space, it would crash easily.

Any help would be much appreciated.

Thanks
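As an added example (not code from the original post or from Elastic), here is a small Python parser for the Endpoint log line format quoted above. It pulls out, for each failed indexing attempt, the target index, the HTTP status and the cluster block that caused it, plus the action of the event that could not be shipped, so an operator can tell a disk-watermark block (429) apart from a plain network outage. The sample lines are constructed placeholders, not real host data.

```python
import json
import re
from collections import Counter

# Constructed sample lines in the shape of the Elastic Endpoint log quoted above
# (agent id, embedded document and the second, non-failure line are placeholders).
SAMPLE_LINES = [
    r'{"@timestamp":"2021-07-26T14:14:28.8449374Z","agent":{"id":"AGENT-ID-PLACEHOLDER","type":"endpoint"},'
    r'"log":{"level":"notice","origin":{"file":{"line":508,"name":"Client.cpp"}}},'
    r'"message":"Client.cpp:508 Failed to create in index (logs-endpoint.events.security-default) '
    r'json ({\"event\":{\"action\":\"log_off\",\"dataset\":\"endpoint.events.security\"}}) '
    r'reason (index [.ds-logs-endpoint.events.security-default-2021.07.05-000001] blocked by: '
    r'[TOO_MANY_REQUESTS/12/disk usage exceeded flood-stage watermark, index has read-only-allow-delete block];) '
    r'status (429)","process":{"pid":7688,"thread":{"id":13108}}}',
    r'{"@timestamp":"2021-07-26T14:14:29.0000000Z","agent":{"id":"AGENT-ID-PLACEHOLDER","type":"endpoint"},'
    r'"log":{"level":"info","origin":{"file":{"line":120,"name":"Client.cpp"}}},'
    r'"message":"Client.cpp:120 constructed non-failure line","process":{"pid":7688,"thread":{"id":13108}}}',
]

# Shape of the "Failed to create in index" message: index, embedded document, reason, HTTP status.
FAILURE_RE = re.compile(
    r"Failed to create in index \((?P<index>[^)]*)\) json \((?P<doc>.*)\) "
    r"reason \((?P<reason>.*)\) status \((?P<status>\d+)\)$"
)
BLOCK_RE = re.compile(r"blocked by: \[([^\]]+)\]")


def parse_index_failure(line):
    """Return details of a failed index attempt logged by Endpoint, or None for any other line."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    m = FAILURE_RE.search(rec.get("message", ""))
    if not m:
        return None
    block = BLOCK_RE.search(m.group("reason"))
    try:
        dropped = json.loads(m.group("doc"))  # the event Endpoint could not ship
    except json.JSONDecodeError:
        dropped = {}
    return {
        "timestamp": rec.get("@timestamp"),
        "index": m.group("index"),
        "status": int(m.group("status")),
        "block": block.group(1) if block else m.group("reason"),
        "dropped_action": dropped.get("event", {}).get("action"),
    }


def summarize_failures(lines):
    """Count failures per (HTTP status, block reason); a 429 flood-stage block means disk, not network."""
    counts = Counter()
    for line in lines:
        info = parse_index_failure(line)
        if info:
            counts[(info["status"], info["block"])] += 1
    return counts
```

Point it at the files under C:\Program Files\Elastic\Endpoint\state\log to see which indices and block reasons dominate before deciding whether the fix is disk space on the cluster or the agent version.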

Hi @francescouk

What version of Agent are you using? Prior to 7.13 Elastic Endpoint did in fact produce a lot of logs. After that version logging should be a lot lower.

It seems like this thread outlines the same problem you're seeing. A workaround for the issue is at the end.
