macOS agents are unhealthy due to Defend Endpoint

Hello everyone,

I have a problem with all my macOS agents. As you can see below, the Agent itself was enrolled successfully and is sending logs; however, the Defend integration gives the error you see in the screenshot.

I have enabled all the permissions on the MacBooks: login items, full disk access, etc.
I have also tried to add the CA certificate to the MacBooks' keychain, but it didn't seem to solve anything (maybe I did it wrong?)

The agent and the whole Elastic cluster are on version 8.18.1.
The agent was installed with this command:

curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.18.1-darwin-aarch64.tar.gz
tar xzvf elastic-agent-8.18.1-darwin-aarch64.tar.gz
cd elastic-agent-8.18.1-darwin-aarch64
sudo ./elastic-agent install --url=https://fleetserver:8220 --enrollment-token=<enrollment_token> --insecure

Thanks in advance for your help!

According to the error, the problem is with output. I'd recommend using Endpoint self diagnostics test output, as described on

I ran the command sudo /Library/Elastic/Endpoint/elastic-endpoint test output and got the following output:

Elastic Endpoint 8.18.1 
www.elastic.co

Testing connections

Failed to retrieve proxy configuration from ElasticEndpoint daemon 
Help: Check if ElasticEndpoint daemon is running

I tried restarting the ElasticEndpoint daemon and running the above command again but I get the same error.

Could you try any other command, for example status or inspect?

If there's only a problem with retrieving the proxy configuration, then could you DM me or post publicly the log from

sudo /Library/Elastic/Endpoint/elastic-endpoint test output --log stdout --log-level debug
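
The debug output of this command runs to several hundred lines, most of them per-field config lookups. The following is an added example (not part of the original thread and not Elastic tooling) that reduces such output to one verdict per tested server and counts the "TLS peer and hostname verification disabled" warnings. The function names and the embedded sample lines are constructed for illustration, modelled on the `<kind> server:` / `Status:` layout the command prints.

```shell
#!/usr/bin/env bash
# Added example: triage helper for the output of
#   sudo /Library/Elastic/Endpoint/elastic-endpoint test output --log stdout --log-level debug
# Reads the log on stdin and prints, tab-separated:
#   OK|FAIL  <server kind>  <url>  <status text>
# followed by a count of TLS-verification-disabled warnings.

summarize_endpoint_test() {
  awk '
    # A line such as "Elasticsearch server: <url>" or
    # "Global artifact server: <url>" opens one connection test.
    # Timestamped log lines start with digits, so they never match here.
    /^[A-Za-z ]+ server: / {
      pos  = index($0, " server: ")
      kind = substr($0, 1, pos - 1)
      url  = substr($0, pos + 9)      # 9 = length of " server: "
      next
    }

    # The indented "Status: ..." line closes the test opened above.
    /^[ \t]*Status: / && url != "" {
      status = $0
      sub(/^[ \t]*Status: /, "", status)
      verdict = (status == "Success") ? "OK" : "FAIL"
      printf "%s\t%s\t%s\t%s\n", verdict, kind, url, status
      url = ""
      next
    }

    # Emitted when a verification_mode in the policy turns TLS checks off.
    /warning: .*TLS peer and hostname verification disabled/ { tls_off++ }

    END { printf "TLS_VERIFY_DISABLED_WARNINGS\t%d\n", tls_off }
  '
}

# Constructed sample input: a short excerpt in the same layout as the
# command output, used so the example runs offline.
sample_log() {
  printf '%s\n' \
    'Elasticsearch server: https://elasticsearch_other_address:9200' \
    'With proxy: none' \
    '2025-07-02 14:18:39: error: MessageHelpers.cpp:313 CURL error: Timeout was reached [Connection timed out after 60002 milliseconds]'
  printf '\tStatus: %s\n' 'Timeout was reached [Connection timed out after 60002 milliseconds]'
  printf '%s\n' \
    'Elasticsearch server: https://127.0.0.1:9200' \
    'With proxy: none' \
    '2025-07-02 14:18:39: error: MessageHelpers.cpp:313 CURL error: Could not connect to server [Failed to connect to 127.0.0.1 port 9200 after 0 ms: Could not connect to server]'
  printf '\tStatus: %s\n' 'Could not connect to server [Failed to connect to 127.0.0.1 port 9200 after 0 ms: Could not connect to server]'
  printf '\tHelp: %s\n' 'Make sure the server address is correct and that hosts can connect to it'
  printf '%s\n' \
    '2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.ssl.verification_mode) found in config' \
    '2025-07-02 14:18:39: warning: PolicyTlsConfig.cpp:56 TLS peer and hostname verification disabled' \
    'Global artifact server: https://artifacts.security.elastic.co' \
    'With proxy: none' \
    '2025-07-02 14:18:39: debug: MessageHelpers.cpp:320 HTTP code 200: OK'
  printf '\tStatus: %s\n' 'Success'
}

# Demonstration on the constructed sample; on a real host, pipe the
# command output into summarize_endpoint_test instead.
sample_log | summarize_endpoint_test
```

A non-zero warning count means at least one connection in the policy is configured to skip certificate and hostname checks, which is worth reviewing separately from the connectivity failures.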

I get this when I run the status command:

Failure sending Endpoint status message. Send status: I/O error. Command Status: Undefined error

Output of the last command you sent:

Elastic Endpoint 8.18.1
www.elastic.co

Testing connections

2025-07-02 14:17:39: debug: Socket.cpp:512 path.size() 65 -- sizeof(path) 1022
2025-07-02 14:17:39: debug: Socket.cpp:547 Path (not including first NULL, if present): /Library/Elastic/Endpoint/cache/ElasticEndpointServiceCommsSocket
2025-07-02 14:17:39: debug: Socket.cpp:1013 Proto is Unix
2025-07-02 14:17:39: debug: Socket.cpp:512 path.size() 65 -- sizeof(path) 1022
2025-07-02 14:17:39: debug: Socket.cpp:547 Path (not including first NULL, if present): /Library/Elastic/Endpoint/cache/ElasticEndpointServiceCommsSocket
2025-07-02 14:17:39: debug: VaultLib.cpp:207 Vault initialized with existing seed file
2025-07-02 14:17:39: debug: VaultLib.cpp:614 Successfully read vault key: config
2025-07-02 14:17:39: debug: ECSUtilities.cpp:497 Tamper protection disabled
2025-07-02 14:17:39: debug: Proxy.cpp:68 No proxy configured
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].data_stream.namespace) found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.alerts.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.alerts.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.alerts.namespace) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.action_response.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.action_response.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.action_response.namespace) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.diagnostic.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.diagnostic.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.diagnostic.namespace) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.file.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.file.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.file.namespace) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.network.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.network.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.network.namespace) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.process.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.process.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.process.namespace) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.library.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.library.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.library.namespace) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.security.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.security.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.security.namespace) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.volume_device.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.volume_device.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.volume_device.namespace) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.metadata.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.metadata.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.metadata.namespace) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.policy.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.policy.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.policy.namespace) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.metrics.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.metrics.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.metrics.namespace) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.heartbeat.type) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.heartbeat.dataset) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.data_stream.heartbeat.namespace) not found in config
2025-07-02 14:17:39: debug: TlsConfig.cpp:178 Appending system certs
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (output.elasticsearch.ssl.verification_mode) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:110 field (output.elasticsearch.ssl.ca_trusted_fingerprint) found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (output.elasticsearch.ssl.key) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (output.elasticsearch.ssl.key_passphrase) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (output.elasticsearch.ssl.certificate) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (output.elasticsearch.ssl.ca_sha256) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (output.elasticsearch.proxy_disable) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (output.elasticsearch.proxy_url) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (global.mac.limits.max_elasticsearch_response_size) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.serverless) found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (output.elasticsearch.protocol) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:110 field (output.elasticsearch.hosts[0]) found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:110 field (output.elasticsearch.hosts[1]) found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:110 field (output.elasticsearch.hosts[2]) found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (output.elasticsearch.username) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (output.elasticsearch.password) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:110 field (output.elasticsearch.api_key) found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (output.elasticsearch.bulk_max_size) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.elasticsearch.delay) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (output.elasticsearch.timeout) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.elasticsearch.tls.verify_peer) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.elasticsearch.tls.verify_hostname) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.elasticsearch.tls.ca_cert) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (queue.mem.events) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (queue.mem.flush.min_events) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (queue.mem.flush.timeout) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (diagnostic.mac.alerts.rate.max_rate) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (diagnostic.mac.alerts.rate.combined_limit) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (diagnostic.mac.alerts.rate.max_burst_per_event_code) not found in config
2025-07-02 14:17:39: debug: PolicyTlsConfig.cpp:100 field (diagnostic.mac.alerts.rate.max_burst_per_rule_id) not found in config
2025-07-02 14:17:39: info: Response.cpp:414 Policy action configure_output: success - Successfully read output configuration
2025-07-02 14:17:39: info: PolicyComms.cpp:961 Read Elasticsearch config:
2025-07-02 14:17:39: info: PolicyComms.cpp:964     Host[0] : https://[elasticsearch_ipv6]:9200
2025-07-02 14:17:39: info: PolicyComms.cpp:964     Host[1] : https://elasticsearch_other_address:9200
2025-07-02 14:17:39: info: PolicyComms.cpp:964     Host[2] : https://127.0.0.1:9200
2025-07-02 14:17:39: info: PolicyComms.cpp:966   Username                 : 
2025-07-02 14:17:39: info: PolicyComms.cpp:967   Send Delay               : 30
2025-07-02 14:17:39: info: PolicyComms.cpp:968   Bulk Max Size:           : 400
2025-07-02 14:17:39: info: PolicyComms.cpp:969   TLS:
2025-07-02 14:17:39: info: TlsConfig.cpp:210     Verify TLS Peer          : yes
2025-07-02 14:17:39: info: TlsConfig.cpp:211     Verify TLS Peer Hostname : yes
2025-07-02 14:17:39: info: TlsConfig.cpp:212     CA SHA256                : 
2025-07-02 14:17:39: info: PolicyComms.cpp:994     Queue:
2025-07-02 14:17:39: info: PolicyComms.cpp:995       size:                  : 3200
2025-07-02 14:17:39: info: PolicyComms.cpp:996       flush:
2025-07-02 14:17:39: info: PolicyComms.cpp:997         min_events:          : 1600
2025-07-02 14:17:39: info: PolicyComms.cpp:998         timeout:             : 10000 ms
2025-07-02 14:17:39: info: PolicyComms.cpp:1004     Alerts Index             : logs-endpoint.alerts-all
2025-07-02 14:17:39: info: PolicyComms.cpp:1006     Action Response Index    : .logs-endpoint.action.responses-all
2025-07-02 14:17:39: info: PolicyComms.cpp:1007     Diagnostic Index         : .logs-endpoint.diagnostic.collection-all
2025-07-02 14:17:39: info: PolicyComms.cpp:1008     File Events Index        : logs-endpoint.events.file-all
2025-07-02 14:17:39: info: PolicyComms.cpp:1014     Network Events Index     : logs-endpoint.events.network-all
2025-07-02 14:17:39: info: PolicyComms.cpp:1016     Process Events Index     : logs-endpoint.events.process-all
2025-07-02 14:17:39: info: PolicyComms.cpp:1023     Metadata Index           : metrics-endpoint.metadata-all
2025-07-02 14:17:39: info: PolicyComms.cpp:1024     Policy Index             : metrics-endpoint.policy-all
2025-07-02 14:17:39: info: PolicyComms.cpp:1025     Metrics Index            : metrics-endpoint.metrics-all
2025-07-02 14:17:39: info: PolicyComms.cpp:1026     Heartbeat Index          : .logs-endpoint.heartbeat-all
2025-07-02 14:17:39: info: PolicyComms.cpp:1031     Diagnostic Alert Rate    : [ 70 per-code, 10 per-rule, 100 total ] / 3600 seconds
Elasticsearch server: https://[elasticsearch_ipv6]:9200
With proxy: none

2025-07-02 14:17:39: debug: HttpLib.cpp:728 Making HTTP request to Elasticsearch without a proxy
2025-07-02 14:17:39: debug: HttpLib.cpp:900 Adding 160 CA certificates
2025-07-02 14:17:39: debug: HttpLib.cpp:939 Removing SNI from no connection? https://[elasticsearch_ipv6]:9200?pretty
2025-07-02 14:17:39: debug: HttpLib.cpp:1072 Establishing GET connection to [https://[elasticsearch_ipv6]:9200?pretty]
2025-07-02 14:17:39: error: MessageHelpers.cpp:313 CURL error: Could not resolve hostname [Could not resolve host: 2a0b:880:5:3801::252]
2025-07-02 14:17:39: info: Proxy.cpp:253 Proxy enumeration for test output
2025-07-02 14:17:39: info: Proxy.cpp:324 Reset proxy enumeration for test output
	Status: Could not resolve hostname [Could not resolve host: 2a0b:880:5:3801::252]

2025-07-02 14:17:39: info: Proxy.cpp:253 Proxy enumeration for test output
Elasticsearch server: https://elasticsearch_other_address:9200
With proxy: none

2025-07-02 14:17:39: debug: HttpLib.cpp:728 Making HTTP request to Elasticsearch without a proxy
2025-07-02 14:17:39: debug: HttpLib.cpp:900 Adding 160 CA certificates
2025-07-02 14:17:39: debug: HttpLib.cpp:939 Removing SNI from no connection? https://elasticsearch_other_address:9200?pretty
2025-07-02 14:17:39: debug: HttpLib.cpp:1072 Establishing GET connection to [https://elasticsearch_other_address:9200?pretty]
2025-07-02 14:18:39: error: MessageHelpers.cpp:313 CURL error: Timeout was reached [Connection timed out after 60002 milliseconds]
2025-07-02 14:18:39: info: Proxy.cpp:253 Proxy enumeration for test output
2025-07-02 14:18:39: info: Proxy.cpp:324 Reset proxy enumeration for test output
	Status: Timeout was reached [Connection timed out after 60002 milliseconds]

2025-07-02 14:18:39: info: Proxy.cpp:253 Proxy enumeration for test output
Elasticsearch server: https://127.0.0.1:9200
With proxy: none

2025-07-02 14:18:39: debug: HttpLib.cpp:728 Making HTTP request to Elasticsearch without a proxy
2025-07-02 14:18:39: debug: HttpLib.cpp:900 Adding 160 CA certificates
2025-07-02 14:18:39: debug: HttpLib.cpp:939 Removing SNI from no connection? https://127.0.0.1:9200?pretty
2025-07-02 14:18:39: debug: HttpLib.cpp:1072 Establishing GET connection to [https://127.0.0.1:9200?pretty]
2025-07-02 14:18:39: error: MessageHelpers.cpp:313 CURL error: Could not connect to server [Failed to connect to 127.0.0.1 port 9200 after 0 ms: Could not connect to server]
2025-07-02 14:18:39: info: Proxy.cpp:253 Proxy enumeration for test output
2025-07-02 14:18:39: info: Proxy.cpp:324 Reset proxy enumeration for test output
	Status: Could not connect to server [Failed to connect to 127.0.0.1 port 9200 after 0 ms: Could not connect to server]
	Help: Make sure the server address is correct and that hosts can connect to it

2025-07-02 14:18:39: info: Proxy.cpp:253 Proxy enumeration for test output
2025-07-02 14:18:39: error: PolicyConfig.cpp:1410 Global configuration artifact is not available
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].name) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].id) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (revision) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].revision) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.agent.id) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.host.id) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.allow_cloud_features) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.global_telemetry_enabled) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.set_extended_host_information) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.agent.connection_delay) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.protocol) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.path) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.hosts[0]) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.hosts[1]) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.access_api_key) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.ssl.verification_mode) found in config
2025-07-02 14:18:39: warning: PolicyTlsConfig.cpp:56 TLS peer and hostname verification disabled
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.ca_trusted_fingerprint) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.key) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.key_passphrase) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.certificate) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.ca_sha256) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.proxy_disable) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.proxy_url) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.user.ca_cert) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (global.mac.limits.max_artifact_download_size) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.base_url) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.global_manifest_version) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.manifest_relative_url) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.ca_cert) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.channel) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.proxy_disable) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.proxy_url) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.public_key) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.interval) not found in config
2025-07-02 14:18:39: info: PolicyConfig.cpp:416 Read global artifacts manifest config:
2025-07-02 14:18:39: info: PolicyConfig.cpp:419     Base URL[0]:                https://artifacts.security.elastic.co
2025-07-02 14:18:39: info: PolicyConfig.cpp:421     Manifest Relative URL:   /downloads/endpoint/manifest/artifacts-8.18.1.zip
2025-07-02 14:18:39: info: PolicyConfig.cpp:423     Manifest Public Key Set: false
2025-07-02 14:18:39: info: PolicyConfig.cpp:424     API Key Set:             false
2025-07-02 14:18:39: debug: PolicyConfig.cpp:425     Max artifact download size: 524288000
2025-07-02 14:18:39: info: PolicyConfig.cpp:428     Channel:   default
2025-07-02 14:18:39: debug: PolicyConfig.cpp:430     Default configuration: true
2025-07-02 14:18:39: info: TlsConfig.cpp:210     Verify TLS Peer          : yes
2025-07-02 14:18:39: info: TlsConfig.cpp:211     Verify TLS Peer Hostname : no
2025-07-02 14:18:39: info: TlsConfig.cpp:212     CA SHA256                : 
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.protocol) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.path) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.hosts[0]) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.hosts[1]) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.access_api_key) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.ssl.verification_mode) found in config
2025-07-02 14:18:39: warning: PolicyTlsConfig.cpp:56 TLS peer and hostname verification disabled
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.ca_trusted_fingerprint) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.key) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.key_passphrase) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.certificate) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.ca_sha256) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.proxy_disable) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.proxy_url) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.user.ca_cert) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (global.mac.limits.max_artifact_download_size) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.user.proxy_disable) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.user.proxy_url) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.user.public_key) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.user.interval) not found in config
2025-07-02 14:18:39: info: PolicyConfig.cpp:416 Read user artifacts manifest config:
2025-07-02 14:18:39: info: PolicyConfig.cpp:419     Base URL[0]:                https://elasticsearch_address:8220
2025-07-02 14:18:39: info: PolicyConfig.cpp:419     Base URL[1]:                https://elasticsearch_other_address:8220
2025-07-02 14:18:39: info: PolicyConfig.cpp:421     Manifest Relative URL:   
2025-07-02 14:18:39: info: PolicyConfig.cpp:423     Manifest Public Key Set: false
2025-07-02 14:18:39: info: PolicyConfig.cpp:424     API Key Set:             true
2025-07-02 14:18:39: debug: PolicyConfig.cpp:425     Max artifact download size: 524288000
2025-07-02 14:18:39: info: TlsConfig.cpp:210     Verify TLS Peer          : no
2025-07-02 14:18:39: info: TlsConfig.cpp:211     Verify TLS Peer Hostname : no
2025-07-02 14:18:39: info: TlsConfig.cpp:212     CA SHA256                : 
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].artifact_manifest) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.alerts.require_user_artifacts) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.event_filter.default) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.license) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.cloud) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.license_uuid) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.cluster_uuid) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.cluster_name) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.billable) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.serverless) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.document_enrichment.fields) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.diagnostic.enabled) not found in config
2025-07-02 14:18:39: info: PolicyConfig.cpp:1814 Read policy config:
2025-07-02 14:18:39: info: PolicyConfig.cpp:1815     Name:                    Mac-WS Defend
2025-07-02 14:18:39: info: PolicyConfig.cpp:1816     Policy ID:               22023c9d-9bd2-49d7-9f8d-f976844fe2a8
2025-07-02 14:18:39: info: PolicyConfig.cpp:1817     Agent ID:                df3a474e-5e7e-4981-8c45-ac162c86baab
2025-07-02 14:18:39: info: PolicyConfig.cpp:1818     Version:                 6
2025-07-02 14:18:39: info: PolicyConfig.cpp:1819     User Artifacts:          true
2025-07-02 14:18:39: info: PolicyConfig.cpp:1820     License:                 platinum
2025-07-02 14:18:39: info: PolicyConfig.cpp:1821     Cloud:                   false
2025-07-02 14:18:39: info: PolicyConfig.cpp:1822     Serverless:              false
2025-07-02 14:18:39: info: Proxy.cpp:183  Global manifest override proxy URL: not set
2025-07-02 14:18:39: info: Proxy.cpp:183  User manifest override proxy URL: not set
2025-07-02 14:18:39: info: Proxy.cpp:183  Fleet proxy URL: not set
2025-07-02 14:18:39: info: Proxy.cpp:183  Output proxy URL: not set
2025-07-02 14:18:39: info: Proxy.cpp:183  Endpoint environment proxy URL: not set
2025-07-02 14:18:39: info: Response.cpp:414 Policy action load_config: success - Successfully parsed configuration
Global artifact server: https://artifacts.security.elastic.co
With proxy: none

2025-07-02 14:18:39: debug: HttpLib.cpp:728 Making HTTP request without a proxy
2025-07-02 14:18:39: debug: HttpLib.cpp:884 Not verifying SSL hostname for [https://artifacts.security.elastic.co/downloads/endpoint/manifest/artifacts-8.18.1.zip]
2025-07-02 14:18:39: debug: HttpLib.cpp:900 Adding 160 CA certificates
2025-07-02 14:18:39: debug: HttpLib.cpp:939 Removing SNI from no connection? https://artifacts.security.elastic.co/downloads/endpoint/manifest/artifacts-8.18.1.zip
2025-07-02 14:18:39: debug: HttpLib.cpp:1072 Establishing GET connection to [https://artifacts.security.elastic.co/downloads/endpoint/manifest/artifacts-8.18.1.zip]
2025-07-02 14:18:39: debug: MessageHelpers.cpp:307 CURL error: No error 
2025-07-02 14:18:39: debug: MessageHelpers.cpp:320 HTTP code 200: OK
	Status: Success

2025-07-02 14:18:39: info: Proxy.cpp:253 Proxy enumeration for test output
2025-07-02 14:18:39: error: PolicyConfig.cpp:1410 Global configuration artifact is not available
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].name) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].id) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (revision) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].revision) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.agent.id) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.host.id) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.allow_cloud_features) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.global_telemetry_enabled) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.set_extended_host_information) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.agent.connection_delay) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.protocol) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.path) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.hosts[0]) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.hosts[1]) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.access_api_key) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.ssl.verification_mode) found in config
2025-07-02 14:18:39: warning: PolicyTlsConfig.cpp:56 TLS peer and hostname verification disabled
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.ca_trusted_fingerprint) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.key) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.key_passphrase) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.certificate) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.ca_sha256) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.proxy_disable) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.proxy_url) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.user.ca_cert) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (global.mac.limits.max_artifact_download_size) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.base_url) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.global_manifest_version) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.manifest_relative_url) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.ca_cert) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.channel) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.proxy_disable) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.proxy_url) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.public_key) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.global.interval) not found in config
2025-07-02 14:18:39: info: PolicyConfig.cpp:416 Read global artifacts manifest config:
2025-07-02 14:18:39: info: PolicyConfig.cpp:419     Base URL[0]:                https://artifacts.security.elastic.co
2025-07-02 14:18:39: info: PolicyConfig.cpp:421     Manifest Relative URL:   /downloads/endpoint/manifest/artifacts-8.18.1.zip
2025-07-02 14:18:39: info: PolicyConfig.cpp:423     Manifest Public Key Set: false
2025-07-02 14:18:39: info: PolicyConfig.cpp:424     API Key Set:             false
2025-07-02 14:18:39: debug: PolicyConfig.cpp:425     Max artifact download size: 524288000
2025-07-02 14:18:39: info: PolicyConfig.cpp:428     Channel:   default
2025-07-02 14:18:39: debug: PolicyConfig.cpp:430     Default configuration: true
2025-07-02 14:18:39: info: TlsConfig.cpp:210     Verify TLS Peer          : yes
2025-07-02 14:18:39: info: TlsConfig.cpp:211     Verify TLS Peer Hostname : no
2025-07-02 14:18:39: info: TlsConfig.cpp:212     CA SHA256                : 
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.protocol) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.path) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.hosts[0]) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.hosts[1]) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.access_api_key) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (fleet.ssl.verification_mode) found in config
2025-07-02 14:18:39: warning: PolicyTlsConfig.cpp:56 TLS peer and hostname verification disabled
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.ca_trusted_fingerprint) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.key) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.key_passphrase) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.certificate) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.ssl.ca_sha256) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.proxy_disable) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (fleet.proxy_url) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.user.ca_cert) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (global.mac.limits.max_artifact_download_size) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.user.proxy_disable) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.user.proxy_url) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.user.public_key) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.artifacts.user.interval) not found in config
2025-07-02 14:18:39: info: PolicyConfig.cpp:416 Read user artifacts manifest config:
2025-07-02 14:18:39: info: PolicyConfig.cpp:419     Base URL[0]:                https://elasticsearch_address:8220
2025-07-02 14:18:39: info: PolicyConfig.cpp:419     Base URL[1]:                https://elasticsearch_other_address:8220
2025-07-02 14:18:39: info: PolicyConfig.cpp:421     Manifest Relative URL:   
2025-07-02 14:18:39: info: PolicyConfig.cpp:423     Manifest Public Key Set: false
2025-07-02 14:18:39: info: PolicyConfig.cpp:424     API Key Set:             true
2025-07-02 14:18:39: debug: PolicyConfig.cpp:425     Max artifact download size: 524288000
2025-07-02 14:18:39: info: TlsConfig.cpp:210     Verify TLS Peer          : no
2025-07-02 14:18:39: info: TlsConfig.cpp:211     Verify TLS Peer Hostname : no
2025-07-02 14:18:39: info: TlsConfig.cpp:212     CA SHA256                : 
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].artifact_manifest) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.alerts.require_user_artifacts) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.event_filter.default) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.license) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.cloud) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.license_uuid) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.cluster_uuid) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.cluster_name) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.billable) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].policy.meta.serverless) found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.document_enrichment.fields) not found in config
2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:100 field (inputs[0].policy.mac.advanced.diagnostic.enabled) not found in config
2025-07-02 14:18:39: info: PolicyConfig.cpp:1814 Read policy config:
2025-07-02 14:18:39: info: PolicyConfig.cpp:1815     Name:                    Mac-WS Defend
2025-07-02 14:18:39: info: PolicyConfig.cpp:1816     Policy ID:               22023c9d-9bd2-49d7-9f8d-f976844fe2a8
2025-07-02 14:18:39: info: PolicyConfig.cpp:1817     Agent ID:                df3a474e-5e7e-4981-8c45-ac162c86baab
2025-07-02 14:18:39: info: PolicyConfig.cpp:1818     Version:                 6
2025-07-02 14:18:39: info: PolicyConfig.cpp:1819     User Artifacts:          true
2025-07-02 14:18:39: info: PolicyConfig.cpp:1820     License:                 platinum
2025-07-02 14:18:39: info: PolicyConfig.cpp:1821     Cloud:                   false
2025-07-02 14:18:39: info: PolicyConfig.cpp:1822     Serverless:              false
2025-07-02 14:18:39: info: Proxy.cpp:183  Global manifest override proxy URL: not set
2025-07-02 14:18:39: info: Proxy.cpp:183  User manifest override proxy URL: not set
2025-07-02 14:18:39: info: Proxy.cpp:183  Fleet proxy URL: not set
2025-07-02 14:18:39: info: Proxy.cpp:183  Output proxy URL: not set
2025-07-02 14:18:39: info: Proxy.cpp:183  Endpoint environment proxy URL: not set
2025-07-02 14:18:39: info: Response.cpp:414 Policy action load_config: success - Successfully parsed configuration
Fleet server: https://elasticsearch_address:8220
With proxy: none

2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].artifact_manifest.artifacts) found in config
2025-07-02 14:18:39: debug: HttpLib.cpp:728 Making HTTP request without a proxy
2025-07-02 14:18:39: debug: HttpLib.cpp:873 Not verifying SSL CA for [https://elasticsearch_address:8220/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658]
2025-07-02 14:18:39: debug: HttpLib.cpp:884 Not verifying SSL hostname for [https://elasticsearch_address:8220/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658]
2025-07-02 14:18:39: debug: HttpLib.cpp:1072 Establishing GET connection to [https://elasticsearch_address:8220/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658]
2025-07-02 14:18:39: error: MessageHelpers.cpp:313 CURL error: Could not resolve hostname [Could not resolve host: elasticsearch_address]
2025-07-02 14:18:39: info: Proxy.cpp:253 Proxy enumeration for test output
2025-07-02 14:18:39: info: Proxy.cpp:324 Reset proxy enumeration for test output
	Status: Could not resolve hostname [Could not resolve host: elasticsearch_address]

2025-07-02 14:18:39: info: Proxy.cpp:253 Proxy enumeration for test output
Fleet server: https://elasticsearch_other_address:8220
With proxy: none

2025-07-02 14:18:39: debug: PolicyTlsConfig.cpp:110 field (inputs[0].artifact_manifest.artifacts) found in config
2025-07-02 14:18:39: debug: HttpLib.cpp:728 Making HTTP request without a proxy
2025-07-02 14:18:39: debug: HttpLib.cpp:873 Not verifying SSL CA for [https://elasticsearch_other_address:8220/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658]
2025-07-02 14:18:39: debug: HttpLib.cpp:884 Not verifying SSL hostname for [https://elasticsearch_other_address:8220/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658]
2025-07-02 14:18:39: debug: HttpLib.cpp:1072 Establishing GET connection to [https://elasticsearch_other_address:8220/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658]
2025-07-02 14:19:54: error: MessageHelpers.cpp:313 CURL error: Timeout was reached [Failed to connect to elasticsearch_other_address port 8220 after 75002 ms: Could not connect to server]
2025-07-02 14:19:54: info: Proxy.cpp:253 Proxy enumeration for test output
2025-07-02 14:19:54: info: Proxy.cpp:324 Reset proxy enumeration for test output
	Status: Timeout was reached [Failed to connect to elasticsearch_other_address port 8220 after 75002 ms: Could not connect to server]

2025-07-02 14:19:54: info: Proxy.cpp:253 Proxy enumeration for test output

Also, I have a Linux laptop on the same network as these MacBooks and everything works fine, so probably not a network/firewall problem.

The log from test output actually doesn't exhibit the problem with obtaining proxy information for the daemon.

With debug logs filtered out:

Elastic Endpoint 8.18.1
www.elastic.co

Testing connections

Elasticsearch server: https://[elasticsearch_ipv6]:9200
With proxy: none

	Status: Could not resolve hostname [Could not resolve host: 2a0b:880:5:3801::252]

Elasticsearch server: https://elasticsearch_other_address:9200
With proxy: none

	Status: Timeout was reached [Connection timed out after 60002 milliseconds]

Elasticsearch server: https://127.0.0.1:9200
With proxy: none

	Status: Could not connect to server [Failed to connect to 127.0.0.1 port 9200 after 0 ms: Could not connect to server]
	Help: Make sure the server address is correct and that hosts can connect to it

Global artifact server: https://artifacts.security.elastic.co
With proxy: none

	Status: Success

Fleet server: https://elasticsearch_address:8220
With proxy: none

	Status: Could not resolve hostname [Could not resolve host: elasticsearch_address]

Fleet server: https://elasticsearch_other_address:8220
With proxy: none

	Status: Timeout was reached [Failed to connect to elasticsearch_other_address port 8220 after 75002 ms: Could not connect to server]

The output and fleet URLs look bad, and the output provides a meaningful hint. If you believe these URLs should be valid (perhaps an overridden host file?), check whether they resolve with other tools like nslookup https://elasticsearch_other_address:8220

You can verify the Endpoint config with the inspect command. Further, you can verify the aggregated config on the Agent side: Elastic Agent command reference | Fleet and Elastic Agent Guide [8.18] | Elastic

In a good working situation both configs should be in sync, as the role of Elastic Agent is to forward the Elastic Endpoint specific portion to the Endpoint service. However, it's possible to see them out of sync when the communication between Agent and Endpoint is broken, or when the Agent config file is broken, etc. In such a situation we need to look at the logs from both services in the diagnostic package gathered by the diagnostics Agent command.

Regarding the IO error: if you run the elastic-endpoint help command, or check the web reference, you'll see that the additional logging options can be applied to any command. If you experience the IO error very often, then it should be possible to capture the logs from an IO error case, whether it's the test output or the status command.

I don't see what that has to do with it since, like I said, my other machines in the same network that have the same config have no problem. It's only the macOS machines that have this problem. I have this problem on all macOS machines; all the Linux servers and laptops don't have the issue.

Can you then paste the console output from elastic-endpoint test output from some Linux and Windows machine?

Are you sure you've got the same policy?

Was the log you posted above redacted, and did the real one have all URLs valid? Do they resolve to IPv4 or IPv6?

Here is the output from a Linux laptop with the same Policy:

Elastic Endpoint 8.18.1
www.elastic.co

Testing connections

Elasticsearch server: https://[elasticsearch_ipv6]:9200
With proxy: none

	Status: Success

Elasticsearch server: https://elasticsearch_other_address:9200
With proxy: none

	Status: Success

Elasticsearch server: https://127.0.0.1:9200
With proxy: none

	Status: Could not connect to server [Failed to connect to 127.0.0.1 port 9200 after 0 ms: Could not connect to server]
	Help: Make sure the server address is correct and that hosts can connect to it

Global artifact server: https://artifacts.security.elastic.co
With proxy: none

	Status: Success

Fleet server: https://elasticsearch_address:8220
With proxy: none

	Status: Success

Fleet server: https://elasticsearch_other_address:8220
With proxy: none

	Status: Success


These:
elasticsearch_address
elasticsearch_other_address
elasticsearch_ipv6
Are placeholders for the real server addresses, I didn't want to post the real ones.
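As an added example (not part of the original thread and not Elastic's code): a small shell helper that reduces `elastic-endpoint test output` console text to one line per target and lists the targets that fail on one host while a reference host with the same policy reports Success. The function names and the sample text are constructed here, shortened from the two outputs quoted above.

```shell
#!/bin/sh
# Added example (not Elastic's code): summarise `elastic-endpoint test output`.

# parse_test_output: stdin -> one "<kind>|<url>|<proxy>|<status>" line per target.
# Timestamped debug/info lines never match, so --log stdout output works too.
parse_test_output() {
    awk '
        /^[A-Za-z ]+ server: / {    # e.g. "Fleet server: https://host:8220"
            kind = $0; sub(/ server: .*/, "", kind)
            url = $0; sub(/^[A-Za-z ]+ server: /, "", url)
            proxy = "?"; next
        }
        /^With proxy: / { proxy = $0; sub(/^With proxy: /, "", proxy); next }
        /^[ \t]*Status: / && url != "" {
            status = $0; sub(/^[ \t]*Status: /, "", status)
            sub(/ \[.*/, "", status)    # drop the bracketed curl detail
            print kind "|" url "|" proxy "|" status
            url = ""
        }'
}

# only_failing_here <output_under_test> <reference_output>: targets that fail
# in the first file although the reference host reports Success for them.
only_failing_here() {
    ref_ok=$(parse_test_output < "$2" | awk -F'|' '$4 == "Success" { print $1 "|" $2 }')
    parse_test_output < "$1" | REF_OK="$ref_ok" awk -F'|' '
        BEGIN { n = split(ENVIRON["REF_OK"], a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { key = $1 "|" $2 }
        $4 != "Success" && (key in ok) { print $1 ": " $2 " -> " $4 }'
}

# Constructed samples, shortened from the macOS and Linux outputs in the thread.
sample_macos() { cat <<'EOF'
2025-07-02 14:18:39: info: Proxy.cpp:253 Proxy enumeration for test output
Elasticsearch server: https://127.0.0.1:9200
With proxy: none
    Status: Could not connect to server [Failed to connect to 127.0.0.1 port 9200]
Fleet server: https://elasticsearch_address:8220
With proxy: none
    Status: Could not resolve hostname [Could not resolve host: elasticsearch_address]
EOF
}
sample_linux() { cat <<'EOF'
Elasticsearch server: https://127.0.0.1:9200
With proxy: none
    Status: Could not connect to server [Failed to connect to 127.0.0.1 port 9200]
Fleet server: https://elasticsearch_address:8220
With proxy: none
    Status: Success
EOF
}

# Demo: prints the one target that fails only on the macOS sample.
t=$(mktemp -d); sample_macos > "$t/mac"; sample_linux > "$t/linux"
only_failing_here "$t/mac" "$t/linux"; rm -rf "$t"
```

Targets that fail on both hosts (here the `127.0.0.1:9200` output) are left out, so what remains is the set of failures specific to the host under test.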

Gotcha, so I jumped to the wrong conclusion in my first response.

However, my recommendation stays the same: please use other tools to learn more about why the URLs are not accessible on macOS.

For example, Elasticsearch replies with a status message when hit by an HTTP GET request:

curl https://[elasticsearch_ipv6]:9200

append -v to learn more in case of a failure

curl -v https://[elasticsearch_ipv6]:9200

If you get the Elasticsearch response, but elastic-endpoint test output keeps saying "Could not resolve host" let me know, I'll send you a DM with a link to upload more diagnostics.

No worries :slight_smile:

I tested the curl commands on both the Linux laptop and the MacBook and got two different results.

On the Linux laptop it was able to make the connection but says "missing authentication for REST request ..." which seems normal to me.

On the MacBook, however, it wasn't able to make the connection at all and gave me the following error:

curl: (56) CONNECT tunnel failed, response 403

It looks like you've got issues with your macOS configuration (or maybe even your network infrastructure). Since you confirmed that the address is not reachable by using other tools, Endpoint diagnostics won't bring anything new here.

As I suggested in the beginning, I'd start with checking if the URLs resolve to correct IPs. Next I'd look at verbose output from curl -v https://[elasticsearch_ipv6]:9200, or openssl tools openssl s_client -connect https://[elasticsearch_ipv6]:9200

I will look into it. Thanks for the help so far!