No Elastic Security Events but Agents status is "green"

Hello,

after updating from 7.13 to 7.14, the logging of the Elastic Security events is no longer working. The status of the agent is still "green".

If I query the logs I get the following error:

GET .ds-logs-elastic_agent.endpoint*/_search
{
  "size": 2,
  "sort": [
    { "@timestamp": "desc" }
  ]
}

I removed some data from the response.

...
          },
          "message" : """Client.cpp:568 Failed to create in index (logs-endpoint.events.security-default) json ({"@timestamp":"2021-09-21T13:24:06.400502Z","agent":{"id":"ea171059-203b-4fee-a76b-12b1dfea4da7","type":"endpoint","version":"7.14.1"},"data_stream":{"dataset":"endpoint.events.security","namespace":"default","type":"logs"},"ecs":{"version":"1.6.0"},"elastic":{"agent":{"id":"ea171059-203b-4fee-a76b-12b1dfea4da7"}},"event":{"category":[],"created":"2021-09-21T13:24:06.400502Z","dataset":"endpoint.events.security","id":"MIDfj82KQs+oDghK++++B5fl","kind":"event","module":"endpoint","sequence":2268175,"type":[]},"host":{"architecture":"x86_64","hostname":"REMOVED","id":"9c33c8b0-2f8a-4e20-a823-3fa73429a1b5","ip":["192.168.4.17","127.0.0.1","::1"],"mac":["00:50:56:bf:1a:17"],"name":"AdminCon1-G1","os":{"Ext":{"variant":"Windows 10 Pro"},"family":"windows","full":"Windows 10 Pro 2009 (10.0.19042.1237)","kernel":"2009 (10.0.19042.1237)","name":"Windows","platform":"windows","version":"2009 (10.0.19042.1237)"}},"message":"Endpoint security event","process":{"Ext":{"ancestry":["ZWExNzEwNTktMj... ","executable":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe","name":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"},"user":{"domain":"REMOVED","id":"REMOVED","name":"REMOVED"}}) reason (action [indices:data/write/bulk[s]] is unauthorized for API key id [uO-47XsBKgii28dJYKMV] of user [elastic/fleet-server] on indices [.ds-logs-endpoint.events.security-default-000006,.ds-logs-endpoint.events.security-default-000005,logs-endpoint.events.security-default,.ds-logs-endpoint.events.security-default-2021.07.28-000008,.ds-logs-endpoint.events.security-default-2021.05.29-000007], this action is granted by the index privileges [create_doc,create,delete,index,write,all]) status (403)""",
          "data_stream" : {
            "namespace" : "default",
            "type" : "logs",
            "dataset" : "elastic_agent.endpoint_security"
...

It looks like a permission problem, but I can't find the user [elastic/fleet-server] in the Kibana GUI. The API keys do appear in the Kibana GUI.
Also, I cannot find documentation on this topic.

Thank you
El!

The elastic/fleet-server user is a built-in service account. An API key for the Elasticsearch output in Elastic Agent is issued by that account. The fleet-server is supposed to tailor the privileges of that API key based on policy applied to that agent (this way the API key has the least privileges possible).

I'm not sure what went wrong, but perhaps you can try to create a new policy that contains Endpoint and apply the new policy to this agent. Maybe this will trigger an updated API key to be used that has the proper privileges.
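The 403 quoted in the question carries everything needed to triage it: the API key id, the service account that issued it, the data stream being written, and the index privileges that would have allowed the write. The following is an added example (not from this thread or from Elastic) that parses that message shape out of Elastic Agent log lines and counts failures per API key and target data stream, so that a sudden burst of them can be spotted even while the agent itself reports "green". The regular expression is an assumption derived from the single log line quoted above; the sample message below is constructed from it.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample, shaped like the message field quoted in the question above
# (a document from the logs-elastic_agent.endpoint_security data stream).
SAMPLE_MESSAGE = (
    'Client.cpp:568 Failed to create in index (logs-endpoint.events.security-default) '
    'json ({"@timestamp":"2021-09-21T13:24:06.400502Z","event":{"category":[]}}) '
    'reason (action [indices:data/write/bulk[s]] is unauthorized for API key id '
    '[uO-47XsBKgii28dJYKMV] of user [elastic/fleet-server] on indices '
    '[.ds-logs-endpoint.events.security-default-000006,logs-endpoint.events.security-default], '
    'this action is granted by the index privileges [create_doc,create,delete,index,write,all]) '
    'status (403)'
)

# Assumed message layout, taken from the one line in the thread. The action name
# may itself contain a bracketed suffix such as bulk[s], which the action group allows.
PATTERN = re.compile(
    r"Failed to create in index \((?P<target>[^)]+)\).*?"
    r"reason \(action \[(?P<action>[^\]]+(?:\[[^\]]*\])*)\] is unauthorized for API key id "
    r"\[(?P<api_key_id>[^\]]+)\] of user \[(?P<user>[^\]]+)\] on indices "
    r"\[(?P<indices>[^\]]*)\], this action is granted by the index privileges "
    r"\[(?P<privileges>[^\]]*)\]\) status \((?P<status>\d+)\)",
    re.DOTALL,
)


@dataclass
class BulkAuthFailure:
    target: str                 # data stream the agent tried to write to
    action: str                 # Elasticsearch action that was refused
    api_key_id: str             # id of the agent's output API key
    user: str                   # account that issued the key (elastic/fleet-server here)
    indices: List[str]          # concrete backing indices the write resolved to
    granting_privileges: List[str]  # any one of these index privileges would have sufficed
    status: int


def parse_bulk_auth_failure(message: str) -> Optional[BulkAuthFailure]:
    """Return the structured failure, or None if the message is not this kind of error."""
    m = PATTERN.search(message)
    if not m:
        return None
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    return BulkAuthFailure(
        target=m.group("target"),
        action=m.group("action"),
        api_key_id=m.group("api_key_id"),
        user=m.group("user"),
        indices=split(m.group("indices")),
        granting_privileges=split(m.group("privileges")),
        status=int(m.group("status")),
    )


def is_fleet_issued_key(failure: BulkAuthFailure) -> bool:
    """True when the refused key was minted by Fleet Server, i.e. its privileges
    come from the agent policy rather than from a user-managed role."""
    return failure.user == "elastic/fleet-server"


def summarize_failures(messages: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count refused writes per (api_key_id, target data stream); unparsable lines are skipped."""
    counts: Dict[Tuple[str, str], int] = {}
    for msg in messages:
        failure = parse_bulk_auth_failure(msg)
        if failure is None or failure.status != 403:
            continue
        key = (failure.api_key_id, failure.target)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    f = parse_bulk_auth_failure(SAMPLE_MESSAGE)
    print(f"key {f.api_key_id} issued by {f.user} lacks {f.action} on {f.target}")
    print(summarize_failures([SAMPLE_MESSAGE, SAMPLE_MESSAGE, "Client.cpp:100 heartbeat ok"]))
```

In practice the input would be the `message` field of hits from the `_search` in the question; a non-zero count for a Fleet-issued key on a `logs-endpoint.events.*` stream is the signal that the key's policy-derived privileges and the integration's data streams have drifted apart, which is exactly the condition the reply above suggests fixing by re-applying the Endpoint integration.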

Thank you for the solution.

Deleting the Endpoint Security integration from the policy and adding a new one fixed the problem.
