I have installed Elastic Agent (enrolled with fleet and healthy) and Endpoint Security on a couple of hosts. All seems to work, except I am missing host events in the overview. There are events, but the messages don't seem right and there is no event.module (the column is missing in pic 2). What did I do wrong?
I am using elastic 8.2.2, the agent is installed only on windows hosts (windows 10 and server 2019). I can confirm that elastic endpoint is installed, because there is a folder in the Elastic directory, although I would expect at least events from Elastic Agent show up.
The default output is pointing to the correct es instances.
Hi @shellcode . Those messages you screenshotted (thanks!) are Endpoint log messages. They're saved to the local disk by Endpoint and then written into Elasticsearch by Filebeat. Your screenshot shows that Agent/Filebeat.Endpoint are running on the host and Filebeat is able to write to Elasticsearch (since you're seeing that data!). I also see that Endpoint seems to be writing data it is collecting into Elasticsearch (via the log Sent 28 documents to Elasticsearch).
Do you see any documents from the host with event.module=endpoint in any logs-* (Endpoint' collected events and alerts) or metrics-* (Endpoint state management documents) indices? Those documents would be ones written by Endpoint itself. From the information you've shared I expect you'll see data in those indices if you search via Discover or Dev Tools. Also you should see Endpoint data in the Security App in Kibana, it seems you might be using in the Observability App so far?
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
