Osquery View in Discover issue

We are running Elastic-Stack 8.4.2 (all components, including the agents) and started to use Osquery. It is a great technology, however there are some problems we've encountered:

Displaying the Data in Discover with the "View in Discover" Button doesn't work and leads us to the following error. Of course there is the button for displaying the data in full-screen there is a problem with the table width resetting every 5 seconds. "xxx is not a configured data view ID"

It looks like this issue exists when doing a query from a different Space in Kibana. However I don't quite get why the request needs to be done from a certain Space in Kibana.

The width of the tables is very limited. Often there is a lot of information returned but the space is missing on 16:9 displays.

Some Queries from the saved query pack take very long and osquerybeat runs into a timeout where Errors are displayed like i/o timeout but they don't say very much about the state of the query. Furthermore, parallel requests are not possible because the server is busy with the first osquerybeat request

Happy to provide more feedback and glad if there is help for some of the encountered issues.

Hey @matled, Sorry for the delayed response.

We are working currently on better support for Kibana spaces, in the meantime, I can suggest you copy/share logs-osquery_manager.result* data view with the spaces where you want to be able to use osquery.

In terms of table width, have you tried maybe full screen option available in the right-top corner of the Results tab?

Could you provide us more information on which queries exactly take a very long time to run?

Please let me know if I can help you

Hi @patrykkopycinski

Many thanks for the suggestion with the data view, this works fine. I'm sure this can be implemented to be accessible by all Kibana spaces by default. But yes I did not think about this trivial solution thx.

The full screen option works yes but somehow if we have so much space available on the side there might be an option to extend the result table? Not sure if this compromises some design aspects of the UI but it would be a good relief for users not needing to click on a further button.

However, this is not so important compared to the basic functionality of osquerybeat. I want to push osquerybeat into production and do have a variety of systems to test on. However, it seems as it is one year after my first test run still not stable enough.

The queries that are the most troublesome are the ones that require hashing and recursive file system requests. There the queries take a very long time and osquery generates high cpu. We've encountered many issues when running osquerybeat on Windows Server 2012R2 (Timeout, Agent changes to state Error, etc.).

Query with issues

  • query can take long time this is ok
  • queries that take up lots of time, often break osquerybeat and lead to 'unhealthy' state in fleet. Some recover, others not. In 2021 there was an issue that the osquerybeat process still was stuck after uninstalling/upgrading the elastic-agent.
SELECT datetime(btime, 'unixepoch', 'UTC') as CreationTimeUTC, datetime(mtime, 'unixepoch', 'UTC') as ModificationTimeUTC,
    concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, filename, issuer_name, original_program_name, file.path,
    result, size, subject_name, uid, sha1 FROM file
JOIN authenticode ON file.path = authenticode.path
JOIN hash ON file.path = hash.path
WHERE (file.directory == 'C:\Windows\Temp\' OR file.directory LIKE 'C:\Users\%\AppData\Local\Temp\' OR
file.directory LIKE 'C:\Users\%\AppData\Local\Temp\%\' OR file.directory LIKE 'C:\Users\%\AppData\Local\Temp\%\%\') AND
(file.filename LIKE '%.dll' OR file.filename LIKE '%.exe' OR file.filename LIKE '%.sys')

seems they fail differently

Other short and simple queries just run fine like

SELECT * FROM users;

But it seems as osquerybeat does have issues on some OS Versions to run properly. Not saying it's osquery but I'm almost sure I'm not the only one having some flaky experience with it.

Some days later I've upgraded some other integrations like system but it seems as the osquerybeat (and even metricbeat) agents still have issues. The following two logfiles show the state of the agents from fleet. I've replaced sensitive Information like IP or Hostname. Note: We are using custom Agent Binary Download with an internal Repository Server (works fine)

1. Windows Server 2012R2 with Elastic Agent and osquerybeat 8.4.3 log level Info


20:23:56.049 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.\n"
20:23:56.065 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] add_cloud_metadata: hosting provider type not detected.
20:23:56.249 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:23:56.249 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.\n"
20:23:56.454 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:23:56.455 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.\n"
20:23:56.650 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:23:56.650 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.\n"
20:23:56.867 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:23:56.867 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.\n"
20:23:57.066 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:23:57.066 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.\n"
20:23:57.293 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:23:57.293 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.\n"
20:23:57.464 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:23:57.465 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.\n"
20:23:57.665 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:23:57.665 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\\\.\\pipe\\elastic\\osquery\\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.\n"
20:23:57.879 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] osquery client is connected
20:23:57.879 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] runOsquery context cancelled, exiting
20:23:59.460 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] osqueryd process exited
20:23:59.460 elastic_agent.osquerybeat [elastic_agent.osquerybeat][error] runOsquery exited with error: dialing pipe '\\.\pipe\elastic\osquery\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\.\pipe\elastic\osquery\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.
20:23:59.460 elastic_agent.osquerybeat [elastic_agent.osquerybeat][error] runOsquery exited with error: dialing pipe '\\.\pipe\elastic\osquery\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\.\pipe\elastic\osquery\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.
20:23:59.460 elastic_agent.osquerybeat [elastic_agent.osquerybeat][error] Failed to run osquery:dialing pipe '\\.\pipe\elastic\osquery\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\.\pipe\elastic\osquery\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.
20:23:59.460 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] osquerybeat context cancelled, exiting
20:23:59.460 elastic_agent.osquerybeat [elastic_agent.osquerybeat][error] osquerybeat Run exited with error: dialing pipe '\\.\pipe\elastic\osquery\b5c7f251-54e2-4b69-b77e-345275fe5a77': open \\.\pipe\elastic\osquery\b5c7f251-54e2-4b69-b77e-345275fe5a77: The system cannot find the file specified.
20:23:59.460 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Stopping fleet management service
20:24:02.867 elastic_agent.metricbeat [elastic_agent.metricbeat][info] Non-zero metrics in the last 30s
20:24:24.608 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Non-zero metrics in the last 30s
20:24:32.797 elastic_agent.metricbeat [elastic_agent.metricbeat][info] Non-zero metrics in the last 30s
20:24:54.658 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Non-zero metrics in the last 30s
20:24:58.916 elastic_agent [elastic_agent][info] 2022-10-11T20:24:58+02:00 - message: Application: osquerybeat--8.4.3[f86f761c-b29f-4d00-9699-0e5448f6ea70]: State changed to DEGRADED: Missed last check-in - type: 'STATE' - sub_type: 'RUNNING'
20:25:02.942 elastic_agent.metricbeat [elastic_agent.metricbeat][info] Non-zero metrics in the last 30s
20:25:24.619 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Non-zero metrics in the last 30s
20:25:32.805 elastic_agent.metricbeat [elastic_agent.metricbeat][info] Non-zero metrics in the last 30s
20:25:54.652 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Non-zero metrics in the last 30s
20:25:59.143 elastic_agent [elastic_agent][error] 2022-10-11T20:25:59+02:00 - message: Application: osquerybeat--8.4.3[f86f761c-b29f-4d00-9699-0e5448f6ea70]: State changed to FAILED: Missed two check-ins - type: 'ERROR' - sub_type: 'FAILED'
20:26:02.861 elastic_agent.metricbeat [elastic_agent.metricbeat][info] Non-zero metrics in the last 30s
20:26:09.173 elastic_agent [elastic_agent][info] 2022-10-11T20:26:09+02:00 - message: Application: osquerybeat--8.4.3[f86f761c-b29f-4d00-9699-0e5448f6ea70]: State changed to RESTARTING:  - type: 'STATE' - sub_type: 'STARTING'
20:26:09.173 elastic_agent [elastic_agent][info] 2022-10-11T20:26:09+02:00 - message: Application: osquerybeat--8.4.3[f86f761c-b29f-4d00-9699-0e5448f6ea70]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'
20:26:09.173 elastic_agent [elastic_agent][info] 2022-10-11T20:26:09+02:00 - message: Application: osquerybeat--8.4.3[f86f761c-b29f-4d00-9699-0e5448f6ea70]: State changed to RESTARTING: Restarting - type: 'STATE' - sub_type: 'STARTING'
20:26:09.972 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Home path: [C:\Program Files\Elastic\Agent\data\elastic-agent-90167b\install\osquerybeat-8.4.3-windows-x86_64] Config path: [C:\Program Files\Elastic\Agent\data\elastic-agent-90167b\install\osquerybeat-8.4.3-windows-x86_64] Data path: [C:\Program Files\Elastic\Agent\data\elastic-agent-90167b\run\default\osquerybeat--8.4.3] Logs path: [C:\Program Files\Elastic\Agent\data\elastic-agent-90167b\install\osquerybeat-8.4.3-windows-x86_64\logs]
20:26:10.031 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Beat ID: ab01b0c4-8193-43f5-825d-d5e52eabcfd6
20:26:13.359 elastic_agent.osquerybeat [elastic_agent.osquerybeat][warn] read token request for getting IMDSv2 token returns empty: Put "http://169.254.169.254/latest/api/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.
20:26:13.361 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Starting stats endpoint
20:26:13.361 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Beat info
20:26:13.361 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Build info
20:26:13.361 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Go runtime info
20:26:13.364 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Host info
20:26:13.365 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Process info
20:26:13.365 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Setup Beat: osquerybeat; Version: 8.4.3
20:26:13.379 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Metrics endpoint listening on: \\.\pipe\default-osquerybeat (configured: npipe:///default-osquerybeat)
20:26:14.763 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] elasticsearch url: http://localhost:9200
20:26:14.764 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Beat name: ReplacedHostname
20:26:14.764 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] osquerybeat start running.
20:26:14.765 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Starting metrics logging every 30s
20:26:14.767 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Attempted to register Windows service handlers, but this is not a service. No action necessary
20:26:14.768 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Check if osqueryd needs to be installed
20:26:14.862 elastic_agent.osquerybeat [elastic_agent.osquerybeat][warn] BETA: Fleet management is enabled
20:26:14.862 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Starting fleet management service
20:26:14.863 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Ready to receive configuration
20:26:15.675 elastic_agent [elastic_agent][info] 2022-10-11T20:26:15+02:00 - message: Application: osquerybeat--8.4.3[f86f761c-b29f-4d00-9699-0e5448f6ea70]: State changed to STARTING: Starting - type: 'STATE' - sub_type: 'STARTING'
20:26:15.675 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Status change to Configuring: Updating configuration
20:26:15.676 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Applying settings for inputs
20:26:15.676 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Applying settings for output
20:26:15.677 elastic_agent.osquerybeat [elastic_agent.osquerybeat][warn] DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0
20:26:15.677 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] elasticsearch url: https://10.10.10.10:9200
20:26:15.677 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] elasticsearch url: https://10.10.10.11:9200
20:26:15.678 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Start osqueryd
20:26:15.681 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:26:15.726 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df': open \\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.\n"
20:26:15.945 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:26:15.945 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df': open \\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.\n"
20:26:16.118 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:26:16.118 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df': open \\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.\n"
20:26:16.200 elastic_agent [elastic_agent][info] 2022-10-11T20:26:16+02:00 - message: Application: osquerybeat--8.4.3[f86f761c-b29f-4d00-9699-0e5448f6ea70]: State changed to RUNNING: Running - type: 'STATE' - sub_type: 'RUNNING'
20:26:16.358 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:26:16.358 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df': open \\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.\n"
20:26:16.388 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] add_cloud_metadata: hosting provider type not detected.
20:26:16.538 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:26:16.538 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df': open \\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.\n"
20:26:16.742 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:26:16.742 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df': open \\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.\n"
20:26:16.957 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:26:16.957 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df': open \\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.\n"
20:26:17.190 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:26:17.190 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df': open \\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.\n"
20:26:17.460 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:26:17.460 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df': open \\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.\n"
20:26:17.636 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:26:17.636 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df': open \\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.\n"
20:26:17.861 elastic_agent [elastic_agent][error] osquerybeat stderr: "ERROR "
20:26:17.861 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df': open \\\\.\\pipe\\elastic\\osquery\\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.\n"
20:26:18.066 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] osquery client is connected
20:26:18.083 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] runOsquery context cancelled, exiting
20:26:19.014 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] osqueryd process exited
20:26:19.014 elastic_agent.osquerybeat [elastic_agent.osquerybeat][error] runOsquery exited with error: dialing pipe '\\.\pipe\elastic\osquery\c1a81747-ef3c-4422-9914-2965107c02df': open \\.\pipe\elastic\osquery\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.
20:26:19.014 elastic_agent.osquerybeat [elastic_agent.osquerybeat][error] runOsquery exited with error: dialing pipe '\\.\pipe\elastic\osquery\c1a81747-ef3c-4422-9914-2965107c02df': open \\.\pipe\elastic\osquery\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.
20:26:19.037 elastic_agent.osquerybeat [elastic_agent.osquerybeat][error] Failed to run osquery:dialing pipe '\\.\pipe\elastic\osquery\c1a81747-ef3c-4422-9914-2965107c02df': open \\.\pipe\elastic\osquery\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.
20:26:19.037 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] osquerybeat context cancelled, exiting
20:26:19.037 elastic_agent.osquerybeat [elastic_agent.osquerybeat][error] osquerybeat Run exited with error: dialing pipe '\\.\pipe\elastic\osquery\c1a81747-ef3c-4422-9914-2965107c02df': open \\.\pipe\elastic\osquery\c1a81747-ef3c-4422-9914-2965107c02df: The system cannot find the file specified.
20:26:19.037 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Stopping fleet management service
20:26:32.783 elastic_agent.metricbeat [elastic_agent.metricbeat][info] Non-zero metrics in the last 30s
20:26:44.810 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Non-zero metrics in the last 30s
20:27:02.779 elastic_agent.metricbeat [elastic_agent.metricbeat][info] Non-zero metrics in the last 30s
20:27:14.784 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Non-zero metrics in the last 30s
20:27:19.222 elastic_agent [elastic_agent][info] 2022-10-11T20:27:19+02:00 - message: Application: osquerybeat--8.4.3[f86f761c-b29f-4d00-9699-0e5448f6ea70]: State changed to DEGRADED: Missed last check-in - type: 'STATE' - sub_type: 'RUNNING'
20:27:32.771 elastic_agent.metricbeat [elastic_agent.metricbeat][info] Non-zero metrics in the last 30s
20:27:44.767 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Non-zero metrics in the last 30s
20:28:02.869 elastic_agent.metricbeat [elastic_agent.metricbeat][info] Non-zero metrics in the last 30s
20:28:14.770 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] Non-zero metrics in the last 30s

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
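
A way to condense an agent log like the one posted above into per-pipe retry counts and the ordered list of agent state changes, so a DEGRADED / FAILED / RESTARTING cycle is easy to spot across hosts. This is an added example, not part of the thread and not Elastic's code; the function names are hypothetical and the sample lines (with placeholder pipe IDs) are constructed to match the quoted log format.

```python
import re

# Constructed sample modelled on the agent log format quoted in the thread.
# The pipe IDs (1111..., 2222...) are placeholders, not values from the post.
SAMPLE = r'''
20:00:00.100 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\11111111-1111-1111-1111-111111111111': The system cannot find the file specified.\n"
20:00:00.300 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\11111111-1111-1111-1111-111111111111': The system cannot find the file specified.\n"
20:00:00.500 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] osquery client is connected
20:00:00.501 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] runOsquery context cancelled, exiting
20:00:02.000 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] osqueryd process exited
20:00:02.001 elastic_agent.osquerybeat [elastic_agent.osquerybeat][error] runOsquery exited with error: dialing pipe '\\.\pipe\elastic\osquery\11111111-1111-1111-1111-111111111111': The system cannot find the file specified.
20:01:00.000 elastic_agent [elastic_agent][info] Application: osquerybeat: State changed to DEGRADED: Missed last check-in
20:02:00.000 elastic_agent [elastic_agent][error] Application: osquerybeat: State changed to FAILED: Missed two check-ins
20:02:10.000 elastic_agent [elastic_agent][info] Application: osquerybeat: State changed to RESTARTING: Restarting
20:02:16.000 elastic_agent [elastic_agent][error] osquerybeat stderr: "failed to connect: dialing pipe '\\\\.\\pipe\\elastic\\osquery\\22222222-2222-2222-2222-222222222222': The system cannot find the file specified.\n"
20:02:16.200 elastic_agent [elastic_agent][info] Application: osquerybeat: State changed to RUNNING: Running
20:02:18.000 elastic_agent.osquerybeat [elastic_agent.osquerybeat][info] osquery client is connected
'''

# "HH:MM:SS.mmm logger [logger][level] message"
LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (\S+) \[[^\]]+\]\[(\w+)\] (.*)$")
# Matches both the escaped (stderr) and unescaped forms of the pipe path.
PIPE = re.compile(r"dialing pipe '.*?osquery\\+([0-9a-f-]{36})'")
STATE = re.compile(r"State changed to (\w+):")


def summarize(text):
    """Return (per-pipe stats keyed by pipe ID, ordered (time, state) list)."""
    pipes, states, current = {}, [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        ts, msg = m.group(1), m.group(4)
        p, s = PIPE.search(msg), STATE.search(msg)
        if p:
            current = p.group(1)  # osqueryd instance being dialled
            rec = pipes.setdefault(current, {
                "failed_dials": 0, "first": ts, "connected": False,
                "exited": False, "exit_error": False})
            if "failed to connect" in msg:
                rec["failed_dials"] += 1   # one retry against a missing pipe
            else:
                rec["exit_error"] = True   # run loop ended with the dial error
        elif s:
            states.append((ts, s.group(1)))
        elif current and "osquery client is connected" in msg:
            pipes[current]["connected"] = True
        elif current and "osqueryd process exited" in msg:
            pipes[current]["exited"] = True
    return pipes, states


def is_restart_loop(states):
    """True if DEGRADED, FAILED and RESTARTING occur in that order."""
    names = iter(name for _, name in states)
    return all(step in names for step in ("DEGRADED", "FAILED", "RESTARTING"))


if __name__ == "__main__":
    pipes, states = summarize(SAMPLE)
    for pipe_id, rec in pipes.items():
        print(pipe_id, rec)
    print([name for _, name in states], "restart loop:", is_restart_loop(states))
```
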