I noticed errors “Unable to authenticate - apikey not found” for a few apikeys. They are frequently repeated. This is an Elastic Cloud hosted stack.
These seem to have started with the prior version update, then more with the last version update. I then found that after the upgrade, the errors are for revoked keys, then they become missing after several days.
I found a Fleet FORCE_UNENROLL action that seems to have happened during the last upgrade.
I’m working a case with support, but has anyone seen anything like this? Would any process in an upgrade unenroll agents? Would anything delete revoked API keys?
I turned on audit for over an hour and found 60+ IPs with anonymous access denied errors, which I think relate to the missing key errors. They are probably mostly Windows workstation agents.