Hi Daniel,
Thanks for getting back to me.
endpoint-security as located in a tmp folder does not persist over elastic-agent restart. I have just recreated it and restarted ElasticEndpoint.service. The diagnostics issue is still there (and the /endpoint-security.sock file is still missing).
Regarding elastic-agent status, I am getting
Status: HEALTHY
Message: (no message)
Applications:
* endpoint-security (HEALTHY)
Protecting with policy {073b2f96-41a6-40c0-a943-c3fc7932ce18}
* packetbeat (HEALTHY)
Running
* filebeat (HEALTHY)
Running
* metricbeat (HEALTHY)
Running
* filebeat_monitoring (HEALTHY)
Running
* metricbeat_monitoring (HEALTHY)
Running
The status in Security/Manage/Endpoints UI is Healthy as well.
Grepping Policy action gives the following:
{"@timestamp":"2022-11-14T17:00:30.436409883Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Succesfully read memory protection configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.436430004Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_memory_threat: success - Succesfully read diagnostic memory protection configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.436508208Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Successfully read host isolation configuration (disabled)","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.436538116Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malicious_behavior: success - Successfully read behavior protection configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.436553867Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malicious_behavior: success - Successfully read diagnostic behavior protection configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.436708428Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_user_notification: success - Succesfully read user notification configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.436734593Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully read malware prevent configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.43679971Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Successfully read diagnosic malware off configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.444572162Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_output: success - Successfully read output configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.44484463Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_logging: success - Successfully read logging configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.444859699Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action load_config: success - Successfully parsed configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.446535232Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action download_user_artifacts: success - Successfully downloaded user artifacts","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.459928625Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action download_global_artifacts: success - Global artifacts are available for use","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.460061929Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_logging: success - Successfully configured logging","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.461400125Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_output: success - Successfully configured output connection","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.044516422Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action detect_process_events: success - Success enabling process events; current state is enabled Source configuration changed.","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.044564259Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action detect_network_events: success - Success enabling network events; current state is enabled Source configuration changed.","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.044591399Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action detect_file_write_events: success - Success enabling file events; current state is enabled Source configuration changed.","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.044616992Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_file_events: success - Success enabling file events; current state is enabled Source configuration changed.","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.044636777Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_network_events: success - Success enabling network events; current state is enabled Source configuration changed.","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.044657035Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_process_events: success - Success enabling process events; current state is enabled Source configuration changed.","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.049203851Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully loaded malware model","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.049249883Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Malware detection/prevention is disabled","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.049998151Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Malware detection/prevention is disabled","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.082296525Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully loaded malware model","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.083111279Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully enabled malware prevention","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.083131029Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Successfully disabled malware protection","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.08316764Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_user_notification: success - Successfully configured user notification","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.084543742Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malicious_behavior: success - Rules engine is stopped","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.084565793Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malicious_behavior: success - Rules engine is stopped","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.084753364Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Activated exception-list IPs for host isolation","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.08477378Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Host isolation exception list (processes) set","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.08509106Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Host is not isolated","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.085130479Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_memory_threat: success - Memory scan is disabled","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.085148896Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Memory scan is disabled","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.085167793Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Successfully disabled memory threat protection","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.085185909Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_memory_threat: success - Successfully disabled memory threat protection","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:47.361510306Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Succesfully read memory protection configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.36152993Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_memory_threat: success - Succesfully read diagnostic memory protection configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.361605971Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Successfully read host isolation configuration (disabled)","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.361635618Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malicious_behavior: success - Successfully read behavior protection configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.361651827Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malicious_behavior: success - Successfully read diagnostic behavior protection configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.3618046Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_user_notification: success - Succesfully read user notification configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.36183047Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully read malware prevent configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.361895469Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Successfully read diagnosic malware off configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.370931771Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_output: success - Successfully read output configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.371200469Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_logging: success - Successfully read logging configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.371215187Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action load_config: success - Successfully parsed configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.086095036Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action agent_connectivity: success - Successfully connected to Agent","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:48.086539962Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action workflow: success - Successfully executed all workflows","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:48.090082183Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action download_user_artifacts: success - Successfully downloaded user artifacts","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.105119769Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action download_global_artifacts: success - Global artifacts are available for use","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.105280812Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_logging: success - Successfully configured logging","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106191042Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_output: success - Successfully configured output connection","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106257906Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action detect_process_events: success - Success enabling process events; current state is enabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106275329Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action detect_network_events: success - Success enabling network events; current state is enabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106292239Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action detect_file_write_events: success - Success enabling file events; current state is enabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106309786Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_file_events: success - Success enabling file events; current state is enabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106326769Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_network_events: success - Success enabling network events; current state is enabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106345372Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_process_events: success - Success enabling process events; current state is enabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.110191263Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully loaded malware model","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.110214089Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Malware detection/prevention is disabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.110884641Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Malware detection/prevention is disabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.144573688Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully loaded malware model","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.144752063Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully enabled malware prevention","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.144769841Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Successfully disabled malware protection","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.144813415Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_user_notification: success - Successfully configured user notification","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.145791563Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malicious_behavior: success - Rules engine is stopped","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.145813546Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malicious_behavior: success - Rules engine is stopped","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.145957702Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Activated exception-list IPs for host isolation","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.145977165Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Host isolation exception list (processes) set","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.146246727Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Host is not isolated","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.14628559Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_memory_threat: success - Memory scan is disabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.146303688Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Memory scan is disabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.146322884Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Successfully disabled memory threat protection","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.146341621Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_memory_threat: success - Successfully disabled memory threat protection","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.14638159Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action agent_connectivity: success - Successfully connected to Agent","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.146537325Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action workflow: success - Successfully executed all workflows","process":{"pid":16672,"thread":{"id":16739}}}
I have stopped legacy beats to avoid any potential conflicts, but I am still getting coredumps in /var/lib/apport/coredump, the last one created at 16:46 UTC today. Corresponding security endpoint logs are (short extract, I can provide more if needed):
{"@timestamp":"2022-11-14T16:46:21.838967777Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":47,"name":"MainPosix.cpp"}}},"message":"MainPosix.cpp:47 Processed core-ing signal : 11","process":{"pid":15770,"thread":{"id":15798}}}
{"@timestamp":"2022-11-14T16:46:40.155316887Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":131,"name":"Config.cpp"}}},"message":"Config.cpp:131 Registered configuration callback for logging","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:46:40.155362953Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":155,"name":"Entry.cpp"}}},"message":"Entry.cpp:155 Loading plugin: documentLogging","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:46:40.156732332Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":131,"name":"System.cpp"}}},"message":"System.cpp:131 Generated system UUID 99bc2f02-e951-4b1f-3ae6-33c79dccb4ba","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:46:40.156811274Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":804,"name":"LogStorage.cpp"}}},"message":"LogStorage.cpp:804 Calculated outValue 1668441248 for filepath /opt/Elastic/Endpoint/state/documents/documents-2022-11-14T155408.log","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:46:40.210450417Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":131,"name":"System.cpp"}}},"message":"System.cpp:131 Generated system UUID 99bc2f02-e951-4b1f-3ae6-33c79dccb4ba","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:46:40.210474074Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":155,"name":"Entry.cpp"}}},"message":"Entry.cpp:155 Loading plugin: comms","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:46:40.210532047Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":131,"name":"Config.cpp"}}},"message":"Config.cpp:131 Registered configuration callback for comms","process":{"pid":16257,"thread":{"id":16257}}}
Available to provide more insights, thanks a lot.
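The two manual checks in the post (grepping the endpoint log for "Policy action" results, and matching a "core-ing signal" record against the process that comes up afterwards) can be scripted so the same triage is repeatable across restarts. The Python helper below is an added example, not code from the post, from Daniel, or from Elastic; it parses ECS-style JSON log lines of the shape shown above, tallies results per policy action, flags any action whose result is not "success", and pairs each crash record with the next pid seen in the log so a restart is visible. The sample lines are constructed: the agent id, pids and timestamps are placeholders, and the shape of a "failure" line is an assumption modelled on the "action: result - detail" pattern of the success lines.

```python
"""Triage helper for Elastic Endpoint JSON logs (added example, not Elastic's code)."""
import json
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the log format in the post. Agent id, pids and
# timestamps are placeholders; the "failure" line assumes the same
# "Policy action <name>: <result> - <detail>" pattern as the success lines.
SAMPLE_LOG = r'''
{"@timestamp":"2022-11-14T16:46:21.838Z","agent":{"id":"AGENT-ID-PLACEHOLDER","type":"endpoint"},"log":{"level":"info","origin":{"file":{"line":47,"name":"MainPosix.cpp"}}},"message":"MainPosix.cpp:47 Processed core-ing signal : 11","process":{"pid":15770,"thread":{"id":15798}}}
{"@timestamp":"2022-11-14T16:46:40.155Z","agent":{"id":"","type":"endpoint"},"log":{"level":"info","origin":{"file":{"line":155,"name":"Entry.cpp"}}},"message":"Entry.cpp:155 Loading plugin: comms","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T17:00:30.436Z","agent":{"id":"AGENT-ID-PLACEHOLDER","type":"endpoint"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully read malware prevent configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.083Z","agent":{"id":"AGENT-ID-PLACEHOLDER","type":"endpoint"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully enabled malware prevention","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.084Z","agent":{"id":"AGENT-ID-PLACEHOLDER","type":"endpoint"},"log":{"level":"warning","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic: failure - Diagnostic socket not available","process":{"pid":16672,"thread":{"id":16672}}}
not json at all
'''

POLICY_RE = re.compile(r"Policy action (?P<action>\w+): (?P<result>\w+) - (?P<detail>.*)$")
CRASH_RE = re.compile(r"Processed core-ing signal : (?P<signal>\d+)")


def parse_line(line):
    """Parse one ECS JSON log line into a small record; None for blank or malformed input."""
    line = line.strip()
    if not line:
        return None
    try:
        doc = json.loads(line)
    except json.JSONDecodeError:
        return None
    msg = doc.get("message", "")
    rec = {
        "ts": doc.get("@timestamp"),
        "pid": doc.get("process", {}).get("pid"),
        "level": doc.get("log", {}).get("level"),
        "kind": "other",
    }
    m = POLICY_RE.search(msg)
    if m:
        rec.update(kind="policy", action=m["action"], result=m["result"], detail=m["detail"])
        return rec
    m = CRASH_RE.search(msg)
    if m:
        rec.update(kind="crash", signal=int(m["signal"]))
    return rec


def triage(lines):
    """Summarise policy-action results and crash/restart pairs from an iterable of log lines."""
    recs = [r for r in map(parse_line, lines) if r]

    # result counts per policy action, e.g. {"configure_malware": {"success": 2}}
    results = defaultdict(Counter)
    for r in recs:
        if r["kind"] == "policy":
            results[r["action"]][r["result"]] += 1
    failed = sorted(a for a, c in results.items() if any(k != "success" for k in c))

    # each crash record is paired with the first later record from a different pid,
    # which is the restarted endpoint process (None if the log ends first)
    crashes = []
    for i, r in enumerate(recs):
        if r["kind"] != "crash":
            continue
        successor = next((s["pid"] for s in recs[i + 1:] if s["pid"] != r["pid"]), None)
        crashes.append({"ts": r["ts"], "signal": r["signal"], "pid": r["pid"],
                        "restarted_as_pid": successor})

    return {
        "policy_results": {a: dict(c) for a, c in results.items()},
        "failed_actions": failed,
        "crashes": crashes,
    }


def run_sample():
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On a real host the same function can be fed the endpoint log file directly (for example `triage(open(path))`), and a non-empty `failed_actions` list or a crash with `restarted_as_pid` set is the condition worth escalating with the full log extract.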