Unable to run Endpoint 8.4 on a Ubuntu 20.04 host hardened with CIS Level 2

Hi,

I am encountering difficulties properly running Endpoint (deployed thanks to Fleet Server) on an Ubuntu 20.04 host (hardened with CIS Level 2, and I suspect the issue to be related to system hardening).

When I run elastic agent diagnostic I have:

elastic-agent  id: bdf61569-dedf-4905-a8a9-207ef1391e8a                version: 8.4.2
               build_commit: d3eb3e8a02d96bf48d11145fb089e118f75bd202  build_time: 2022-09-14 22:33:40 +0000 UTC  snapshot_build: false
Applications:
  *  name: metricbeat             route_key: default
     process: metricbeat          id: ccd56c6c-f046-47be-894a-b6945206436f          ephemeral_id: 2a684434-eefc-4fc2-927f-55c118501809  elastic_license: true
     version: 8.4.2               commit: b00a6bca7be493b01a134a6ad8c415f2be297414  build_time: 2022-09-13 21:56:36 +0000 UTC           binary_arch: amd64
     hostname: STAGING-LB-AS      username: root                                    user_id: 0                                          user_gid: 0
  *  name: packetbeat             route_key: default
     process: packetbeat          id: a73fec1b-61e0-4c20-ba92-f606c047be39          ephemeral_id: 0195e653-cfbf-4c84-870f-ecafcb333960  elastic_license: true
     version: 8.4.2               commit: b00a6bca7be493b01a134a6ad8c415f2be297414  build_time: 2022-09-13 21:52:18 +0000 UTC           binary_arch: amd64
     hostname: STAGING-LB-AS      username: root                                    user_id: 0                                          user_gid: 0
  *  name: filebeat_monitoring    route_key: default
     process: filebeat            id: 6673dbeb-3cf5-4dca-bd01-25bbd36dc739          ephemeral_id: c986fc2d-3fa1-4a85-974c-ce7f96bfef47  elastic_license: true
     version: 8.4.2               commit: b00a6bca7be493b01a134a6ad8c415f2be297414  build_time: 2022-09-13 21:52:16 +0000 UTC           binary_arch: amd64
     hostname: STAGING-LB-AS      username: root                                    user_id: 0                                          user_gid: 0
  *  name: metricbeat_monitoring  route_key: default
     process: metricbeat          id: ccd56c6c-f046-47be-894a-b6945206436f          ephemeral_id: 2a684434-eefc-4fc2-927f-55c118501809  elastic_license: true
     version: 8.4.2               commit: b00a6bca7be493b01a134a6ad8c415f2be297414  build_time: 2022-09-13 21:56:36 +0000 UTC           binary_arch: amd64
     hostname: STAGING-LB-AS      username: root                                    user_id: 0                                          user_gid: 0
  *  name: endpoint-security      route_key: default
     error: Get "http://unix/": dial unix /opt/Elastic/Agent/data/tmp/default/endpoint-security/endpoint-security.sock: connect: no such file or directory
  *  name: filebeat           route_key: default
     process: filebeat        id: 6673dbeb-3cf5-4dca-bd01-25bbd36dc739          ephemeral_id: c986fc2d-3fa1-4a85-974c-ce7f96bfef47  elastic_license: true
     version: 8.4.2           commit: b00a6bca7be493b01a134a6ad8c415f2be297414  build_time: 2022-09-13 21:52:16 +0000 UTC           binary_arch: amd64
     hostname: STAGING-LB-AS  username: root                                    user_id: 0                                          user_gid: 0

As you can see, Endpoint encounters a Get "http://unix/": dial unix /opt/Elastic/Agent/data/tmp/default/endpoint-security/endpoint-security.sock: connect: no such file or directory issue. Initially, the endpoint-security folder did not exist at all, but I have the same result after creating it manually and setting a generous 755 chmod on the full path towards this brand new folder (this is a typical side effect of having a restrictive UMASK due to CIS hardening).

If I run Endpoint output test I have:

Testing output connections using config file: [/opt/Elastic/Endpoint/elastic-endpoint.yaml]

Using proxy:

Elasticsearch server: http://ELK-1:9200
	Status: Success

Elasticsearch server: http://ELK-2:9200
	Status: Success

Global artifact server: https://artifacts.security.elastic.co
	Status: Success

Fleet server: https://ELK-1:8220
	Status: Success

Fleet server: https://ELK-2:8220
	Status: Success

If I look in the Endpoint logs looking for errors I am getting:

{"@timestamp":"2022-11-09T13:39:16.811850194Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":123,"name":"AgentConnectionInfo.cpp"}}},"message":"AgentConnectionInfo.cpp:123 Agent process is not root/admin or validation failed, disconnecting","process":{"pid":812513,"thread":{"id":812547}}}
{"@timestamp":"2022-11-09T13:39:16.811872511Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":588,"name":"AgentComms.cpp"}}},"message":"AgentComms.cpp:588 Unable to retrieve connection info from Agent(Agent is not running as root)","process":{"pid":812513,"thread":{"id":812547}}}
{"@timestamp":"2022-11-09T13:41:51.763655857Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"error","origin":{"file":{"line":918,"name":"Network.cpp"}}},"message":"Network.cpp:918 Failed to stat [/proc/813679/fd/19]","process":{"pid":813825,"thread":{"id":813825}}}

Quite strange to see an Agent process is not root/admin or validation failed issue since the diagnostics confirm elastic agent is running as root, and this is the same when I check the various processes with a ps -ef | grep Endpoint or ps -ef | grep elastic-agent.

The failed to stat issue points towards a link with the following rights:

lrwx------ 1 root root 64 Nov  9 15:27 /proc/813679/fd/19 -> 'socket:[472216859]'

Strangely, these errors do not block totally Endpoint since I can see some logs stating that documents are sent to elastic:

{"@timestamp":"2022-11-09T15:34:46.168982189Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":199,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:199 Sent 124 documents to Elasticsearch","process":{"pid":814313,"thread":{"id":814336}}}

In fact, I am investigating this issue because I have noticed regular crashes of the Endpoint process leading to the creation of huge coredump files in /var/lib/apport/coredump (with a FS completely full...).

Important: please note I have legacy beats installed and running on the same host on top of the fleet elastic agent (we are migrating from Elastic 6.1 towards 8.4 and are testing Fleet + Security Endpoint for now and will completely remove the legacy Beats at a later stage).

Any help will be highly appreciated!
Thanks

Hi @dapster

Do you continue to have the issue you showed from running elastic-agent diagnostics, or did it go away after you created the endpoint-security directory?

The issue you found in the /opt/Elastic/Endpoint/state/log/ files looks like a transient issue that resolved itself. That error means that Endpoint could not connect to Agent to receive configuration updates. However, your elastic-endpoint test output command output shows that Endpoint has received configuration info, since it knows how to reach Elasticsearch and Fleet server. Endpoint being able to write to Elasticsearch also confirms this.

I wonder if Endpoint is crashing and causing the UNHEALTHY status in Fleet? What is the status of the Endpoint in the Security App's status page in Kibana? Regardless of whether or not Endpoint is crashing, it would be good to understand whether or not Endpoint is healthy before crashing. Can you share the output from elastic-agent status? That will help verify why Agent remains UNHEALTHY.

As an aside, Endpoint logs can also show the status by grepping for Policy action in the logs. Each time Endpoint applies policy it will produce a bunch of log messages for each action it takes while applying policy. Any that fail will have failure log messages as well as a failure displayed in Kibana.
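To apply the grep-for-Policy-action approach above without reading the raw JSON by eye, here is an added example (not from this thread and not Elastic's own tooling) that parses the ECS-formatted Endpoint log lines, lists error-level entries, keeps the last reported status of each policy action, and counts process ID changes as a rough restart indicator. It assumes the "Policy action <name>: <status> - <detail>" message format shown in the thread; the sample lines are constructed from that format, and the wording of the one failed action is an assumption.

```python
import json
import re
import sys

# Constructed sample, modelled on the ECS JSON lines quoted in this thread.
# Lines 1-2 reproduce the error messages from the first post; lines 3-6 follow the
# "Policy action" format; line 7 is a hypothetical failed action (its exact wording
# is an assumption); line 8 is a deliberately truncated record that must be skipped.
SAMPLE_LOG = "\n".join([
    '{"@timestamp":"2022-11-09T13:39:16.811850194Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"log":{"level":"error","origin":{"file":{"line":123,"name":"AgentConnectionInfo.cpp"}}},"message":"AgentConnectionInfo.cpp:123 Agent process is not root/admin or validation failed, disconnecting","process":{"pid":812513}}',
    '{"@timestamp":"2022-11-09T13:39:16.811872511Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"log":{"level":"error","origin":{"file":{"line":588,"name":"AgentComms.cpp"}}},"message":"AgentComms.cpp:588 Unable to retrieve connection info from Agent(Agent is not running as root)","process":{"pid":812513}}',
    '{"@timestamp":"2022-11-14T17:00:30.444572162Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_output: success - Successfully read output configuration","process":{"pid":16672}}',
    '{"@timestamp":"2022-11-14T17:00:30.436409883Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Succesfully read memory protection configuration","process":{"pid":16672}}',
    '{"@timestamp":"2022-11-14T17:00:42.085167793Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Successfully disabled memory threat protection","process":{"pid":16672}}',
    '{"@timestamp":"2022-11-14T17:00:48.086095036Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action agent_connectivity: success - Successfully connected to Agent","process":{"pid":16672}}',
    '{"@timestamp":"2022-11-14T17:00:48.106191042Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"log":{"level":"error","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_output: failure - constructed example of a failed action","process":{"pid":16672}}',
    '{"@timestamp":"2022-11-14T17:00:49Z","message":"truncated reco',
])

# "Policy action <name>: <status> - <detail>", as in the Response.cpp lines above.
POLICY_ACTION = re.compile(r"Policy action (?P<action>\S+): (?P<status>\S+) - (?P<detail>.*)$")


def parse_records(text):
    """Yield one dict per well-formed JSON line; blank and truncated lines are skipped."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def policy_action(message):
    """Return (action, status, detail) for a policy-action message, else None."""
    m = POLICY_ACTION.search(message)
    if not m:
        return None
    return m.group("action"), m.group("status"), m.group("detail")


def summarize(text):
    """Collect error entries, the last status per policy action, and pid changes."""
    errors = []
    last_status = {}  # action -> (status, detail); insertion order is kept
    pids = []         # distinct consecutive pids; each change is a restart candidate
    for rec in parse_records(text):
        log = rec.get("log", {})
        msg = rec.get("message", "")
        pid = rec.get("process", {}).get("pid")
        if pid is not None and (not pids or pids[-1] != pid):
            pids.append(pid)
        if log.get("level") == "error":
            origin = log.get("origin", {}).get("file", {}).get("name", "?")
            errors.append((rec.get("@timestamp"), origin, msg))
        pa = policy_action(msg)
        if pa:
            action, status, detail = pa
            last_status[action] = (status, detail)
    # Anything whose final status is not "success" is treated as failed (assumption).
    failed = [a for a, (status, _) in last_status.items() if status != "success"]
    return {
        "errors": errors,
        "actions": last_status,
        "failed_actions": failed,
        "process_restarts": max(len(pids) - 1, 0),
        "policy_healthy": not failed,
    }


if __name__ == "__main__":
    # Pass a log file path (e.g. one from /opt/Elastic/Endpoint/state/log/) or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = summarize(text)
    for ts, origin, msg in result["errors"]:
        print(f"ERROR {ts} {origin}: {msg}")
    for action, (status, detail) in result["actions"].items():
        print(f"{action:40s} {status:8s} {detail}")
    print(f"failed actions: {result['failed_actions']}")
    print(f"process restarts seen: {result['process_restarts']}")
    print(f"policy healthy: {result['policy_healthy']}")
```

Because every policy application re-emits the same action names, only the last status per action is kept; a persistent failure therefore shows up once instead of being buried among the repeated success lines.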

Hi Daniel,

Thanks for getting back to me.

endpoint-security, as it is located in a tmp folder, does not persist over an elastic-agent restart. I have just recreated it and restarted ElasticEndpoint.service. The diagnostics issue is still there (and the /endpoint-security.sock file is still missing).

Regarding elastic-agent status, I am getting:

Status: HEALTHY
Message: (no message)
Applications:
  * endpoint-security      (HEALTHY)
                           Protecting with policy {073b2f96-41a6-40c0-a943-c3fc7932ce18}
  * packetbeat             (HEALTHY)
                           Running
  * filebeat               (HEALTHY)
                           Running
  * metricbeat             (HEALTHY)
                           Running
  * filebeat_monitoring    (HEALTHY)
                           Running
  * metricbeat_monitoring  (HEALTHY)
                           Running

The status in Security/Manage/Endpoints UI is Healthy as well.

Grepping Policy action gives the following:

{"@timestamp":"2022-11-14T17:00:30.436409883Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Succesfully read memory protection configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.436430004Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_memory_threat: success - Succesfully read diagnostic memory protection configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.436508208Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Successfully read host isolation configuration (disabled)","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.436538116Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malicious_behavior: success - Successfully read behavior protection configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.436553867Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malicious_behavior: success - Successfully read diagnostic behavior protection configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.436708428Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_user_notification: success - Succesfully read user notification configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.436734593Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully read malware prevent configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.43679971Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Successfully read diagnosic malware off configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.444572162Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_output: success - Successfully read output configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.44484463Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_logging: success - Successfully read logging configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.444859699Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action load_config: success - Successfully parsed configuration","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.446535232Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action download_user_artifacts: success - Successfully downloaded user artifacts","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.459928625Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action download_global_artifacts: success - Global artifacts are available for use","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.460061929Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_logging: success - Successfully configured logging","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:30.461400125Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_output: success - Successfully configured output connection","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.044516422Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action detect_process_events: success - Success enabling process events; current state is enabled Source configuration changed.","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.044564259Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action detect_network_events: success - Success enabling network events; current state is enabled Source configuration changed.","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.044591399Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action detect_file_write_events: success - Success enabling file events; current state is enabled Source configuration changed.","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.044616992Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_file_events: success - Success enabling file events; current state is enabled Source configuration changed.","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.044636777Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_network_events: success - Success enabling network events; current state is enabled Source configuration changed.","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.044657035Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_process_events: success - Success enabling process events; current state is enabled Source configuration changed.","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.049203851Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully loaded malware model","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.049249883Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Malware detection/prevention is disabled","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.049998151Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Malware detection/prevention is disabled","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.082296525Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully loaded malware model","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.083111279Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully enabled malware prevention","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.083131029Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Successfully disabled malware protection","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.08316764Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_user_notification: success - Successfully configured user notification","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.084543742Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malicious_behavior: success - Rules engine is stopped","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.084565793Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malicious_behavior: success - Rules engine is stopped","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.084753364Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Activated exception-list IPs for host isolation","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.08477378Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Host isolation exception list (processes) set","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.08509106Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Host is not isolated","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.085130479Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_memory_threat: success - Memory scan is disabled","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.085148896Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Memory scan is disabled","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.085167793Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Successfully disabled memory threat protection","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:42.085185909Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_memory_threat: success - Successfully disabled memory threat protection","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:47.361510306Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Succesfully read memory protection configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.36152993Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_memory_threat: success - Succesfully read diagnostic memory protection configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.361605971Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Successfully read host isolation configuration (disabled)","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.361635618Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malicious_behavior: success - Successfully read behavior protection configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.361651827Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malicious_behavior: success - Successfully read diagnostic behavior protection configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.3618046Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_user_notification: success - Succesfully read user notification configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.36183047Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully read malware prevent configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.361895469Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Successfully read diagnosic malware off configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.370931771Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_output: success - Successfully read output configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.371200469Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_logging: success - Successfully read logging configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:47.371215187Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action load_config: success - Successfully parsed configuration","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.086095036Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action agent_connectivity: success - Successfully connected to Agent","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:48.086539962Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action workflow: success - Successfully executed all workflows","process":{"pid":16672,"thread":{"id":16672}}}
{"@timestamp":"2022-11-14T17:00:48.090082183Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action download_user_artifacts: success - Successfully downloaded user artifacts","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.105119769Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action download_global_artifacts: success - Global artifacts are available for use","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.105280812Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_logging: success - Successfully configured logging","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106191042Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_output: success - Successfully configured output connection","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106257906Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action detect_process_events: success - Success enabling process events; current state is enabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106275329Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action detect_network_events: success - Success enabling network events; current state is enabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106292239Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action detect_file_write_events: success - Success enabling file events; current state is enabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106309786Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_file_events: success - Success enabling file events; current state is enabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106326769Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_network_events: success - Success enabling network events; current state is enabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.106345372Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_process_events: success - Success enabling process events; current state is enabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.110191263Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully loaded malware model","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.110214089Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Malware detection/prevention is disabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.110884641Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Malware detection/prevention is disabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.144573688Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully loaded malware model","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.144752063Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malware: success - Successfully enabled malware prevention","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.144769841Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malware: success - Successfully disabled malware protection","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.144813415Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_user_notification: success - Successfully configured user notification","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.145791563Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_malicious_behavior: success - Rules engine is stopped","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.145813546Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_malicious_behavior: success - Rules engine is stopped","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.145957702Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Activated exception-list IPs for host isolation","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.145977165Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Host isolation exception list (processes) set","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.146246727Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_host_isolation: success - Host is not isolated","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.14628559Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_memory_threat: success - Memory scan is disabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.146303688Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Memory scan is disabled","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.146322884Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_memory_threat: success - Successfully disabled memory threat protection","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.146341621Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action configure_diagnostic_memory_threat: success - Successfully disabled memory threat protection","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.14638159Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action agent_connectivity: success - Successfully connected to Agent","process":{"pid":16672,"thread":{"id":16739}}}
{"@timestamp":"2022-11-14T17:00:48.146537325Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action workflow: success - Successfully executed all workflows","process":{"pid":16672,"thread":{"id":16739}}}

I have stopped the legacy Beats to avoid any potential conflicts, but I am still getting core dumps in /var/lib/apport/coredump, the last one created at 16:46 UTC today. The corresponding security endpoint logs are (short extract, I can provide more if needed):

{"@timestamp":"2022-11-14T16:46:21.838967777Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":47,"name":"MainPosix.cpp"}}},"message":"MainPosix.cpp:47 Processed core-ing signal : 11","process":{"pid":15770,"thread":{"id":15798}}}
{"@timestamp":"2022-11-14T16:46:40.155316887Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":131,"name":"Config.cpp"}}},"message":"Config.cpp:131 Registered configuration callback for logging","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:46:40.155362953Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":155,"name":"Entry.cpp"}}},"message":"Entry.cpp:155 Loading plugin: documentLogging","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:46:40.156732332Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":131,"name":"System.cpp"}}},"message":"System.cpp:131 Generated system UUID 99bc2f02-e951-4b1f-3ae6-33c79dccb4ba","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:46:40.156811274Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":804,"name":"LogStorage.cpp"}}},"message":"LogStorage.cpp:804 Calculated outValue 1668441248 for filepath /opt/Elastic/Endpoint/state/documents/documents-2022-11-14T155408.log","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:46:40.210450417Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":131,"name":"System.cpp"}}},"message":"System.cpp:131 Generated system UUID 99bc2f02-e951-4b1f-3ae6-33c79dccb4ba","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:46:40.210474074Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":155,"name":"Entry.cpp"}}},"message":"Entry.cpp:155 Loading plugin: comms","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:46:40.210532047Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":131,"name":"Config.cpp"}}},"message":"Config.cpp:131 Registered configuration callback for comms","process":{"pid":16257,"thread":{"id":16257}}}

Available to provide more insights, thanks a lot.
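The records above are one JSON document per line (NDJSON), and the interesting ones are easy to miss among the policy-action noise: a "Processed core-ing signal : 11" line (signal 11 is SIGSEGV, i.e. the endpoint process crashed and the kernel wrote the core apport picked up), followed by a fresh pid whose agent.id is empty until it re-registers. The following is an added example, not code from the thread or from Elastic: a small triage script that re-joins records a terminal wrapped across two lines, pulls out crash signals, the sequence of pids, and any warning/error messages grouped by source file. The sample log is constructed to mirror the posted records (agent id shortened, timestamps of the later records invented); it is not the poster's actual file.

```python
import json
import re
import signal
from collections import defaultdict

# Constructed sample modelled on the endpoint-*.log records quoted in the
# thread: the first record is deliberately split across two lines the way a
# terminal wrapped the posted output. Not the poster's actual file.
SAMPLE_LOG = r'''
{"@timestamp":"2022-11-14T16:46:21.838967777Z","agent":{"id":"bdf61569","type":"endpoint"},"log":{"level":"info","origin":{"file":{"line":47,"na
me":"MainPosix.cpp"}}},"message":"MainPosix.cpp:47 Processed core-ing signal : 11","process":{"pid":15770,"thread":{"id":15798}}}
{"@timestamp":"2022-11-14T16:46:40.155316887Z","agent":{"id":"","type":"endpoint"},"log":{"level":"info","origin":{"file":{"line":131,"name":"Config.cpp"}}},"message":"Config.cpp:131 Registered configuration callback for logging","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:48:01.404593320Z","agent":{"id":"bdf61569","type":"endpoint"},"log":{"level":"warning","origin":{"file":{"line":84,"name":"Tux_HostIsolation.cpp"}}},"message":"rtnetlink replied: No such file or directory\n","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:48:01.404610059Z","agent":{"id":"bdf61569","type":"endpoint"},"log":{"level":"warning","origin":{"file":{"line":84,"name":"Tux_HostIsolation.cpp"}}},"message":"error talking to the kernel (rtnetlink_send)\n","process":{"pid":16257,"thread":{"id":16257}}}
{"@timestamp":"2022-11-14T16:50:00.000000000Z","agent":{"id":"bdf61569","type":"endpoint"},"log":{"level":"info","origin":{"file":{"line":357,"name":"Response.cpp"}}},"message":"Response.cpp:357 Policy action workflow: success - Successfully executed all workflows","process":{"pid":16257,"thread":{"id":16300}}}
'''

# Message text used by the endpoint when it catches a core-producing signal.
CORE_RE = re.compile(r"Processed core-ing signal : (\d+)")


def parse_ndjson(text):
    """Parse one JSON record per line, re-joining records that a terminal
    wrapped onto several lines (a continuation line never starts a record)."""
    records, buf = [], ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith('{"@timestamp"'):
            buf = line          # new record; any unparseable leftover is dropped
        else:
            buf += line         # continuation of the previous, wrapped record
        try:
            records.append(json.loads(buf))
            buf = ""
        except json.JSONDecodeError:
            pass                # incomplete so far; wait for the next line
    return records


def crash_signals(records):
    """Records where the endpoint caught a core-producing signal."""
    crashes = []
    for r in records:
        m = CORE_RE.search(r.get("message", ""))
        if not m:
            continue
        signum = int(m.group(1))
        try:
            name = signal.Signals(signum).name   # 11 -> SIGSEGV
        except ValueError:
            name = "UNKNOWN"
        crashes.append({"ts": r["@timestamp"], "pid": r["process"]["pid"],
                        "signal": signum, "name": name})
    return crashes


def process_lifetimes(records):
    """Pids in order of first appearance: each new pid is a (re)start of the
    endpoint process (in the posted logs agent.id is empty right after one)."""
    order = []
    for r in records:
        pid = r["process"]["pid"]
        if pid not in order:
            order.append(pid)
    return order


def warnings_by_origin(records):
    """Count warning/error messages per (source file, message text)."""
    counts = defaultdict(int)
    for r in records:
        if r["log"]["level"] not in ("warning", "error"):
            continue
        key = (r["log"]["origin"]["file"]["name"], r["message"].strip())
        counts[key] += 1
    return dict(counts)


def triage(text):
    """Summarise a log extract: record count, crashes, pids, warnings."""
    records = parse_ndjson(text)
    return {"records": len(records), "crashes": crash_signals(records),
            "pids": process_lifetimes(records),
            "warnings": warnings_by_origin(records)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_LOG))
```

Run it against the real file with `triage(open("/opt/Elastic/Endpoint/state/log/endpoint-000000.log").read())` or whichever rotated file holds the crash window; the path is the one the thread's LogStorage records point at under /opt/Elastic/Endpoint/state, and the exact log file name on your host may differ.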

Isn't it missing some binary compilation library? Is the build-essential package installed? Try removing the old version of Beats, updating your operating system and then reinstalling the Elastic Agent.

gcc --version responds correctly, so for me build-essential is correctly installed.

When looking at any warning/error following a fresh restart of the Endpoint service, I can see only one warning, related to Tux_HostIsolation, stating there is an issue with a missing file and a communication issue with the kernel (probably the endpoint-security.sock mentioned in the diagnostics).

{"@timestamp":"2022-11-15T06:47:43.713087807Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":374,"name":"Tux_HostIsolation.cpp"}}},"message":"Tux_HostIsolation.cpp:374 Load and attach worked with load method=0","process":{"pid":18933,"thread":{"id":18959}}}
{"@timestamp":"2022-11-15T06:47:43.754937294Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":133,"name":"Tux_HostIsolation.cpp"}}},"message":"Tux_HostIsolation.cpp:133 IsEbpfSupported returned [1]","process":{"pid":18933,"thread":{"id":18959}}}
{"@timestamp":"2022-11-15T06:47:43.767214245Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":374,"name":"Tux_HostIsolation.cpp"}}},"message":"Tux_HostIsolation.cpp:374 Load and attach worked with load method=0","process":{"pid":18933,"thread":{"id":18933}}}
{"@timestamp":"2022-11-15T06:47:43.798925945Z","agent":{"id":"","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":133,"name":"Tux_HostIsolation.cpp"}}},"message":"Tux_HostIsolation.cpp:133 IsEbpfSupported returned [1]","process":{"pid":18933,"thread":{"id":18933}}}
{"@timestamp":"2022-11-15T06:48:01.40459332Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"warning","origin":{"file":{"line":84,"name":"Tux_HostIsolation.cpp"}}},"message":"rtnetlink replied: No such file or directory\n","process":{"pid":18933,"thread":{"id":18933}}}
{"@timestamp":"2022-11-15T06:48:01.404610059Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"warning","origin":{"file":{"line":84,"name":"Tux_HostIsolation.cpp"}}},"message":"error talking to the kernel (rtnetlink_send)\n","process":{"pid":18933,"thread":{"id":18933}}}
{"@timestamp":"2022-11-15T06:48:01.470162859Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"warning","origin":{"file":{"line":84,"name":"Tux_HostIsolation.cpp"}}},"message":"rtnetlink replied: No such file or directory\n","process":{"pid":18933,"thread":{"id":18981}}}
{"@timestamp":"2022-11-15T06:48:01.470180136Z","agent":{"id":"bdf61569-dedf-4905-a8a9-207ef1391e8a","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"warning","origin":{"file":{"line":84,"name":"Tux_HostIsolation.cpp"}}},"message":"error talking to the kernel (rtnetlink_send)\n","process":{"pid":18933,"thread":{"id":18981}}}

On this host, is SELinux active, or some other similar solution? If possible, create a new VM with the same operating system but without hardening it, to evaluate this better, considering that the hardening applied may be interfering with this communication.

Have you removed all Beats installed on the machine and tried to reinstall the Elastic Agent?

Hello.

At the current time we are also seeing issues with Elastic Agent and Ubuntu 20.04 at CIS Level 2. Our issues manifest themselves as Elastic Agent and Elastic Endpoint Security showing up as healthy, but once a malware test is carried out on the host, Elastic Endpoint Security doesn't stop anything.

We currently have a case open with Elastic on this and are investigating. I just wanted to point out that there are other users seeing similar issues, and I will post any findings we discover.

Cheers
//Joel

I'm curious, what is the output of:
$ cat /proc/sys/kernel/ftrace_enabled

Short update on the issues we were seeing: as far as we can tell at this point, they are all related to having /tmp on a separate partition and on tmpfs.

The original issue was pinned down to this: when trying malware test files in the /tmp directory, Endpoint Security doesn't prevent these malware files from being copied, edited, etc., as expected. However, this only seems to apply to the /tmp directory, and to the case where /tmp is on a tmpfs filesystem; our case on this is ongoing.

Unfortunately I think this is unrelated to the issues seen in this case, sorry about that.
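Two host facts have now been asked for in this thread: the value of /proc/sys/kernel/ftrace_enabled, and whether /tmp is a separate tmpfs mount (the configuration Joel's malware-test finding points at), alongside the earlier question about SELinux and the core dumps under /var/lib/apport/coredump. The script below is an added example, not code from the thread or from Elastic, that collects those facts in one place so they can be pasted into a support case. The pseudo-file paths are real Linux ones; what they mean for Endpoint's behaviour is not established by the thread, and the script only reports them. The sample /proc/mounts excerpt is constructed, not taken from either poster's host.

```python
from pathlib import Path

# Live paths on the host; every check below also accepts the file contents
# as an argument so the same logic runs on captured or constructed input.
MOUNTS_PATH = "/proc/mounts"
FTRACE_PATH = "/proc/sys/kernel/ftrace_enabled"
APPARMOR_PATH = "/sys/module/apparmor/parameters/enabled"   # "Y" when enabled
SELINUX_PATH = "/sys/fs/selinux/enforce"                    # "1" when enforcing
COREDUMP_DIR = "/var/lib/apport/coredump"

# Constructed /proc/mounts excerpt with /tmp as its own tmpfs mount.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime,errors=remount-ro 0 0
/dev/mapper/vg-var /var ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""


def read_text(path, default=""):
    """Read a small pseudo-file; a missing or unreadable file yields default."""
    try:
        return Path(path).read_text()
    except OSError:
        return default


def parse_mounts(text):
    """Parse /proc/mounts lines: 'source target fstype options dump pass'."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, target, fstype, options = parts[:4]
        mounts[target] = {"source": source, "fstype": fstype,
                          "options": options.split(",")}
    return mounts


def tmp_mount_status(mounts):
    """Is /tmp its own mount, and if so is it tmpfs and with which options?"""
    entry = mounts.get("/tmp")
    if entry is None:
        return {"separate": False, "tmpfs": False, "fstype": None, "options": []}
    return {"separate": True, "tmpfs": entry["fstype"] == "tmpfs",
            "fstype": entry["fstype"], "options": entry["options"]}


def ftrace_enabled(text):
    """kernel.ftrace_enabled reads '1' when the function tracer is enabled."""
    return text.strip() == "1"


def mac_status(apparmor_text, selinux_text):
    """Which mandatory access control is active (Ubuntu ships AppArmor)."""
    return {"apparmor": apparmor_text.strip() == "Y",
            "selinux_enforcing": selinux_text.strip() == "1"}


def list_coredumps(directory):
    """Names of files in the apport core dump directory, newest first."""
    try:
        files = [p for p in Path(directory).iterdir() if p.is_file()]
    except OSError:
        return []
    files.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    return [p.name for p in files]


def assess(mounts_text, ftrace_text, apparmor_text, selinux_text, coredumps):
    """Turn the raw inputs into the list of findings worth reporting."""
    findings = []
    tmp = tmp_mount_status(parse_mounts(mounts_text))
    if tmp["separate"]:
        findings.append("/tmp is a separate %s mount (options: %s)"
                        % (tmp["fstype"], ",".join(tmp["options"])))
    if not ftrace_enabled(ftrace_text):
        findings.append("kernel.ftrace_enabled is not 1")
    mac = mac_status(apparmor_text, selinux_text)
    if mac["apparmor"]:
        findings.append("AppArmor is enabled")
    if mac["selinux_enforcing"]:
        findings.append("SELinux is enforcing")
    if coredumps:
        findings.append("%d core dump(s) in %s, newest: %s"
                        % (len(coredumps), COREDUMP_DIR, coredumps[0]))
    return findings


def assess_live():
    """Run the checks against the real host (Linux only)."""
    return assess(read_text(MOUNTS_PATH), read_text(FTRACE_PATH),
                  read_text(APPARMOR_PATH), read_text(SELINUX_PATH),
                  list_coredumps(COREDUMP_DIR))


if __name__ == "__main__":
    for finding in assess_live():
        print("-", finding)
```

Run it as root on the hardened host and again on the unhardened VM suggested earlier in the thread; the diff between the two finding lists is what narrows the cause, since the thread's own conclusion is that a healthy-looking agent and a missing prevention in /tmp are separate symptoms.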

Hi, thanks for the update and your analysis.

I have provided insights to the Elastic team, and they have identified a fix to be delivered in version 8.5.3, to be released soon.

We are planning a migration from 8.4 to 8.5 in order to confirm that the fix works properly.