Unhealthy agent status with failed policy status - agent 8.11.4

Hello, I have two Red Hat 8.8 machines that are reporting an Unhealthy agent status and a Failed policy status.

Here are the unhealthy components with each component reporting similar messages "current state is disabled"
What logs can I review to determine what could be the cause here?

endpoint-000015.log from the diagnostic archive is reporting many entries similar to this:
"log":{"level":"error","origin":{"file":{"line":174,"name":"PerfWatcher.cpp"}}},"message":"PerfWatcher.cpp:174 Failed to write: (-:kprobes/elasticendpoint_SECURE_TCP_SEQ_probe)"

Hello @elastic_fan,

Sorry to hear you are having trouble. The log messages you highlighted are a red herring. They indicate that Endpoint wasn't able to remove event kprobes during an error-handling code path.

Most likely the error-handling path was reached because a symbol Endpoint would like to patch wasn't found within the kernel.

There would be a similar message in that case:

PerfWatcher.cpp:174 Failed to write: (p:kprobes/elasticendpoint_SECURE_TCP_SEQ_probe)

(Note the p: instead of the -:)

I'd be happy to take a look at a diagnostic zip. If you are comfortable sharing, DM me and I can provide an upload link.

That said, the most likely fix will be updating Endpoint. We are forever chasing internal kernel changes, and there have been updates in this area since 8.11.4.

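A small triage script, added here as an example (not part of this thread and not Elastic's own tooling), that reads endpoint-*.log JSON lines from a diagnostic archive and separates PerfWatcher registration failures (p:) from removal failures (-:) along the lines of the explanation above; the sample log lines are constructed and the verdict strings are my own.

```python
import json
import re
from collections import Counter

# "p:" lines are probe registrations, "-:" lines are probe removals; this is the
# kernel's kprobe_events syntax that the PerfWatcher messages quote.
KPROBE_RE = re.compile(r"Failed to write: \((?P<op>[p-]):kprobes/(?P<probe>\w+)")

def classify_perfwatcher_errors(log_text):
    """Count PerfWatcher kprobe write failures per probe, split by operation."""
    register, removal = Counter(), Counter()
    for raw in log_text.splitlines():
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines
        if entry.get("log", {}).get("level") != "error":
            continue
        m = KPROBE_RE.search(entry.get("message", ""))
        if m:
            target = register if m.group("op") == "p" else removal
            target[m.group("probe")] += 1
    return register, removal

def triage(log_text):
    """Registration failures point at the root cause; removals are cleanup fallout."""
    register, removal = classify_perfwatcher_errors(log_text)
    if register:
        verdict = "probe registration failed (symbol likely missing in this kernel)"
    elif removal:
        verdict = "only cleanup failures seen; look for an earlier p: registration error"
    else:
        verdict = "no kprobe write failures"
    return {"register": dict(register), "removal": dict(removal), "verdict": verdict}

# Constructed sample: the thread's "-:" line plus a matching "p:" line and noise.
SAMPLE_LOG = """\
{"log":{"level":"error","origin":{"file":{"line":174,"name":"PerfWatcher.cpp"}}},"message":"PerfWatcher.cpp:174 Failed to write: (p:kprobes/elasticendpoint_SECURE_TCP_SEQ_probe)"}
{"log":{"level":"error","origin":{"file":{"line":174,"name":"PerfWatcher.cpp"}}},"message":"PerfWatcher.cpp:174 Failed to write: (-:kprobes/elasticendpoint_SECURE_TCP_SEQ_probe)"}
{"log":{"level":"error","origin":{"file":{"line":174,"name":"PerfWatcher.cpp"}}},"message":"PerfWatcher.cpp:174 Failed to write: (-:kprobes/elasticendpoint_SECURE_TCP_SEQ_probe)"}
{"log":{"level":"info","origin":{"file":{"line":10,"name":"Main.cpp"}}},"message":"Endpoint started"}
not a json line
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Point it at the real file with `triage(open("endpoint-000015.log").read())`; a non-empty "register" map is the entry to chase, and a version bump of Endpoint is the first thing to try.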

Hello @Nick_Berlin,

Thank you for the feedback. I resolved this issue by doing a fresh install of the 8.11.4 agent instead of attempting to upgrade the agent (from 8.8 to 8.11) via Fleet.

