What logs can I review to determine what could be the cause here?
endpoint-000015.log from the diagnostic archive is reporting many entries similar to this:
"log":{"level":"error","origin":{"file":{"line":174,"name":"PerfWatcher.cpp"}}},"message":"PerfWatcher.cpp:174 Failed to write: (-:kprobes/elasticendpoint_SECURE_TCP_SEQ_probe)"
Sorry to hear you are having trouble. The log messages you highlighted are a red herring. They indicate that Endpoint wasn't able to remove event kprobes during an error-handling code path.
Most likely the error-handling path was reached because a symbol Endpoint would like to patch wasn't found within the kernel.
There would be a similar message in that case:
PerfWatcher.cpp:174 Failed to write: (p:kprobes/elasticendpoint_SECURE_TCP_SEQ_probe)
(Note the p: instead of the -:)
I'd be happy to take a look at a diagnostic zip. If you are comfortable sharing, DM me and I can provide an upload link.
That said, the most likely fix will be updating Endpoint. We are forever chasing internal kernel changes, and there have been updates in this area since 8.11.4.
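A small triage helper for the two messages discussed above, added here as an example (it is not Elastic's code and the sample log lines are constructed from the format shown in the question): it parses the JSON entries from an endpoint log, and separates `p:` write failures (probe install failed, pointing at a missing kernel symbol) from the `-:` failures (cleanup of an already-failed probe, a consequence rather than the root cause).

```python
import json
import re

# The Endpoint message echoes the kprobe_events command it tried to write:
# "p:" registers a probe, "-:" removes one.
KPROBE_RE = re.compile(r"Failed to write: \(([p\-]):kprobes/(\w+)\)")

# Constructed sample lines in the same shape as the question's log entry.
SAMPLE_LINES = [
    '{"log":{"level":"error","origin":{"file":{"line":174,"name":"PerfWatcher.cpp"}}},'
    '"message":"PerfWatcher.cpp:174 Failed to write: (p:kprobes/elasticendpoint_SECURE_TCP_SEQ_probe)"}',
    '{"log":{"level":"error","origin":{"file":{"line":174,"name":"PerfWatcher.cpp"}}},'
    '"message":"PerfWatcher.cpp:174 Failed to write: (-:kprobes/elasticendpoint_SECURE_TCP_SEQ_probe)"}',
    '{"log":{"level":"info"},"message":"Endpoint started"}',
    "not json at all",
]


def classify(message):
    """Return (op, probe_name, meaning) for a kprobe write failure, else None."""
    m = KPROBE_RE.search(message)
    if not m:
        return None
    op, name = m.group(1), m.group(2)
    if op == "p":
        meaning = "install failed: kernel symbol not found, check for an Endpoint update"
    else:
        meaning = "removal failed during error handling: consequence, not root cause"
    return op, name, meaning


def triage(log_lines):
    """Keep error-level kprobe failures from JSON log lines, grouped by operation."""
    result = {"p": [], "-": []}
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise in the file
        if entry.get("log", {}).get("level") != "error":
            continue
        hit = classify(entry.get("message", ""))
        if hit:
            result[hit[0]].append(hit[1])
    return result


if __name__ == "__main__":
    for op, probes in triage(SAMPLE_LINES).items():
        print(op, probes)
```

If the `p:` list is non-empty, the root cause is the failed install, and the `-:` entries for the same probe name can be ignored.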
Thank you for the feedback. I resolved this issue by fresh installing the 8.11.4 agent instead of attempting to upgrade the agent (from 8.8 to 8.11) via Fleet.