[Fleet] Show reason for Agent / Endpoint uninstallation #197731
Comments
ycombinator
added
the
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
|
Should we introduce a new status like "orphaned" or "uninstalled" or include them in "unenrolled"? Leaving the agents offline is misleading, there is a bug logged because those agents can't be unenrolled: #197180 |
|
"uninstalled" would definitely make sense in this case but why would we need "orphaned"? |
|
We need to add Agent is neither Tamper Protected against admin user, neither can guarantee delivering the audit about uninstallation. However Tamper Protected Endpoint won't give up easily 🙂 so in most cases Agent will be surprisingly lost whilst Endpoint will keep running and protection the machine albeit invisible in Fleet 🙁 so the orphaned status will clearly signal the need to fix Agent on those machines. PS. 8.16.0 Endpoint is already sending the |
Describe the feature:
With the work @michel-laterman has done for elastic/elastic-agent#484, Agent will send Fleet Server a reason for uninstalling when it is uninstalled. In the future, Endpoint will do the same. These components do this by calling the
POST /api/fleet/agents/:id/audit/unenrollFleet Server API. Note that this is a best effort API call.We should surface this reason in the Fleet UI, which would be an improvement over what happens today when an Agent is uninstalled: the Agent leaves "offline" entries in the UI.
Describe a specific use case for the feature:
Clarifying the Agent listing in the Fleet UI by distinguishing between Agents that are active but currently offline with Agents that have been uninstalled.
The text was updated successfully, but these errors were encountered: