[Security Solution] Any endpoint except Windows 10 does not show up under the Administration tab even if the Endpoint Security Integration is added #99030
Comments
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt) |
@manishgupta-qasource please review!! |
Reviewed & assigned to @kevinlog |
@muskangulati-qasource Is it just Windows 7 that isn't showing up? Has Mac or Linux worked? It looks like the Endpoint isn't getting installed, as you're showing no Endpoint folder is created. Which steps did you take in deploying the Windows 7 Endpoint? |
Hi @kevinlog,
This issue is also occurring on macOS and Linux endpoints.
We are using the steps shared by you in the Google Sheet, and we used the same steps for Windows 10 too. We used the same policy also. And everything worked fine for the Windows 10 endpoint. Please let us know if anything is missing from our end. Thanks!! |
@muskangulati-qasource thanks for the info. I was able to get a Windows 7 Endpoint to install on my side. Did you use the |
Yes, @kevinlog,
We did use the --insecure flag with it. But we were getting a TLS warning message during installation. Thanks!! |
@muskangulati-qasource Agent logs show it is failing to execute Endpoint's installer. Can you try to manually run it to see what happens? In the |
Hi @ferullo, Thank you for providing the command. Please find below the output for the same: It seems to be a signing issue with the Endpoint. Let us know if we are missing anything. Thanks! |
Windows macOS and Linux |
Hi @ferullo, We tried once again with new VMs and found that the issue is with signing. The artifacts are not signed.
We tried with Testsigning ON (for Windows) & SIP disabled (for Mac), and we were able to install the agent successfully. Refer Screenshots: Let us know if we need to close this and open a new ticket for the signing issue or if it is already reported!! |
@nfritts how can they verify the system has all needed patches applied? @muskangulati-qasource it's important that the system be fully patched. We've been able to run the same Endpoint on other Windows systems with test signing disabled, which suggests the problem is your Windows 7 machine is out of date. (@nfritts is that right?) I'm also worried about the macOS and Linux failures. Your logs show Endpoint installs fine but then isn't on the computer? Can you give Agent logs from when Agent tries to install? |
@k-g-elastic can you share whether or not your team is seeing any issues running Endpoint on Linux, macOS, or Windows? Another thought, is the Windows 7 machine 32 or 64 bit? That could be a difference between @muskangulati-qasource's machine and @nfritts's machine |
That's correct. Windows 7 should be fully patched. |
I was able to spin up 7.13.0-100107e6 using Linux (CentOS) and did not see any issues (top host in table) Trace-level agent+endpoint logs (interleaved) |
Hi @ferullo, We tested this ticket again using the environment provided by Kevin. Please find below complete testing details. Build Details:
Observations: Please find the detailed investigation done for all the endpoints in the table below:
NOTE: This zip folder has all the log files: logs.zip @nfritts Please provide us steps to check if Windows 7 is properly patched or not. We can regress this issue again for Windows 7. Please let us know if anything is missing from our end. |
@muskangulati-qasource @ferullo @nfritts I also encountered the logging issue when deploying Win 7. After restarting the host machine, the Win 7 endpoint enabled logging successfully and I got a successful policy. Is this a known issue? Here is a Win 7 machine from me on the same cloud instance: |
Could you share the policy response documents for the two failed Windows 7 machines? |
From the logs it looks like you have set the log level to the empty string ( |
Hi @kevinlog, We did report a similar issue: #97229 where we had to restart a host in order to bring policy to the success state. But it was resolved after the fleet-server changes were merged.
We did not update anything in the policy and used exactly the same policy for all the endpoints.
Please find below the state.yml files for both the endpoints.
Please let us know in case anything else is required from our end. Thanks! |
@muskangulati-qasource Could you check to make sure that your Windows 7 VM has the following KB installed and see if it fixes the install issues? https://www.catalog.update.microsoft.com/Search.aspx?q=KB4474419 Thanks! |
This appears to be an Agent bug. cc @ph I logged into 10.0.5.197 and looked at
```yaml
agent:
  id: 381cc1b0-f772-4a0f-bd20-925610b7d783
  logging.level: info
  monitoring.http:
    enabled: false
    host: ""
    port: 6791
fleet:
  enabled: true
  access_api_key: <redacted>
  protocol: http
  host: <redacted>
  hosts:
  - https://<redacted>
  timeout: 5m0s
  ssl:
    verification_mode: none
    renegotiation: never
  reporting:
    threshold: 10000
    check_frequency_sec: 30
```

```yaml
agent:
  id: ""
fleet:
  access_api_key: <redacted>
  agent:
    id: 381cc1b0-f772-4a0f-bd20-925610b7d783
    logging:
      level: ""
    monitoring:
      http:
        enabled: false
        host: ""
        port: 6791
  enabled: true
  host:
    id: 5064b7d5-80c5-4eff-aeaf-06e85448a222
  hosts:
  - <redacted>
  protocol: https
  reporting:
    check_frequency_sec: 30
    threshold: 10000
  ssl:
    renegotiation: never
    verification_mode: none
  timeout: 5m0s
```
|
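An added example, not part of the original thread and not Elastic's code: a small Python check that flattens an Elastic Agent configuration like the ones quoted above into dotted keys and reports the two settings this thread touches on, an empty `logging.level` and `ssl.verification_mode: none`. The sample file and agent ID are constructed, the function names are hypothetical, and the parser handles only the simple two-space-indented YAML subset seen here.

```python
# Constructed sample modelled on the redacted file quoted in the thread.
SAMPLE = """\
agent:
  id: ""
fleet:
  access_api_key: <redacted>
  agent:
    id: 00000000-0000-0000-0000-000000000000
    logging:
      level: ""
  enabled: true
  hosts:
  - <redacted>
  protocol: https
  ssl:
    renegotiation: never
    verification_mode: none
  timeout: 5m0s
"""

def flatten(text):
    """Flatten an indented YAML mapping into {dotted.key: value}."""
    out, stack = {}, []              # stack: (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("- "):
            continue                 # blank lines and list items are not needed
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()              # leave mappings that have ended
        path = ".".join([k for _, k in stack] + [key])
        value = value.strip()
        if value == "":
            stack.append((indent, key))      # a nested mapping follows
        else:
            out[path] = value.strip("\"'")   # '""' becomes the empty string
    return out

def audit(text):
    """Return findings for an empty log level and disabled TLS verification."""
    findings = []
    for path, value in flatten(text).items():
        if path.endswith("logging.level") and value == "":
            findings.append(f"{path}: empty log level")
        if path.endswith("ssl.verification_mode") and value == "none":
            findings.append(f"{path}: TLS certificate verification disabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Because dotted keys such as `logging.level: info` are joined into the same path, the check treats both layouts shown in the thread the same way.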
Hi @nfritts, We tried today again and found the same issue for Windows 7 persists on 7.13.0 BC4 build.
We tried to download the file on our endpoints: The file was already installed on the endpoint. @ferullo Thank you for routing to the correct person. @ph Please let us know if anything is required from our end. Thanks! |
@muskangulati-qasource I'm confused. What is the problem? Early in this issue's history it was stated that Endpoint could not install on any version of any OS other than Windows 10. Then that install OSes and versions but policy fails on Windows 7. Now it seems like you're again saying Endpoint cannot install on Windows 7? |
Hi @ferullo, Sorry for the confusion. The issue is Windows 7 only. It is deployed with policy failures. To resolve the confusion, we can close this one and open a new one for the actual bug or change the Summary of the bug. Let us know what works best for you. Thanks! |
Great, thanks for clarifying. I'm closing this issue because its history is a bit confusing and we've dug in enough to determine the issue is in Agent, not Kibana. I opened elastic/beats#25583 to track the problem. Please add any details you'd like to that issue. |
Describe the feature
Any endpoint except Windows 10 does not show up under the Administration tab even if the Endpoint Security Integration is added to it.
Build Details:
Preconditions
Steps to Reproduce
Test data
N/A
Impacted Test case(s)
N/A
Actual Result
Any endpoint except Windows 10 does not show up under the Administration tab even if the Endpoint Security Integration is added
Expected Result
All the endpoints should show up under the Administration tab if the Endpoint Security Integration is added.
What's Working
N/A
What's Not Working
N/A
Screenshot
Fleet tab:
Agent details:
Logs tab:
The Administration Tab:
No Endpoint folder is created on the Endpoint:
Logs:
Agent logs:
elastic-agent-logs.zip