elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

Endpoint Security metrics are not available #1944

Closed AndersonQ closed 6 months ago

AndersonQ commented 1 year ago

Endpoint security metrics aren't available on the "[Elastic Agent] Agent metrics" dashboard.

For confirmed bugs, please report:

The following ES query should return results:

```
GET metrics-elastic_agent.elastic_agent-default/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "elastic_agent.process": {
              "value": "endpoint_security"
            }
          }
        }
      ]
    }
  }
}
```

cmacknz commented 1 year ago

I suspect part of the problem with this is that the agent doesn't have the privileges needed to monitor the endpoint process, which, rather than being a child process of the agent, is installed as a separate service. It is run as a protected service on Windows, for example.

joshdover commented 1 year ago

We should consider this limitation when designing a better metrics system. IMO sub-processes should push metrics over the gRPC protocol to avoid additional connection paths / points of failure.

cmacknz commented 1 year ago

Endpoint/Defend does report detailed metrics about itself to Elasticsearch separate from agent: https://docs.elastic.co/en/integrations/endpoint#metrics

They just aren't available in the Fleet UI.

gabriellandau commented 1 year ago

> I suspect part of the problem with this is that the agent doesn't have the privileges needed to monitor the endpoint process

Task Manager and Process Explorer are able to monitor Endpoint's CPU and memory usage. Perhaps it's an issue of requested access rights? The solution might be to request PROCESS_QUERY_LIMITED_INFORMATION instead of PROCESS_QUERY_INFORMATION, for example.
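
A way to test the access-rights hypothesis from the comment above, as an added example that is not from the thread or from the elastic-agent code base: it opens one process with each of the two rights named there and reads its CPU times through GetProcessTimes, which accepts either right. The type name `Demo.Native` and the `ProcessId` parameter are assumptions of this example; run it from the account the agent runs under, against the PID of the endpoint service.

```powershell
# Added example: compare PROCESS_QUERY_INFORMATION and
# PROCESS_QUERY_LIMITED_INFORMATION against a single process.
param([Parameter(Mandatory)][uint32]$ProcessId)

# P/Invoke declarations; Demo.Native is a name chosen for this example.
Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessTimes(IntPtr h, out long creation,
    out long exit, out long kernel, out long user);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

# Access-right values as defined in winnt.h.
$rights = [ordered]@{
    PROCESS_QUERY_INFORMATION         = 0x0400
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
}

foreach ($name in $rights.Keys) {
    $handle = [Demo.Native]::OpenProcess($rights[$name], $false, $ProcessId)
    if ($handle -eq [IntPtr]::Zero) {
        # Error 5 is ERROR_ACCESS_DENIED.
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        "{0}: OpenProcess failed, Win32 error {1}" -f $name, $err
        continue
    }
    try {
        [long]$created = 0; [long]$exited = 0; [long]$kernel = 0; [long]$user = 0
        $ok = [Demo.Native]::GetProcessTimes($handle, [ref]$created,
            [ref]$exited, [ref]$kernel, [ref]$user)
        if ($ok) {
            # FILETIME durations are counted in 100 ns units.
            "{0}: kernel {1:N2} s, user {2:N2} s" -f $name, ($kernel / 1e7), ($user / 1e7)
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            "{0}: GetProcessTimes failed, Win32 error {1}" -f $name, $err
        }
    } finally {
        [void][Demo.Native]::CloseHandle($handle)
    }
}
```

If the first line reports error 5 and the second prints CPU times, the requested access mask, not the account's privileges, is what blocks the query.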

jlind23 commented 6 months ago

After chatting with @pierrehilbert, closing this in favour of "Agent should collect and report CPU and memory usage of service runtime components" #4083