elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

`agentbeat packetbeat` not installing wpcap.dll on first run #6108

Open strawgate opened 1 day ago

strawgate commented 1 day ago

The Agentbeat binary, when run as packetbeat via `agentbeat.exe packetbeat ...`, does not install the `wpcap.dll` required to capture network traffic on Windows. This also causes the Network Traffic Capture integration to not send traffic on Agents that weren't previously running a non-Agentbeat version.

Agentbeat 8.16.0 detects no npcap and exits

```
PS C:\Users\strawgate\Desktop\elastic-agent-8.16.0-windows-x86_64\data\elastic-agent-3f07f2\components> ./agentbeat.exe packetbeat run -c packetbeat.yml -v -e
...
{"log.level":"warn","@timestamp":"2024-11-21T03:16:13.825Z","log.logger":"npcap","log.origin":{"function":"github.com/elastic/beats/v7/packetbeat/beater.installNpcap.func1","file.name":"beater/install_npcap.go","file.line":54},"message":"no version available for npcap","service.name":"packetbeat","ecs.version":"1.6.0"}
...
{"log.level":"info","@timestamp":"2024-11-21T03:15:59.574Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).launch","file.name":"instance/beat.go","file.line":713},"message":"packetbeat stopped.","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-11-21T03:15:59.578Z","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1590},"message":"Exiting: failed to get device list: couldn't load wpcap.dll","service.name":"packetbeat","ecs.version":"1.6.0"}
Exiting: failed to get device list: couldn't load wpcap.dll
```

packetbeat 8.13.0 detects that npcap is missing, installs the npcap dll and runs

```
PS C:\Users\strawgate\Desktop\elastic-agent-8.13.0-windows-x86_64\data\elastic-agent-1eb18c\components> ./packetbeat.exe -v -e -d *
...
{"log.level":"info","@timestamp":"2024-11-21T03:33:52.146Z","log.logger":"npcap_install","log.origin":{"function":"github.com/elastic/beats/v7/packetbeat/npcap.install","file.name":"npcap/npcap.go","file.line":59},"message":"installing Npcap DLL","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-21T03:34:05.412Z","log.logger":"npcap","log.origin":{"function":"github.com/elastic/beats/v7/packetbeat/beater.installNpcap.func1","file.name":"beater/install_npcap.go","file.line":56},"message":"npcap version: Npcap version 1.79, based on libpcap version 1.10.4","service.name":"packetbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2024-11-21T03:34:05.413Z","log.origin":{"function":"github.com/elastic/beats/v7/packetbeat/procs.(*ProcessesWatcher).init","file.name":"procs/procs.go","file.line":114},"message":"Process watcher disabled","service.name":"packetbeat","ecs.version":"1.6.0"}
```

Unhealthy agent from network traffic capture (screenshot not included).
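An added example, not part of the original report or of the Elastic code base: a small triage function that classifies a Packetbeat run from its log lines, so a host whose capture never started can be told apart from one where the Npcap DLL was installed and loaded. The matched strings are the messages quoted in the two runs above; the function name `triage`, the result keys and the abridged sample lines are assumptions made for illustration.

```python
import json
import re

# Message fragments copied from the log lines quoted in the report above.
MISSING_VERSION = "no version available for npcap"
LOAD_FAILURE = "couldn't load wpcap.dll"
INSTALLING = "installing Npcap DLL"
VERSION_RE = re.compile(r"npcap version: Npcap version ([\d.]+)")


def triage(lines):
    """Classify one Packetbeat run from its console/ndjson log lines."""
    result = {"status": "unknown", "npcap_version": None,
              "install_attempted": False, "evidence": []}
    for raw in lines:
        raw = raw.strip()
        try:
            event = json.loads(raw)
            msg = event.get("message", "") if isinstance(event, dict) else ""
        except json.JSONDecodeError:
            msg = raw  # plain console line, e.g. the final "Exiting: ..." echo
        if INSTALLING in msg:
            result["install_attempted"] = True
        match = VERSION_RE.search(msg)
        if match:
            result["npcap_version"] = match.group(1)
            if result["status"] == "unknown":
                result["status"] = "npcap_ok"
        if LOAD_FAILURE in msg:
            result["status"] = "capture_failed"  # fatal: no capture is running
        if (LOAD_FAILURE in msg or MISSING_VERSION in msg) \
                and msg not in result["evidence"]:
            result["evidence"].append(msg)
    return result


# Constructed samples, abridged from the two runs quoted in the report.
FAILING_RUN = [
    "...",
    json.dumps({"log.level": "warn", "log.logger": "npcap", "message": MISSING_VERSION}),
    json.dumps({"log.level": "error",
                "message": "Exiting: failed to get device list: " + LOAD_FAILURE}),
    "Exiting: failed to get device list: " + LOAD_FAILURE,
]
WORKING_RUN = [
    json.dumps({"log.level": "info", "log.logger": "npcap_install", "message": INSTALLING}),
    json.dumps({"log.level": "info", "log.logger": "npcap",
                "message": "npcap version: Npcap version 1.79, based on libpcap version 1.10.4"}),
]

if __name__ == "__main__":
    for name, run in (("failing", FAILING_RUN), ("working", WORKING_RUN)):
        print(name, triage(run))
```

A `capture_failed` result with `install_attempted` still `False` matches the pattern in the 8.16.0 run: the DLL load failed and no install step was logged before it.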

pierrehilbert commented 1 day ago

@blakerouse Do you know what would cause this issue? I thought Agentbeat was starting Packetbeat and therefore we would have the same behavior.

amitkanfer commented 1 day ago

more interesting is how this floated around so long w/o us knowing about it... :/