Open mikev1963 opened 2 months ago
Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)
Pinging @elastic/elastic-agent (Team:Elastic-Agent)
Hello @mikev1963 What is your Elastic Agent version? cc @nfritts as you maybe know some limitation on Raspberry Pi
My version is elastic-agent-8.13.2-linux-arm64.tar.gz
I'm getting the same error on Bookworm using elastic-agent-8.10.4-linux-arm64.tar.gz
[elastic_agent][debug] observed check-in for endpoint service: token:"bfabd6a0-08bd-4034-ac59-10de663d93f1" units:{id:"endpoint-default-6fb1c193-fcab-4dbc-8e95-e4aebadc0863" config_state_idx:1 state:DEGRADED message:"Applied policy {6fb1c193-fcab-4dbc-8e95-e4aebadc0863}" payload:{fields:{key:"error" value:{struct_value:{fields:{key:"code" value:{number_value:0}} fields:{key:"message" value:{string_value:"Success"}}}}}}} units:{id:"endpoint-default" type:OUTPUT config_state_idx:1 state:DEGRADED message:"Applied policy {6fb1c193-fcab-4dbc-8e95-e4aebadc0863}" payload:{fields:{key:"error" value:{struct_value:{fields:{key:"code" value:{number_value:0}} fields:{key:"message" value:{string_value:"Success"}}}}}}} version_info:{name:"Endpoint" version:"8.10.4"} features:{source:{fields:{key:"agent" value:{struct_value:{fields:{key:"features" value:{struct_value:{fields:{key:"fqdn" value:{struct_value:{fields:{key:"enabled" value:{bool_value:false}}}}}}}}}}}} fqdn:{}} features_idx:2
Not sure if this is relevant, but I did see another couple errors:
[elastic_agent.endpoint_security][debug] Tux_Fanotify.cpp:968 Failed to fanotify_mark mount 559 23 179:2 /usr/bin/runc /run/docker/runtime-runc/moby/381a3b6dc4198bf3ba78d4e009f7d6d261f66a3b1aba2f15e7319bf91b97eccd/runc.SNyLFm ro,noatime shared:1 - ext4 /dev/mmcblk0p2 rw
[elastic_agent.endpoint_security][info] FileEventEnrich.cpp:126 Enriching File event failed to retrieve process (26323) from cache
Other integrations I have enabled (Osquery, System, and File Integrity Monitor) are working fine. In the agent's Integrations section, the failed Elastic Defend policy responses are:
All have the message "Failure enabling process events; current state is disabled."
I'm chalking it up to it being ARM, but figured I'd chime in in case there's anything I can do to help.
I'm seeing the same thing :(
Curious if anyone has made progress here
@pshef
We support ARM on 5.4+ kernels for recent Ubuntu, SLES, CentOS/RHEL distros. We don't support Raspberry Pis ... though that doesn't mean it won't work.
Based on:
"Failure enabling process events; current state is disabled."
That means endpoint wasn't able to install event sources, either tracefs-based kprobes or eBPF probes.
What kernel version is running? Does the kernel support eBPF? If so, does it have BTF exported?
You could request a diagnostic package from the Fleet / Agents tab and upload it below.
https://upload.elastic.co/u/7c411cf8-3fb5-4044-ac02-973616fb2ed5 (<--- expires in 7 days)
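The three questions in the reply above (kernel version, eBPF support, BTF export) can be answered on the Pi itself with a short script. This is an added example, not Elastic's code or Endpoint's own detection logic; `ROOT` and the function names are assumptions made for illustration, and it should be run as root because tracefs is normally readable by root only.

```shell
#!/bin/sh
# Added example (not Elastic code): checks the prerequisites asked about above.
ROOT=${ROOT:-}   # assumption: optional prefix to inspect a mounted/copied filesystem

# kernel_at_least RELEASE MAJOR MINOR: true if RELEASE (e.g. "6.1.21-v8+") >= MAJOR.MINOR
kernel_at_least() {
    _v=${1%%[!0-9.]*}             # drop a suffix such as "-v8+"
    _maj=${_v%%.*}; _rest=${_v#*.}; _min=${_rest%%.*}
    [ "$_maj" -gt "$2" ] || { [ "$_maj" -eq "$2" ] && [ "$_min" -ge "$3" ]; }
}

# config_enabled OPTION RELEASE: true if the kernel build config has OPTION=y
config_enabled() {
    if [ -r "$ROOT/proc/config.gz" ]; then
        gzip -dc "$ROOT/proc/config.gz" 2>/dev/null
    else
        cat "$ROOT/boot/config-$2" 2>/dev/null
    fi | grep -q "^$1=y"
}

# has_btf: true if the kernel exports its BTF type information
has_btf() { [ -r "$ROOT/sys/kernel/btf/vmlinux" ]; }

# has_kprobe_tracefs: true if the tracefs kprobe interface is present
has_kprobe_tracefs() {
    [ -e "$ROOT/sys/kernel/tracing/kprobe_events" ] ||
        [ -e "$ROOT/sys/kernel/debug/tracing/kprobe_events" ]
}

# candidate_source RELEASE: prints ebpf, kprobe or none.
# Assumption: eBPF counts as usable only when BTF is also exported.
candidate_source() {
    if config_enabled CONFIG_BPF_SYSCALL "$1" && has_btf; then echo ebpf
    elif has_kprobe_tracefs; then echo kprobe
    else echo none
    fi
}

report() {
    krel=$(uname -r)
    echo "kernel release: $krel"
    if kernel_at_least "$krel" 5 4; then echo "kernel >= 5.4: yes"; else echo "kernel >= 5.4: no"; fi
    if has_btf; then echo "BTF exported: yes"; else echo "BTF exported: no"; fi
    echo "candidate event source: $(candidate_source "$krel")"
}
report
```

A result of `none` matches the situation the reply describes, where no event source could be installed; the diagnostic package is still the authoritative record.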
After installing the Elastic Agent on a Raspberry Pi 4/5 I get the following errors:
This only happens on the Raspberry Pi. I have other Ubuntu servers running x86 that work fine.
Any help on this agent would be great. Thanks