elastic / endpoint-package

Repo for developing the endpoint package

Raspberry PI bookworm - Degraded. #518

Open mikev1963 opened 2 months ago

mikev1963 commented 2 months ago

After installing the elastic agent on a Raspberry pi 4/5 I get the following errors:

{"@timestamp":"2024-04-29T16:41:38.70703445Z","agent":{"id":"f21a6f26-802c-48ec-91dc-3be609a9fe00","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"warning","origin":{"file":{"line":491,"name":"AgentContext.cpp"}}},"message":"AgentContext.cpp:491 Endpoint is setting status to DEGRADED, reason: Policy Application Status","process":{"pid":9828,"thread":{"id":13091}}}
{"@timestamp":"2024-04-29T16:41:58.707882573Z","agent":{"id":"f21a6f26-802c-48ec-91dc-3be609a9fe00","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"warning","origin":{"file":{"line":491,"name":"AgentContext.cpp"}}},"message":"AgentContext.cpp:491 Endpoint is setting status to DEGRADED, reason: Policy Application Status","process":{"pid":9828,"thread":{"id":13091}}}

This only happens on the Raspberry Pi. I have other Ubuntu servers running x86 that work fine.

Any help on this agent would be great. Thanks

elasticmachine commented 2 months ago

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

elasticmachine commented 2 months ago

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

pierrehilbert commented 2 months ago

Hello @mikev1963, what is your Elastic Agent version? cc @nfritts, as you may know of some limitation on Raspberry Pi.

mikev1963 commented 2 months ago

My version is elastic-agent-8.13.2-linux-arm64.tar.gz

pshef commented 1 month ago

I'm getting the same error on Bookworm using elastic-agent-8.10.4-linux-arm64.tar.gz.

[elastic_agent][debug] observed check-in for endpoint service: token:"bfabd6a0-08bd-4034-ac59-10de663d93f1" units:{id:"endpoint-default-6fb1c193-fcab-4dbc-8e95-e4aebadc0863" config_state_idx:1 state:DEGRADED message:"Applied policy {6fb1c193-fcab-4dbc-8e95-e4aebadc0863}" payload:{fields:{key:"error" value:{struct_value:{fields:{key:"code" value:{number_value:0}} fields:{key:"message" value:{string_value:"Success"}}}}}}} units:{id:"endpoint-default" type:OUTPUT config_state_idx:1 state:DEGRADED message:"Applied policy {6fb1c193-fcab-4dbc-8e95-e4aebadc0863}" payload:{fields:{key:"error" value:{struct_value:{fields:{key:"code" value:{number_value:0}} fields:{key:"message" value:{string_value:"Success"}}}}}}} version_info:{name:"Endpoint" version:"8.10.4"} features:{source:{fields:{key:"agent" value:{struct_value:{fields:{key:"features" value:{struct_value:{fields:{key:"fqdn" value:{struct_value:{fields:{key:"enabled" value:{bool_value:false}}}}}}}}}}}} fqdn:{}} features_idx:2

Not sure if this is relevant, but I did see another couple errors:

[elastic_agent.endpoint_security][debug] Tux_Fanotify.cpp:968 Failed to fanotify_mark mount 559 23 179:2 /usr/bin/runc /run/docker/runtime-runc/moby/381a3b6dc4198bf3ba78d4e009f7d6d261f66a3b1aba2f15e7319bf91b97eccd/runc.SNyLFm ro,noatime shared:1 - ext4 /dev/mmcblk0p2 rw
[elastic_agent.endpoint_security][info] FileEventEnrich.cpp:126 Enriching File event failed to retrieve process (26323) from cache

Other integrations I have enabled (Osquery, System, and File Integrity Monitor) are working fine. In the agent's Integrations section, the failed Elastic Defend policy responses are:

All have the message "Failure enabling process events; current state is disabled."

I'm chalking it up to it being ARM, but figured I'd chime in in case there's anything I can do to help.

professor-moody commented 1 week ago

I'm seeing the same thing :(

Curious if anyone has made progress here

nicholasberlin commented 1 week ago

@pshef

We support ARM on 5.4+ kernels for recent Ubuntu, SLES, CentOS/RHEL distros. We don't support Raspberry Pis ... though that doesn't mean it won't work.

Based on:

"Failure enabling process events; current state is disabled."

That means endpoint wasn't able to install event sources, either tracefs based kprobes or ebpf probes.

What kernel version is running? Does the kernel support eBPF, if so does it have btf exported?

You could request a diagnostic package from the Fleet / Agents tab and upload it below.

https://upload.elastic.co/u/7c411cf8-3fb5-4044-ac02-973616fb2ed5 (<--- expires in 7 days)
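The questions above (kernel version, eBPF support, exported BTF, usable tracefs kprobes) can be answered from the affected Pi before a diagnostic bundle is gathered. The script below is an added example written for this thread; it is not part of the endpoint-package project and does not reproduce Endpoint's own probe-installation logic. It reads only standard procfs/sysfs locations (`/sys/kernel/tracing` or `/sys/kernel/debug/tracing` for kprobe_events, `/sys/kernel/btf/vmlinux` for BTF, `/boot/config-$(uname -r)` or `/proc/config.gz` for the kernel config). Treating `CONFIG_BPF_SYSCALL=y` as the "does the kernel support eBPF" signal and 5.4 as the minimum kernel are assumptions taken from the comment above, not a published Elastic requirements list. The optional first argument is a root prefix so the checks can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not project code): report the kernel facilities Elastic Endpoint
# needs to install process event sources: tracefs kprobes or eBPF with BTF.
# $1 (optional) is a fake root prefix for testing against a constructed tree.

# Print yes/no: is tracefs exposed with a kprobe_events control file?
# Endpoint needs this path (or debugfs' mirror of it) for kprobe-based probes.
has_tracefs_kprobes() {
  root="${1:-}"
  if [ -e "$root/sys/kernel/tracing/kprobe_events" ] || \
     [ -e "$root/sys/kernel/debug/tracing/kprobe_events" ]; then
    echo yes
  else
    echo no
  fi
}

# Print yes/no: does the running kernel export BTF (needed by CO-RE eBPF probes)?
has_btf() {
  root="${1:-}"
  [ -e "$root/sys/kernel/btf/vmlinux" ] && echo yes || echo no
}

# Print yes/no: is the kernel release string at least 5.4 (assumed minimum for ARM)?
# Accepts distro-style strings such as "6.6.20+rpt-rpi-v8" or "4.19.97-v7l+".
kernel_at_least_5_4() {
  version="$1"
  major=$(printf '%s' "$version" | cut -d. -f1 | sed 's/[^0-9].*//')
  minor=$(printf '%s' "$version" | cut -d. -f2 | sed 's/[^0-9].*//')
  if [ "${major:-0}" -gt 5 ] || { [ "${major:-0}" -eq 5 ] && [ "${minor:-0}" -ge 4 ]; }; then
    echo yes
  else
    echo no
  fi
}

# Print yes/no/unknown: is CONFIG_BPF_SYSCALL=y in the kernel config?
# Looks at /boot/config-<release> first, then /proc/config.gz (needs CONFIG_IKCONFIG_PROC).
bpf_syscall_configured() {
  root="${1:-}"
  release="$2"
  cfg="$root/boot/config-$release"
  gz="$root/proc/config.gz"
  if [ -r "$cfg" ]; then
    grep -q '^CONFIG_BPF_SYSCALL=y' "$cfg" && echo yes || echo no
  elif [ -r "$gz" ]; then
    zcat "$gz" | grep -q '^CONFIG_BPF_SYSCALL=y' && echo yes || echo no
  else
    echo unknown
  fi
}

# Human-readable summary for pasting into an issue.
report() {
  root="${1:-}"
  release="$(uname -r)"
  echo "kernel release:      $release (>= 5.4: $(kernel_at_least_5_4 "$release"))"
  echo "tracefs kprobes:     $(has_tracefs_kprobes "$root")"
  echo "BTF exported:        $(has_btf "$root")"
  echo "CONFIG_BPF_SYSCALL:  $(bpf_syscall_configured "$root" "$release")"
}

report "$@"
```

A "no" for both tracefs kprobes and BTF is consistent with the "Failure enabling process events; current state is disabled." message, since neither event source could be installed; a "no" for only one of them points at which path to investigate (tracefs not mounted, or a kernel built without BTF).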