
system.security dataset is not generated for Windows agent installed with unprivileged flag. #4647

Closed
amolnater-qasource opened this issue May 1, 2024 · 11 comments · Fixed by elastic/ingest-docs#1087
Assignees
Labels
bug Something isn't working impact:medium QA:Ready For Testing Code is merged and ready for QA to validate Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Comments

@amolnater-qasource (Author) commented May 1, 2024

Kibana Build details:

VERSION: 8.14.0 BC2
BUILD: 73626
COMMIT: bcf6960778ae270d0894a8aab07f10197ee9b97f

Preconditions:

  1. 8.14.0-BC2 Kibana cloud environment should be available.
  2. Agent should be installed with unprivileged flag.

Steps to reproduce:

  1. Navigate to the Data Streams tab.
  2. Observe the logs for the system integration: the system.security dataset is not generated.

Expected Result:
system.security dataset should be generated for Windows agent installed with unprivileged flag.

What's working fine:

  • system.security dataset is generated for Windows agent installed without unprivileged flag.

Screenshot: (attached image of the Data Streams tab)

@amolnater-qasource amolnater-qasource added bug Something isn't working Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team impact:medium labels May 1, 2024
@elasticmachine (Contributor)

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@amolnater-qasource (Author)

@karanbirsingh-qasource Please review.

@ghost commented May 1, 2024

Secondary review is done.

@cmacknz (Member) commented May 1, 2024

I suspect this will be related to the permissions of the new unprivileged user.

Can you upload diagnostics when this happens?

@leehinman (Contributor)

Odds are really good that the new unprivileged user needs to be a member of the "Event Log Readers" group.

@blakerouse (Contributor)

It was agreed that the Administrator performing the installation will add the elastic-agent-user to the groups that they want the Elastic Agent to have access to.

I don't know exactly which group is needed to read that data, so I would try @leehinman's suggestion.
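One way an administrator could apply @leehinman's suggestion from an elevated PowerShell session, checking membership first and only then changing it. This is an added example, not code from the thread or the Elastic Agent project; it assumes the local account is named elastic-agent-user as in the comment above, that the group is the built-in "Event Log Readers", and that the Windows service is named "Elastic Agent".

```powershell
# Added example: let the unprivileged Elastic Agent account read the Security event log.
# Assumptions (not stated on the issue page): account "elastic-agent-user", built-in
# local group "Event Log Readers", service name "Elastic Agent". Run elevated.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AgentUser = 'elastic-agent-user',
    [string]$Group     = 'Event Log Readers',
    [string]$Service   = 'Elastic Agent'
)

function Test-AgentInGroup {
    param([string]$User, [string]$GroupName)
    # Members are reported as "MACHINE\user"; compare on the trailing account name only.
    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -like "*\$User" })
}

# Fail early if the account does not exist (i.e. the agent was not installed unprivileged).
if (-not (Get-LocalUser -Name $AgentUser -ErrorAction SilentlyContinue)) {
    throw "Local account '$AgentUser' not found; was the agent installed with the unprivileged flag?"
}

if (Test-AgentInGroup -User $AgentUser -GroupName $Group) {
    Write-Output "'$AgentUser' is already a member of '$Group'; nothing to change."
} elseif ($PSCmdlet.ShouldProcess($Group, "Add member '$AgentUser'")) {
    # Least privilege: grant read access to event logs only, not local admin.
    Add-LocalGroupMember -Group $Group -Member $AgentUser -ErrorAction Stop
    Write-Output "Added '$AgentUser' to '$Group'."
}

# Group membership is only reflected in a fresh logon token, so the service must be
# restarted before the system.security data stream can be expected to appear.
if ($PSCmdlet.ShouldProcess($Service, 'Restart service')) {
    Restart-Service -Name $Service -ErrorAction Stop
}
```

Run with -WhatIf first to see the change without applying it.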

@amolnater-qasource (Author)

Hi Team,

Thank you for looking into this issue.

Please find below agent diagnostics for the installed agent:
elastic-agent-diagnostics-2024-05-02T06-10-30Z-00.zip

Please let us know if anything else is required from our end.
Thanks!!

@nimarezainia (Contributor)

It was agreed that the Administrator performing the installation will add the elastic-agent-user to the groups that they want the Elastic Agent to have access to.

I don't know exactly which group is needed to read that data, so I would try @leehinman's suggestion.

@blakerouse, are there any other steps during installation that the user needs to perform? Not just for this issue but generally speaking. I want to make sure we can comprehensively document these.

cc: @kilfoyle

@ycombinator (Contributor)

@amolnater-qasource Did you get a chance to try @leehinman's suggestion? If it works, we can document it as a pre-requisite for running Agent in unprivileged mode.

@ycombinator (Contributor)

@nimarezainia @blakerouse @kilfoyle I've created #4705 to start collecting in a single place all prerequisites required for successfully running Agent in unprivileged mode. @blakerouse could you please populate the table in that issue as you discover prerequisites? @kilfoyle your call on how best to take the information in that table and present it in our user-facing documentation. Thanks!

@nimarezainia (Contributor)

Thank you @ycombinator. We would need instructions on how the user could change the privilege level (these are OS specific) for some of the major operating systems.

The use case: in Fleet, we inform the user that an input is not working due to privilege. The idea was to provide them some instructions on how to change the privilege level to be able to read the data source.
