Problem Statement
The data stream stops when using the Elastic Defend integration in a policy for both Windows and Linux servers. This happens while trying to extract a system environment variable to add as a custom field.
Version Details
Fleet Version : 8.17.0
ES and Kibana: 8.17.1
Details
- We are running a mix of Windows and Linux servers, around 2k in total.
- All servers are running EA version 8.16.6 on Linux and 8.12.2 on Windows.
- Fleet status is healthy for all the EAs, which are registered to one policy with only the Elastic Defend integration for data collection (not EDR).
- We have enrichment field collection set for both Windows and Linux machines:
- windows.advanced.document_enrichment.fields - Custom.app_id=${env.APPLICATION_ID}
- linux.advanced.document_enrichment.fields - Custom.app_id=${env.APPLICATION_ID}
- EA on Windows is reporting the data absolutely fine with the enrichment fields, but there is no data coming from the Linux EAs.
- Tested adding the auditd integration to the same policy and the Linux machines started sending data, so there are no network, SSL or connectivity related issues.
- Fleet and Output are reachable from all the endpoints.
Would there be anything strange that might cause this, or has someone seen this before?
There are no errors on the Elastic Agent side.
The only way this could be possible would be in the discussion thread.
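As an added diagnostic (not part of this issue or of Endpoint's own code): resolve the `${env.NAME}` placeholders from the enrichment spec above against the environment of a running process as read from /proc/<pid>/environ, so you can see whether the Linux service process actually has APPLICATION_ID in its environment. It assumes Endpoint only expands the `${env.NAME}` form shown above and that several entries are comma-separated; both are assumptions, and the sample environ block is constructed.

```python
"""Pre-flight check for enrichment fields that reference ${env.NAME}.

Constructed example; mirrors the `Custom.app_id=${env.APPLICATION_ID}` syntax
from the issue and resolves it against a /proc/<pid>/environ block
(NUL-separated KEY=VALUE pairs), i.e. what the service process sees.
"""
import re
from typing import Dict, List, Tuple

# Matches ${env.NAME}; the env. prefix is the form shown in the issue.
ENV_REF = re.compile(r"\$\{env\.([A-Za-z_][A-Za-z0-9_]*)\}")


def parse_proc_environ(raw: bytes) -> Dict[str, str]:
    """Parse the NUL-separated KEY=VALUE block of /proc/<pid>/environ."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if not entry:
            continue
        key, sep, value = entry.decode("utf-8", "replace").partition("=")
        if sep:  # skip malformed entries without '='
            env[key] = value
    return env


def resolve_fields(spec: str, env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Resolve a comma-separated 'field=value' spec (assumed separator).

    Returns (resolved fields, names of unresolved ${env.*} references).
    Unresolved placeholders are left verbatim so they are visible in output.
    """
    fields: Dict[str, str] = {}
    unresolved: List[str] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed enrichment entry: {item!r}")

        def sub(m: "re.Match[str]") -> str:
            var = m.group(1)
            if var not in env:
                unresolved.append(var)
                return m.group(0)
            return env[var]

        fields[name.strip()] = ENV_REF.sub(sub, value.strip())
    return fields, unresolved


if __name__ == "__main__":
    # Constructed sample: a service environment that lacks APPLICATION_ID.
    sample = b"PATH=/usr/bin\0LANG=C.UTF-8\0"
    print(resolve_fields("Custom.app_id=${env.APPLICATION_ID}", parse_proc_environ(sample)))
```

On a real host, feed it the bytes of /proc/<pid>/environ for the endpoint process rather than the constructed sample; a non-empty unresolved list means the variable is set in your shell but not in the service's environment.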