[Question]: Standalone agent support with Endpoint Integration. #2525

Closed
harshitgupta-qasource opened this issue Apr 20, 2023 · 7 comments
Labels
QA:Validated Validated by the QA Team question Further information is requested Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Comments

@harshitgupta-qasource

harshitgupta-qasource commented Apr 20, 2023

Query Description

  • Install the standalone agent on Windows and Linux OS with the endpoint integration in the policy.

  • As per the last information, the standalone agents don't support endpoint integration.

  • However, we are getting data for endpoint integration for an installed standalone agent.

Could you please confirm if there are any changes in standalone agents?

Screenshot

  • Windows Standalone Agent Datastream.
    image

  • Linux Standalone Agent Datastream.
    image

Build Details

VERSION: 8.7.1
BUILD: 61192
COMMIT: e33260d70181feecc89dc4f623c694856de380d8

Agent Policy:
Policy.zip

@harshitgupta-qasource harshitgupta-qasource added the question Further information is requested label Apr 20, 2023
@amolnater-qasource amolnater-qasource added the Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team label Apr 20, 2023
@amolnater-qasource

Secondary review for this ticket is Done.

FYI @cmacknz

@cmacknz
Member

cmacknz commented Apr 20, 2023

Was this a Fleet managed agent that was converted to standalone? Was the agent policy here generated with Fleet?

Is endpoint healthy or just sending data? Can you attach agent diagnostics from the standalone agent that is running endpoint security?

I think if you created a policy in Fleet with Elastic Defend installed and then copied it to a standalone agent, then agent would start the endpoint security process. I don't expect that endpoint security would work properly in this case without a connection back to Fleet though.

@harshitgupta-qasource
Author

Hi @cmacknz

Thanks for looking into this issue.

We have directly installed the standalone agent without converting a Fleet-based agent.

We have followed

Steps to reproduce

  • Create an Agent policy without any integration.
  • Add the endpoint Integration to the Agent policy.
  • Click on Add agent and select standalone agent.
  • Download the Agent policy for installing the standalone agent.
  • Replace the elastic-agent.yml with the newly downloaded elastic-agent.yml file.
  • Run the install command for the standalone agent.

Agent Diagnostics reports

8.7.1 Logs:

elastic-agent-diagnostics-8.7.1.zip

8.2.3

elastic-agent-diagnostics-8.2.3.zip

We also revalidated this issue on 8.2.3 release build and we found that the issue is not occurring on the 8.2.3 release build.

  • We are not getting endpoint data under data streams on 8.2.3.

Screenshot

  • 8.2.3
    image
  • 8.7.1
    image

Please let us know if anything else is required from our end.

Thanks!

@blakerouse
Contributor

I believe that running an Elastic Agent in standalone mode should not even allow endpoint to run. I think we need to add something to the runtime protections for endpoint so it cannot run on a standalone Elastic Agent.

Let me know if the use case has changed and I am unaware.

@cmacknz
Member

cmacknz commented Apr 21, 2023

> I believe that running an Elastic Agent in standalone mode should not even allow endpoint to run. I think we need to add something to the runtime protections for endpoint so it cannot run on a standalone Elastic Agent.
>
> Let me know if the use case has changed and I am unaware.

Correct, we shouldn't allow it to run. The use case is the same, endpoint should only run when the agent is Fleet managed.

Possibly we lost this in 8.6 when the length(${fleet}) > 0 constraint was dropped from the spec file.

when: length(${fleet}) > 0 and length(${inputs}) > 0 and hasKey(${output}, 'elasticsearch', 'logstash')

@blakerouse blakerouse self-assigned this Apr 25, 2023
@jlind23
Contributor

jlind23 commented May 27, 2024

@harshitgupta-qasource @amolnater-qasource is this issue still happening? If not, I think we can close it.

@harshitgupta-qasource
Author

harshitgupta-qasource commented May 28, 2024

Hi Team,

We have re-validated this issue on the latest 8.14.0 BC5 Kibana cloud environment and found it fixed now.

Observations:

  • We are not getting endpoint data under data streams for standalone agent on 8.14.0 BC5 Build.

Build details:
VERSION: 8.14.0 BC5
BUILD: 73931
COMMIT: 7ea00b6178d67183a4def9bdd060b062cced043e

Screen-Shot:
image

Hence, we are closing this issue and marking as QA: Validated.

Thanks.

@harshitgupta-qasource harshitgupta-qasource added the QA:Validated Validated by the QA Team label May 28, 2024