Skip to content

Commit 8036225

Browse files
benironsidemergify[bot]
benironside
authored and
mergify[bot]
committed
Creates agentless troubleshooting page (#6184)
* create agentless troubleshooting steps * incorporates Omolola's comment * incorporates Nastasha's review and adds serverless version * fixes typo * fix fleet refs * minor edit * incorporates Janeen's review and updates fleet refs in ESS version (cherry picked from commit db188fa) # Conflicts: # docs/serverless/index.asciidoc
1 parent 3a6ea09 commit 8036225

File tree

4 files changed

+298
-0
lines changed

4 files changed

+298
-0
lines changed

docs/getting-started/agentless-troubleshooting.asciidoc

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
[[agentless-integration-troubleshooting]]
2+
= Agentless integrations FAQ
3+
4+
Frequently asked questions and troubleshooting steps for {elastic-sec}'s agentless CSPM integration.
5+
6+
[discrete]
7+
== When I make a new integration, when will I see the agent appear on the Integration Policies page?
8+
9+
After you create a new agentless integration, the new integration policy may show a button that says **Add agent** instead of the associated agent for several minutes during agent enrollment. No action is needed other than refreshing the page once enrollment is complete.
10+
11+
[discrete]
12+
== How do I troubleshoot an `Offline` agent?
13+
14+
For agentless integrations to successfully connect to {elastic-sec}, the {fleet} server host value must be the default. Otherwise, the agent status on the {fleet} page will be `Offline`, and logs will include the error `[elastic_agent][error] Cannot checkin in with fleet-server, retrying`.
15+
16+
To troubleshoot this issue:
17+
18+
. Find **{fleet}** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Go to the **Settings** tab.
19+
. Under **{fleet} server hosts**, click the **Actions** button for the policy named `Default`. This opens the Edit {fleet} Server flyout. The policy named `Default` should have the **Make this {fleet} server the default one** setting enabled. If not, enable it, then delete your integration and create it again.
20+
21+
NOTE: If the **Make this {fleet} server the default one** setting was already enabled but problems persist, it's possible someone changed the default {fleet} server's **URL** value. In this case, contact Elastic Support to find out what the original **URL** value was, update the settings to match this value, then delete your integration and create it again.
22+
23+
[discrete]
24+
== How do I troubleshoot an `Unhealthy` agent?
25+
26+
On the **{fleet}** page, the agent associated with an agentless integration has a name that begins with `agentless`. To troubleshoot an `Unhealthy` agent:
27+
28+
* Confirm that you entered the correct credentials for the cloud provider you're monitoring. The following is an example of an error log resulting from using incorrect AWS credentials:
29+
+
30+
```
31+
[elastic_agent.cloudbeat][error] Failed to update registry: failed to get AWS accounts: operation error Organizations: ListAccounts, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: XXX, api error AccessDenied: User: XXX is not authorized to perform: sts:AssumeRole on resource:XXX
32+
```
33+
34+
For instructions on checking {{fleet}} logs, refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} troubleshooting].
35+
36+
[discrete]
37+
== How do I delete an agentless integration?
38+
39+
NOTE: Deleting your integration will remove all associated resources and stop data ingestion.
40+
41+
When you create a new agentless CSPM integration, a new agent policy appears within the **Agent policies** tab on the **{fleet}** page, but you can't use the **Delete integration** button on this page. Instead, you must delete the integration from the CSPM Integration's **Integration policies** tab.
42+
43+
. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then search for and select `CSPM`.
44+
. Go to the CSPM Integration's **Integration policies** tab.
45+
. Find the integration policy for the integration you want to delete. Click **Actions**, then **Delete integration**.
46+
. Confirm by clicking **Delete integration** again.
47+

docs/getting-started/index.asciidoc

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ include::ingest-data.asciidoc[leveloffset=+1]
1414
include::threat-intel-integrations.asciidoc[leveloffset=+2]
1515
include::automatic-import.asciidoc[leveloffset=+2]
1616
include::agentless-integrations.asciidoc[leveloffset=+2]
17+
include::agentless-troubleshooting.asciidoc[leveloffset=+3]
1718

1819
include::security-spaces.asciidoc[leveloffset=+1]
1920

docs/serverless/index.asciidoc

Lines changed: 203 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,203 @@
1+
:doctype: book
2+
3+
include::{asciidoc-dir}/../../shared/versions/stack/master.asciidoc[]
4+
include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
5+
6+
[[what-is-security-serverless]]
7+
== Elastic Security serverless
8+
9+
++++
10+
<titleabbrev>Elastic Security</titleabbrev>
11+
++++
12+
13+
include::./what-is-security-serverless.asciidoc[leveloffset=+2]
14+
15+
include::./security-overview.asciidoc[leveloffset=+2]
16+
17+
include::./billing.asciidoc[leveloffset=+2]
18+
19+
include::./projects-create/create-project.asciidoc[leveloffset=+2]
20+
21+
include::./sec-requirements.asciidoc[leveloffset=+2]
22+
23+
include::./security-ui.asciidoc[leveloffset=+2]
24+
include::./security-spaces.asciidoc[leveloffset=+3]
25+
26+
include::./AI-for-security/ai-for-security-landing-pg.asciidoc[leveloffset=+2]
27+
include::./AI-for-security/ai-assistant.asciidoc[leveloffset=+3]
28+
include::./AI-for-security/knowledge-base.asciidoc[leveloffset=+4]
29+
include::./AI-for-security/attack-discovery.asciidoc[leveloffset=+3]
30+
include::./AI-for-security/llm-connector-guides.asciidoc[leveloffset=+3]
31+
include::./AI-for-security/llm-performance-matrix.asciidoc[leveloffset=+4]
32+
include::./AI-for-security/connect-to-azure-openai.asciidoc[leveloffset=+4]
33+
include::./AI-for-security/connect-to-bedrock.asciidoc[leveloffset=+4]
34+
include::./AI-for-security/connect-to-openai.asciidoc[leveloffset=+4]
35+
include::./AI-for-security/connect-to-vertex.asciidoc[leveloffset=+4]
36+
include::./AI-for-security/connect-to-byo-llm.asciidoc[leveloffset=+4]
37+
include::./AI-for-security/ai-use-cases.asciidoc[leveloffset=+3]
38+
include::./AI-for-security/usecase-attack-disc-ai-assistant-incident-reporting.asciidoc[leveloffset=+4]
39+
include::./AI-for-security/ai-assistant-alert-triage.asciidoc[leveloffset=+4]
40+
include::./AI-for-security/ai-assistant-esql-queries.asciidoc[leveloffset=+4]
41+
42+
include::./ingest/ingest-data.asciidoc[leveloffset=+2]
43+
include::./ingest/threat-intelligence.asciidoc[leveloffset=+3]
44+
include::./ingest/auto-import.asciidoc[leveloffset=+3]
45+
include::./ingest/agentless-integrations.asciidoc[leveloffset=+3]
46+
include::./ingest/agentless-troubleshooting.asciidoc[leveloffset=+4]
47+
48+
include::./edr-install-config/endpoint-protection-intro.asciidoc[leveloffset=+2]
49+
include::./edr-install-config/deploy-endpoint-reqs.asciidoc[leveloffset=+3]
50+
include::./edr-install-config/install-elastic-defend.asciidoc[leveloffset=+3]
51+
include::./edr-install-config/deploy-endpoint-macos-cat-mont.asciidoc[leveloffset=+4]
52+
include::./edr-install-config/deploy-endpoint-macos-ven.asciidoc[leveloffset=+4]
53+
include::./edr-install-config/deploy-with-mdm.asciidoc[leveloffset=+4]
54+
include::./edr-install-config/agent-tamper-protection.asciidoc[leveloffset=+4]
55+
include::./edr-install-config/defend-feature-privs.asciidoc[leveloffset=+3]
56+
include::./edr-install-config/configure-endpoint-integration-policy.asciidoc[leveloffset=+3]
57+
include::./edr-install-config/artifact-control.asciidoc[leveloffset=+4]
58+
include::./edr-install-config/endpoint-diagnostic-data.asciidoc[leveloffset=+4]
59+
include::./edr-install-config/self-healing-rollback.asciidoc[leveloffset=+4]
60+
include::./edr-install-config/linux-file-monitoring.asciidoc[leveloffset=+4]
61+
include::./edr-install-config/endpoint-data-volume.asciidoc[leveloffset=+4]
62+
include::./edr-install-config/uninstall-agent.asciidoc[leveloffset=+3]
63+
64+
include::./edr-manage/manage-endpoint-protection.asciidoc[leveloffset=+2]
65+
include::./edr-manage/endpoints-page.asciidoc[leveloffset=+3]
66+
include::./edr-manage/policies-page-ov.asciidoc[leveloffset=+3]
67+
include::./edr-manage/trusted-apps-ov.asciidoc[leveloffset=+3]
68+
include::./edr-manage/event-filters.asciidoc[leveloffset=+3]
69+
include::./edr-manage/host-isolation-exceptions.asciidoc[leveloffset=+3]
70+
include::./edr-manage/blocklist.asciidoc[leveloffset=+3]
71+
include::./edr-manage/optimize-edr.asciidoc[leveloffset=+3]
72+
include::./edr-manage/endpoint-event-capture.asciidoc[leveloffset=+3]
73+
include::./edr-manage/allowlist-endpoint-3rd-party-av.asciidoc[leveloffset=+3]
74+
include::./edr-manage/endpoint-self-protection.asciidoc[leveloffset=+3]
75+
include::./edr-manage/endpoint-command-ref.asciidoc[leveloffset=+3]
76+
77+
include::./endpoint-response-actions/response-actions.asciidoc[leveloffset=+2]
78+
include::./endpoint-response-actions/automated-response-actions.asciidoc[leveloffset=+3]
79+
include::./endpoint-response-actions/host-isolation-ov.asciidoc[leveloffset=+3]
80+
include::./endpoint-response-actions/response-actions-history.asciidoc[leveloffset=+3]
81+
include::./endpoint-response-actions/third-party-actions.asciidoc[leveloffset=+3]
82+
include::./endpoint-response-actions/response-actions-config.asciidoc[leveloffset=+3]
83+
84+
include::./cloud-native-security/cloud-native-security-overview.asciidoc[leveloffset=+2]
85+
include::./cloud-native-security/security-posture-management.asciidoc[leveloffset=+3]
86+
include::./cloud-native-security/enable-cloudsec.asciidoc[leveloffset=+3]
87+
include::./cloud-native-security/cspm.asciidoc[leveloffset=+3]
88+
include::./cloud-native-security/cspm-get-started.asciidoc[leveloffset=+4]
89+
include::./cloud-native-security/cspm-get-started-gcp.asciidoc[leveloffset=+4]
90+
include::./cloud-native-security/cspm-get-started-azure.asciidoc[leveloffset=+4]
91+
include::./cloud-native-security/cspm-findings-page.asciidoc[leveloffset=+4]
92+
include::./cloud-native-security/benchmark-rules.asciidoc[leveloffset=+4]
93+
include::./cloud-native-security/cspm-cloud-posture-dashboard-dash.asciidoc[leveloffset=+4]
94+
include::./cloud-native-security/cspm-security-posture-faq.asciidoc[leveloffset=+4]
95+
include::./cloud-native-security/kspm.asciidoc[leveloffset=+3]
96+
include::./cloud-native-security/get-started-with-kspm.asciidoc[leveloffset=+4]
97+
include::./cloud-native-security/kspm-cspm-findings-page.asciidoc[leveloffset=+4]
98+
include::./cloud-native-security/kspm-benchmark-rules.asciidoc[leveloffset=+4]
99+
include::./cloud-native-security/kspm-cloud-posture-dashboard-dash.asciidoc[leveloffset=+4]
100+
include::./cloud-native-security/security-posture-faq.asciidoc[leveloffset=+4]
101+
include::./cloud-native-security/vuln-management-overview.asciidoc[leveloffset=+3]
102+
include::./cloud-native-security/vuln-management-get-started.asciidoc[leveloffset=+4]
103+
include::./cloud-native-security/vuln-management-findings.asciidoc[leveloffset=+4]
104+
include::./cloud-native-security/vuln-management-dashboard-dash.asciidoc[leveloffset=+4]
105+
include::./cloud-native-security/vuln-management-faq.asciidoc[leveloffset=+4]
106+
include::./cloud-native-security/d4c-overview.asciidoc[leveloffset=+3]
107+
include::./cloud-native-security/d4c-get-started.asciidoc[leveloffset=+4]
108+
include::./cloud-native-security/d4c-policy-guide.asciidoc[leveloffset=+4]
109+
include::./cloud-native-security/d4c-kubernetes-dashboard-dash.asciidoc[leveloffset=+4]
110+
include::./cloud-native-security/cloud-workload-protection.asciidoc[leveloffset=+3]
111+
include::./cloud-native-security/environment-variable-capture.asciidoc[leveloffset=+4]
112+
include::./cloud-native-security/ingest-cncf-data.asciidoc[leveloffset=+3]
113+
include::./cloud-native-security/falco-setup.asciidoc[leveloffset=+4]
114+
include::./cloud-native-security/aws-securityhub.asciidoc[leveloffset=+4]
115+
include::./cloud-native-security/wiz.asciidoc[leveloffset=+4]
116+
117+
include::./explore/explore-your-data.asciidoc[leveloffset=+2]
118+
include::./explore/hosts-overview.asciidoc[leveloffset=+3]
119+
include::./explore/network-page-overview.asciidoc[leveloffset=+3]
120+
include::./explore/conf-map-ui.asciidoc[leveloffset=+4]
121+
include::./explore/users-page.asciidoc[leveloffset=+3]
122+
include::./explore/data-views-in-sec.asciidoc[leveloffset=+3]
123+
include::./explore/runtime-fields.asciidoc[leveloffset=+3]
124+
include::./explore/siem-field-reference.asciidoc[leveloffset=+3]
125+
126+
include::./dashboards/dashboards-overview.asciidoc[leveloffset=+2]
127+
include::./dashboards/overview-dashboard.asciidoc[leveloffset=+3]
128+
include::./dashboards/detection-response-dashboard.asciidoc[leveloffset=+3]
129+
include::./dashboards/kubernetes-dashboard-dash.asciidoc[leveloffset=+3]
130+
include::./dashboards/cloud-posture-dashboard-dash.asciidoc[leveloffset=+3]
131+
include::./dashboards/detection-entity-dashboard.asciidoc[leveloffset=+3]
132+
include::./dashboards/data-quality-dash.asciidoc[leveloffset=+3]
133+
include::./dashboards/vuln-management-dashboard-dash.asciidoc[leveloffset=+3]
134+
include::./dashboards/rule-monitoring-dashboard.asciidoc[leveloffset=+3]
135+
136+
include::./rules/detection-engine-overview.asciidoc[leveloffset=+2]
137+
include::./rules/detections-permissions-section.asciidoc[leveloffset=+3]
138+
139+
include::./rules/about-rules.asciidoc[leveloffset=+2]
140+
include::./rules/rules-ui-create.asciidoc[leveloffset=+3]
141+
include::./rules/interactive-investigation-guides.asciidoc[leveloffset=+4]
142+
include::./rules/building-block-rule.asciidoc[leveloffset=+4]
143+
include::./rules/prebuilt-rules/prebuilt-rules-management.asciidoc[leveloffset=+3]
144+
include::./rules/rules-ui-management.asciidoc[leveloffset=+3]
145+
include::./rules/alerts-ui-monitor.asciidoc[leveloffset=+3]
146+
include::./rules/detections-ui-exceptions.asciidoc[leveloffset=+3]
147+
include::./rules/value-lists-exceptions.asciidoc[leveloffset=+4]
148+
include::./rules/add-exceptions.asciidoc[leveloffset=+4]
149+
include::./rules/shared-exception-lists.asciidoc[leveloffset=+4]
150+
include::./rules/rules-coverage.asciidoc[leveloffset=+3]
151+
include::./rules/tuning-detection-signals.asciidoc[leveloffset=+3]
152+
include::./rules/prebuilt-rules/prebuilt-rules.asciidoc[leveloffset=+3]
153+
154+
include::./alerts/alerts-ui-manage.asciidoc[leveloffset=+2]
155+
include::./alerts/visualize-alerts.asciidoc[leveloffset=+3]
156+
include::./alerts/view-alert-details.asciidoc[leveloffset=+3]
157+
include::./alerts/signals-to-cases.asciidoc[leveloffset=+3]
158+
include::./alerts/alert-suppression.asciidoc[leveloffset=+3]
159+
include::./alerts/reduce-notifications-alerts.asciidoc[leveloffset=+3]
160+
include::./alerts/query-alert-indices.asciidoc[leveloffset=+3]
161+
include::./alerts/alert-schema.asciidoc[leveloffset=+3]
162+
163+
include::./advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc[leveloffset=+2]
164+
include::./advanced-entity-analytics/entity-risk-scoring.asciidoc[leveloffset=+3]
165+
include::./advanced-entity-analytics/ers-req.asciidoc[leveloffset=+4]
166+
include::./advanced-entity-analytics/asset-criticality.asciidoc[leveloffset=+4]
167+
include::./advanced-entity-analytics/turn-on-risk-engine.asciidoc[leveloffset=+4]
168+
include::./advanced-entity-analytics/analyze-risk-score-data.asciidoc[leveloffset=+4]
169+
include::./advanced-entity-analytics/advanced-behavioral-detections.asciidoc[leveloffset=+3]
170+
include::./advanced-entity-analytics/ml-requirements.asciidoc[leveloffset=+4]
171+
include::./advanced-entity-analytics/machine-learning.asciidoc[leveloffset=+4]
172+
include::./advanced-entity-analytics/tuning-anomaly-results.asciidoc[leveloffset=+4]
173+
include::./advanced-entity-analytics/behavioral-detection-use-cases.asciidoc[leveloffset=+4]
174+
include::./advanced-entity-analytics/prebuilt-ml-jobs.asciidoc[leveloffset=+4]
175+
176+
include::./investigate/investigate-events.asciidoc[leveloffset=+2]
177+
include::./investigate/timelines-ui.asciidoc[leveloffset=+3]
178+
include::./investigate/timeline-templates-ui.asciidoc[leveloffset=+4]
179+
include::./investigate/timeline-object-schema.asciidoc[leveloffset=+4]
180+
include::./alerts/visual-event-analyzer.asciidoc[leveloffset=+3]
181+
include::./cloud-native-security/session-view.asciidoc[leveloffset=+3]
182+
include::./osquery/use-osquery.asciidoc[leveloffset=+3]
183+
include::./osquery/osquery-response-action.asciidoc[leveloffset=+4]
184+
include::./osquery/invest-guide-run-osquery.asciidoc[leveloffset=+4]
185+
include::./osquery/alerts-run-osquery.asciidoc[leveloffset=+4]
186+
include::./osquery/view-osquery-results.asciidoc[leveloffset=+4]
187+
include::./osquery/osquery-placeholder-fields.asciidoc[leveloffset=+4]
188+
include::./investigate/add-manage-notes.asciidoc[leveloffset=+3]
189+
include::./investigate/indicators-of-compromise.asciidoc[leveloffset=+3]
190+
include::./investigate/cases-overview.asciidoc[leveloffset=+3]
191+
include::./investigate/case-permissions.asciidoc[leveloffset=+4]
192+
include::./investigate/cases-open-manage.asciidoc[leveloffset=+4]
193+
include::./investigate/cases-settings.asciidoc[leveloffset=+4]
194+
195+
include::./assets/asset-management.asciidoc[leveloffset=+2]
196+
197+
include::./settings/manage-settings.asciidoc[leveloffset=+2]
198+
include::./settings/project-settings.asciidoc[leveloffset=+3]
199+
include::./settings/advanced-settings.asciidoc[leveloffset=+3]
200+
201+
include::./troubleshooting/troubleshooting-intro.asciidoc[leveloffset=+2]
202+
include::./troubleshooting/ts-detection-rules.asciidoc[leveloffset=+3]
203+
include::./troubleshooting/troubleshoot-endpoints.asciidoc[leveloffset=+3]

docs/serverless/ingest/agentless-troubleshooting.asciidoc

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
[[agentless-integration-troubleshooting]]
2+
= Agentless integrations FAQ
3+
4+
Frequently asked questions and troubleshooting steps for {elastic-sec}'s agentless CSPM integration.
5+
6+
[discrete]
7+
== When I make a new integration, when will I see the agent appear on the Integration Policies page?
8+
9+
After you create a new agentless integration, the new integration policy may show a button that says **Add agent** instead of the associated agent for several minutes during agent enrollment. No action is needed other than refreshing the page once enrollment is complete.
10+
11+
[discrete]
12+
== How do I troubleshoot an `Offline` agent?
13+
14+
For agentless integrations to successfully connect to {elastic-sec}, the {fleet} server host value must be the default. Otherwise, the agent status on the {fleet} page will be `Offline`, and logs will include the error `[elastic_agent][error] Cannot checkin in with fleet-server, retrying`.
15+
16+
To troubleshoot this issue:
17+
18+
. Find **{fleet}** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Go to the **Settings** tab.
19+
. Under **{fleet} server hosts**, click the **Actions** button for the policy named `Default`. This opens the Edit {fleet} Server flyout. The policy named `Default` should have the **Make this {fleet} server the default one** setting enabled. If not, enable it, then delete your integration and create it again.
20+
21+
NOTE: If the **Make this {fleet} server the default one** setting was already enabled but problems persist, it's possible someone changed the default {fleet} server's **URL** value. In this case, contact Elastic Support to find out what the original **URL** value was, update the settings to match this value, then delete your integration and create it again.
22+
23+
[discrete]
24+
== How do I troubleshoot an `Unhealthy` agent?
25+
26+
On the **{fleet}** page, the agent associated with an agentless integration has a name that begins with `agentless`. To troubleshoot an `Unhealthy` agent:
27+
28+
* Confirm that you entered the correct credentials for the cloud provider you're monitoring. The following is an example of an error log resulting from using incorrect AWS credentials:
29+
+
30+
```
31+
[elastic_agent.cloudbeat][error] Failed to update registry: failed to get AWS accounts: operation error Organizations: ListAccounts, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: XXX, api error AccessDenied: User: XXX is not authorized to perform: sts:AssumeRole on resource:XXX
32+
```
33+
34+
For instructions on checking {{fleet}} logs, refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} troubleshooting].
35+
36+
[discrete]
37+
== How do I delete an agentless integration?
38+
39+
NOTE: Deleting your integration will remove all associated resources and stop data ingestion.
40+
41+
When you create a new agentless CSPM integration, a new agent policy appears within the **Agent policies** tab on the **{fleet}** page, but you can't use the **Delete integration** button on this page. Instead, you must delete the integration from the CSPM Integration's **Integration policies** tab.
42+
43+
. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then search for and select `CSPM`.
44+
. Go to the CSPM Integration's **Integration policies** tab.
45+
. Find the integration policy for the integration you want to delete. Click **Actions**, then **Delete integration**.
46+
. Confirm by clicking **Delete integration** again.
47+

0 commit comments

Comments
 (0)