`system.security` dataset is not generated for Windows agent installed with unprivileged flag.

Question

`system.security` dataset is not generated for Windows agent installed with unprivileged flag.

amolnater-qasource opened this issue a month ago · comments

Kibana Build details:

VERSION: 8.14.0 BC2
BUILD: 73626
COMMIT: bcf6960778ae270d0894a8aab07f10197ee9b97f

Preconditions:

8.14.0-BC2 Kibana cloud environment should be available.
Agent should be installed with unprivileged flag.

Steps to reproduce:

Navigate to Data Streams tab.
Observe logs for system integration and system.security dataset is not generated.

Expected Result:
system.security dataset should be generated for Windows agent installed with unprivileged flag.

What's working fine:

system.security dataset is generated for Windows agent installed without unprivileged flag.

Screenshot:

Elastic Machine · Answer 1 · Wed May 01 2024 20:08:35 GMT+0800 (China Standard Time)

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

Amol Nater · Answer 2 · Wed May 01 2024 20:08:47 GMT+0800 (China Standard Time)

@karanbirsingh-qasource Please review.

karanbir singh · Answer 3 · Wed May 01 2024 20:09:54 GMT+0800 (China Standard Time)

secondary review is done

Craig MacKenzie · Answer 4 · Thu May 02 2024 01:46:57 GMT+0800 (China Standard Time)

I suspect this will be related to the permissions of the new unprivileged user.

Can you upload diagnostics when this happens?

Lee E Hinman · Answer 5 · Thu May 02 2024 02:04:31 GMT+0800 (China Standard Time)

odds are really good that the new unprivileged user needs to be a member of the "Event Log Readers" group.

Blake Rouse · Answer 6 · Thu May 02 2024 02:43:31 GMT+0800 (China Standard Time)

It was agreed that the Administrator performing the installation will add the elastic-agent-user to the groups that they want the Elastic Agent to have access to.

I don't know exactly which group is needed to read that data, so I would try @leehinman suggestion.

Amol Nater · Answer 7 · Thu May 02 2024 15:47:56 GMT+0800 (China Standard Time)

Hi Team,

Thank you for looking into this issue.

Please find below agent diagnostics for the installed agent:
elastic-agent-diagnostics-2024-05-02T06-10-30Z-00.zip

Please let us know if anything else is required from our end.
Thanks!!

nima · Answer 8 · Thu May 02 2024 18:59:22 GMT+0800 (China Standard Time)

It was agreed that the Administrator performing the installation will add the elastic-agent-user to the groups that they want the Elastic Agent to have access to.

I don't know exactly which group is needed to read that data, so I would try @leehinman suggestion.

@blakerouse are there any other steps during installation that the user needs to perform? not just for this issue but generally speaking. I want to make sure we can comprehensively document these.

cc: @kilfoyle

Shaunak Kashyap · Answer 9 · Wed May 08 2024 19:20:05 GMT+0800 (China Standard Time)

@amolnater-qasource Did you get a chance to try @leehinman's suggestion? If it works, we can document it as a pre-requisite for running Agent in unprivileged mode.

Shaunak Kashyap · Answer 10 · Wed May 08 2024 19:27:29 GMT+0800 (China Standard Time)

@nimarezainia @blakerouse @kilfoyle I've created #4705 to start collecting in a single place all prerequisites required for successfully running Agent in unprivileged mode. @blakerouse could you please populate the table in that issue as you discover prerequisites? @kilfoyle your call on how best to take the information in that table and present it in our user-facing documentation. Thanks!

nima · Answer 11 · Thu May 09 2024 11:36:32 GMT+0800 (China Standard Time)

thank you @ycombinator. We would need instructions on how the user could change the privilege level (that are OS specific) for some of the major operating systems.

the use case: In Fleet, we inform the user that an input is not working due to privilege. The idea was to provide them some instructions on how to change the priv level to be able to read the data source.