Raspberry PI bookworm - Degraded. #518

Open
mikev1963 opened this issue Apr 29, 2024 · 7 comments
Labels
Team:Elastic-Agent Label for the Agent team Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Comments

@mikev1963

After installing the elastic agent on a Raspberry pi 4/5 I get the following errors:

{"@timestamp":"2024-04-29T16:41:38.70703445Z","agent":{"id":"f21a6f26-802c-48ec-91dc-3be609a9fe00","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"warning","origin":{"file":{"line":491,"name":"AgentContext.cpp"}}},"message":"AgentContext.cpp:491 Endpoint is setting status to DEGRADED, reason: Policy Application Status","process":{"pid":9828,"thread":{"id":13091}}}
{"@timestamp":"2024-04-29T16:41:58.707882573Z","agent":{"id":"f21a6f26-802c-48ec-91dc-3be609a9fe00","type":"endpoint"},"ecs":{"version":"8.10.0"},"log":{"level":"warning","origin":{"file":{"line":491,"name":"AgentContext.cpp"}}},"message":"AgentContext.cpp:491 Endpoint is setting status to DEGRADED, reason: Policy Application Status","process":{"pid":9828,"thread":{"id":13091}}}

This only happens on the Raspberry PI. I have other Ubuntu servers running x86 that work fine.

Any help on this agent would be great. Thanks

@ycombinator ycombinator added Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team Team:Elastic-Agent Label for the Agent team labels Apr 29, 2024
@elasticmachine
Contributor

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

@elasticmachine
Contributor

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

@pierrehilbert

Hello @mikev1963
What is your Elastic Agent version?
cc @nfritts as you may know of some limitations on Raspberry Pi

@mikev1963
Author

My version is elastic-agent-8.13.2-linux-arm64.tar.gz

@pshef

pshef commented May 24, 2024

I'm getting the same error on Bookworm using elastic-agent-8.10.4-linux-arm64.tar.gz.

[elastic_agent][debug] observed check-in for endpoint service: token:"bfabd6a0-08bd-4034-ac59-10de663d93f1" units:{id:"endpoint-default-6fb1c193-fcab-4dbc-8e95-e4aebadc0863" config_state_idx:1 state:DEGRADED message:"Applied policy {6fb1c193-fcab-4dbc-8e95-e4aebadc0863}" payload:{fields:{key:"error" value:{struct_value:{fields:{key:"code" value:{number_value:0}} fields:{key:"message" value:{string_value:"Success"}}}}}}} units:{id:"endpoint-default" type:OUTPUT config_state_idx:1 state:DEGRADED message:"Applied policy {6fb1c193-fcab-4dbc-8e95-e4aebadc0863}" payload:{fields:{key:"error" value:{struct_value:{fields:{key:"code" value:{number_value:0}} fields:{key:"message" value:{string_value:"Success"}}}}}}} version_info:{name:"Endpoint" version:"8.10.4"} features:{source:{fields:{key:"agent" value:{struct_value:{fields:{key:"features" value:{struct_value:{fields:{key:"fqdn" value:{struct_value:{fields:{key:"enabled" value:{bool_value:false}}}}}}}}}}}} fqdn:{}} features_idx:2

Not sure if this is relevant, but I did see another couple errors:

[elastic_agent.endpoint_security][debug] Tux_Fanotify.cpp:968 Failed to fanotify_mark mount 559 23 179:2 /usr/bin/runc /run/docker/runtime-runc/moby/381a3b6dc4198bf3ba78d4e009f7d6d261f66a3b1aba2f15e7319bf91b97eccd/runc.SNyLFm ro,noatime shared:1 - ext4 /dev/mmcblk0p2 rw
[elastic_agent.endpoint_security][info] FileEventEnrich.cpp:126 Enriching File event failed to retrieve process (26323) from cache

Other integrations I have enabled (Osquery, System, and File Integrity Monitor) are working fine. In the agent's Integrations section, the failed Elastic Defend policy responses are:

  • Malicious Behavior
    • Configure Process Events
  • Malware
    • Detect Process Events
  • Events
    • Detect Process Events
    • Configure Process Events
  • Memory Threat
    • Configure Process Events
    • Detect Process Events

All have the message "Failure enabling process events; current state is disabled."

I'm chalking it up to it being ARM, but figured I'd chime in in case there's anything I can do to help.

@professor-moody

I'm seeing the same thing :(

Curious if anyone has made progress here

@cmacknz cmacknz transferred this issue from elastic/elastic-agent Jul 2, 2024
@nicholasberlin
Contributor

@pshef

We support ARM on 5.4+ kernels for recent Ubuntu, SLES, CentOS/RHEL distros.
We don't support Raspberry pis ... though that doesn't mean it won't work.

Based on:

"Failure enabling process events; current state is disabled."

That means endpoint wasn't able to install event sources, either tracefs based kprobes or ebpf probes.

What kernel version is running? Does the kernel support eBPF? If so, does it have BTF exported?

You could request a diagnostic package from the Fleet / Agents tab and upload it below.

https://upload.elastic.co/u/7c411cf8-3fb5-4044-ac02-973616fb2ed5 (<--- expires in 7 days)
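
Added example, not part of the thread and not Elastic's own diagnostic: a POSIX shell probe that answers the questions in the last comment (kernel version against the 5.4 floor, eBPF support, BTF export, tracefs kprobes). The function names are hypothetical, and the choice of `CONFIG_*` options is an assumption based on the standard kernel options for these features; the page does not list what Endpoint itself checks.

```shell
#!/bin/sh
# Added example: kernel capability probe for the questions asked above.
# ROOT is a filesystem prefix ("" = the live system); REL is a `uname -r` string.

# True if REL's major.minor is at least MAJOR.MINOR.
kernel_at_least() (
    rel=$1; major=${rel%%.*}; rest=${rel#*.}; minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) exit 2 ;; esac
    [ -n "$minor" ] || exit 2
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
)

# Print the kernel build config from whichever source exists.
kernel_config() (
    if [ -r "$1/boot/config-$2" ]; then
        cat "$1/boot/config-$2"
    elif [ -r "$1/proc/config.gz" ]; then   # may need `modprobe configs` first
        gzip -dc "$1/proc/config.gz"
    else
        exit 1
    fi
)

# True if OPTION is built in (=y) or a module (=m): config_enabled ROOT REL OPTION
config_enabled() ( kernel_config "$1" "$2" | grep -q "^$3=[ym]\$" )

# BTF type information is exported by the kernel at this path when available.
has_btf() { [ -r "$1/sys/kernel/btf/vmlinux" ]; }

# tracefs kprobe interface, at the current or the legacy debugfs mount point.
has_kprobe_events() {
    [ -e "$1/sys/kernel/tracing/kprobe_events" ] ||
        [ -e "$1/sys/kernel/debug/tracing/kprobe_events" ]
}

probe_report() (
    root=$1 rel=$2
    echo "kernel release: $rel"
    kernel_at_least "$rel" 5 4 && echo "kernel >= 5.4: yes" || echo "kernel >= 5.4: no"
    for opt in CONFIG_BPF_SYSCALL CONFIG_KPROBES CONFIG_KPROBE_EVENTS CONFIG_DEBUG_INFO_BTF; do
        config_enabled "$root" "$rel" "$opt" && echo "$opt: enabled" ||
            echo "$opt: not set (or kernel config unreadable)"
    done
    has_btf "$root" && echo "BTF exported: yes" || echo "BTF exported: no"
    has_kprobe_events "$root" && echo "kprobe_events: present" ||
        echo "kprobe_events: absent (tracefs not mounted, or not running as root)"
)

# Run against the live system; tracefs is normally readable by root only.
probe_report "" "$(uname -r)"
```

Run it as root on the affected host and paste the output alongside the diagnostic package.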
