Error Message in Elastic Agent Logs

[jdonovan1013]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

24

Storage for /

100

Storage for /nsm

60

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Working on getting 2.4 up and running. I am noticing that my initial Elastic Agent logs seem to have an error message included in all of the logs. Here are two fields included in the ingested logs:

Field: error.message
failed in Fleet agent final_pipeline: field [created] not present as part of path [event.created]

Field: event.agent_id_status
auth_metadata_missing

The logs otherwise appear to be fairly normal. I can query them, the data appears to be complete. It is possible that I am missing something, but I can't see whether there is anything else wrong with them.

Therefore, I wanted to confirm - Are these error messages expected? I have toyed with a few custom pipelines but currently those changes are removed, so this should be a pretty box-standard implementation at the moment. Is there anything that can be done to prevent these fields on all of the ingested logs?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

That error message is known and should be fixed in the next release of Security Onion #12881.

The error won't affect your grids log ingest. It's just because that event.created field doesn't exist for certain logs and there is a failure pipeline to surface these types of issues by appending it to the log.

[jdonovan1013]

Thank you! Was hoping this was the case.