[Agent] Setting the Agent Log level in UI isn't being sent to Elastic-Security Endpoint yaml so it keeps logging at Info #23720

Closed
EricDavisX opened this issue Jan 27, 2021 · 8 comments
@EricDavisX
Contributor

[Agent] Setting the Agent Log level in UI isn't being sent to Elastic-Security Endpoint yaml so it keeps logging at Info

I'm testing with 7.11 BC5 that was compiled on Jan 26/27

  • I set up cloud-prod deploy of stack.
  • I install Agent with Default policy to Windows 2012, all works fine.
  • I set Agent to a new policy with Endpoint in it, all works fine - except I see some 'debug' error logs from Endpoint which Dan reports as expected, until Endpoint picks up the Agent log level after initial connection
  • I set the log level to 'error' and find a minute later it is respected by Agent, and Beats, but not by Endpoint. Endpoint continues to send Info+ level logs.

I pinged Ferullo and he requested the elastic-endpoint.yaml (attached in zip) which shows the log level is 'info' so it isn't getting updated by Agent.
yaml files:
yaml-files.zip

  • I have also attached the fleet and agent yaml files from the Agent folder.

excerpt of elastic-endpoint.yaml:

fleet:
  agent:
    id: b13f5240-60bb-11eb-afd7-b56fbe435287
    logging:
      level: info

screenshot:
error-and-warning-showing-in-logs

Is there a misunderstanding in the design? I'm not sure if this setting is updated only in running memory of the Agent / Endpoint / Beats, because the Elastic Agent yaml has the level set to 'info' as well, which is consistent, but very confusing since it seems to be working.

EricDavisX added the v7.12.0 and Team:Elastic-Agent labels Jan 27, 2021
@elasticmachine
Collaborator

Pinging @elastic/agent (Team:Agent)

@EricDavisX
Contributor Author

@michalpristas was this a feature we worked on together? Not sure if you want to take a look - I submit we do not need it for 7.11

@EricDavisX
Contributor Author

I forgot that the 'elastic-agent' yaml indicating that 'fleet' is in use means we should check the fleet.yaml, which I included. It shows:

agent:
  id: b13f5240-60bb-11eb-afd7-b56fbe435287
  logging.level: error

so that explains why the agent side is working.
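
A drift check for the mismatch reported above, as an added example that is not part of the original thread or of the project's code. It compares the log level in the two excerpts quoted in this issue, treating the nested `logging:` / `level:` form and the dotted `logging.level:` form as the same path. The function names and the indentation of the fleet.yaml sample are assumptions.

```python
# Constructed samples: the two excerpts quoted in this issue.
# The indentation of the fleet.yaml excerpt is assumed.
ENDPOINT_YAML = """\
fleet:
  agent:
    id: b13f5240-60bb-11eb-afd7-b56fbe435287
    logging:
      level: info
"""
FLEET_YAML = """\
agent:
  id: b13f5240-60bb-11eb-afd7-b56fbe435287
  logging.level: error
"""

def flatten(text):
    """Flatten an indented, mapping-only YAML subset to {dotted.path: value}.

    Nested keys and dotted keys produce the same path. This is a helper for
    these small files, not a general YAML parser (no lists, no multi-line values).
    """
    out, stack = {}, []  # stack holds (indent, key) for each open parent mapping
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # close finished parents
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            out[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return out

def log_level_drift(fleet_text, endpoint_text):
    """Return None when both files agree, else (agent_level, endpoint_level)."""
    agent = flatten(fleet_text).get("agent.logging.level")
    endpoint = flatten(endpoint_text).get("fleet.agent.logging.level")
    if agent is None or endpoint is None:
        raise KeyError("logging level missing from one of the files")
    return None if agent.lower() == endpoint.lower() else (agent, endpoint)

if __name__ == "__main__":
    print(log_level_drift(FLEET_YAML, ENDPOINT_YAML))
```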

@EricDavisX
Contributor Author

My opinion: Depending on the work for this we could consider merging it after 'feature freeze' as a bug - but let us confirm what the changes look like first.

@ph
Contributor

ph commented Feb 24, 2021

@michalpristas @EricDavisX this should be fixed, correct?

ph closed this as completed Feb 24, 2021

@EricDavisX
Contributor Author

@dikshachauhan-qasource @amolnater-qasource can you run testing over this in BC2 7.12 code and update test suites to include Endpoint log level setting now please? It will also be in the next 7.11.X patch, so updating that label too. @ph thanks for tracking it with us.

I did a 3 min test and it seems to be working!

@dikshachauhan-qasource

Hi @EricDavisX

We have validated this issue and found it working fine on 7.12 BC2 Kibana cloud build. Build details are as follows:

BUILD 39000
COMMIT 4f65a5a1268fa78f1af9117d12312e1cee433376
Artifact link: https://staging.elastic.co/7.12.0-37f40745/downloads/beats/elastic-agent/elastic-agent-7.12.0-darwin-x86_64.tar.gz

Observations: Agent log level settings are now applicable on endpoint security logs.

Thanks
QAS

@dikshachauhan-qasource

Hi @EricDavisX

As per the feedback in the above comment, we have created 01 test case for the Agent Log level applicable on Endpoint-Security scenario. The test case link is as follows:

C76827

Please let us know if anything is missing.

Thanks
QAS
