Can Elastic Security read existing non default pre-existing indices?

rconroy · August 10, 2021, 2:04pm

Hello
We've been using ES for some time and have a number of indices that contain all the data we want to capture from windows hosts and other data sources such as firewalls etc... The reality is that I've already captured everything so i would like to bypass the agents and such entirely if possible since i already have to data in existing indices.
Is this possible? If so how?
Thanks

Added, i should mention that I've already tried adding the indices to the Elastic Security advanced settings, but no data ever populated the portal site.

warkolm · August 10, 2021, 11:03pm

Yep, but they need to be in the ECS format to be usable.

rconroy · August 10, 2021, 11:15pm

And how would i know that they were or were not, or set it to use that format or convert them? Forgive me if that's a dumb question I'm still learning

warkolm · August 10, 2021, 11:27pm

No worries!

Were these sources captured through modules in the various Beats, or via custom configs?

rconroy · August 10, 2021, 11:39pm

This was received thru syslog TCP transports using nxlog agent as the source agent on windows hosts to be precise.

warkolm · August 10, 2021, 11:42pm

Ahh ok, then it's probably not in the ECS format unfortunately

I am not super knowledgable on ECS and getting data into that format, so I am not going to be much use there sorry to say.

rconroy · August 10, 2021, 11:46pm

OK, ill look into seeing if thats something i can convert or take other actions. thanks for the input.

warkolm · August 10, 2021, 11:49pm

Definitely start another topic on that question!

system · September 7, 2021, 11:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.