Can Elastic Security read existing non-default, pre-existing indices?

We've been using ES for some time and have a number of indices that contain all the data we want to capture from Windows hosts and other data sources such as firewalls, etc. The reality is that I've already captured everything, so I would like to bypass the agents and such entirely if possible, since I already have the data in existing indices.
Is this possible? If so, how?

Added: I should mention that I've already tried adding the indices to the Elastic Security advanced settings, but no data ever populated the portal site.

Yep, but they need to be in the ECS format to be usable.

And how would I know whether they were or were not, or set it to use that format, or convert them? Forgive me if that's a dumb question; I'm still learning.

No worries!

Were these sources captured through modules in the various Beats, or via custom configs?

This was received through syslog TCP transports, using the nxlog agent as the source agent on Windows hosts, to be precise.

Ahh ok, then it's probably not in the ECS format, unfortunately :frowning:

I am not super knowledgeable on ECS and getting data into that format, so I am not going to be much use there, sorry to say.
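The two open questions in this thread are how to tell whether an index already holds ECS-shaped documents and how to get nxlog-style Windows events into that shape. The following Python is an added example, not code from either poster or from Elastic: it checks a document for a practical subset of the ECS fields Elastic Security relies on, maps a constructed nxlog-style Security log event (the `EventTime`, `Hostname`, `EventID`, `TargetUserName`, `IpAddress` field names are assumptions about the nxlog output, not taken from the thread) into ECS, and emits the equivalent `rename` processors for an Elasticsearch ingest pipeline so the same mapping could be applied during a reindex.

```python
"""Check a document for ECS conformance and map an nxlog-style Windows
Security event into ECS field names (added example, not from the thread)."""
from datetime import datetime, timezone

# Assumption: a practical subset of ECS fields that Elastic Security
# detection rules and timelines depend on, not the full ECS specification.
ECS_CORE_FIELDS = ("@timestamp", "ecs.version", "event.kind",
                   "event.category", "host.name")
ECS_VERSION = "8.0.0"

# Assumed nxlog field name -> ECS field name. Anything not listed here is
# kept under a vendor namespace so no data is lost during conversion.
FIELD_MAP = {
    "Hostname": "host.name",
    "TargetUserName": "user.name",
    "IpAddress": "source.ip",
    "Message": "message",
    "Channel": "winlog.channel",
    "EventID": "winlog.event_id",
}

# Windows Security event IDs -> (event.category, event.type, event.outcome),
# following the categorisation Winlogbeat applies to the same events.
EVENT_ID_MAP = {
    4624: ("authentication", "start", "success"),
    4625: ("authentication", "start", "failure"),
}

# Constructed sample event in the shape nxlog's im_msvistalog module emits
# (field names and values are made up for this example).
NXLOG_EVENT = {
    "EventTime": "2024-03-01 12:34:56",
    "Hostname": "WIN-HOST-01",
    "EventID": 4624,
    "Channel": "Security",
    "Message": "An account was successfully logged on.",
    "TargetUserName": "alice",
    "IpAddress": "10.0.0.5",
    "SourceModuleName": "in_eventlog",
}


def flatten(doc, prefix=""):
    """Flatten nested dicts into dotted keys, e.g. {"host": {"name": x}}
    becomes {"host.name": x}, so nested and dotted documents compare alike."""
    flat = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def ecs_conformance(doc):
    """Report which core ECS fields a document lacks. Run this over a few
    sampled hits from an index before pointing Elastic Security at it."""
    present = flatten(doc)
    missing = [f for f in ECS_CORE_FIELDS if f not in present]
    return {"is_ecs": not missing, "missing": missing}


def set_path(doc, dotted, value):
    """Write value into doc at a dotted path, creating nested dicts."""
    parts = dotted.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def to_ecs(event):
    """Convert one nxlog-style event into an ECS document."""
    ts = datetime.strptime(event["EventTime"], "%Y-%m-%d %H:%M:%S")
    ecs = {"@timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
           "ecs": {"version": ECS_VERSION},
           "event": {"kind": "event", "code": str(event["EventID"]),
                     "provider": "Microsoft-Windows-Security-Auditing"}}
    category, etype, outcome = EVENT_ID_MAP.get(
        event["EventID"], (None, None, "unknown"))
    if category:
        ecs["event"]["category"] = [category]
        ecs["event"]["type"] = [etype]
    ecs["event"]["outcome"] = outcome
    for src, target in FIELD_MAP.items():
        if src in event:
            set_path(ecs, target, event[src])
    # Preserve unmapped fields instead of dropping them silently.
    leftovers = {k: v for k, v in event.items()
                 if k not in FIELD_MAP and k != "EventTime"}
    if leftovers:
        ecs["nxlog"] = leftovers
    return ecs


def rename_processors():
    """Ingest-pipeline 'rename' processors equivalent to FIELD_MAP, usable
    in PUT _ingest/pipeline/<name> and then in a _reindex request."""
    return [{"rename": {"field": src, "target_field": target,
                        "ignore_missing": True}}
            for src, target in FIELD_MAP.items()]


if __name__ == "__main__":
    print("raw:", ecs_conformance(NXLOG_EVENT))
    converted = to_ecs(NXLOG_EVENT)
    print("converted:", ecs_conformance(converted))
    print(converted)
```

The `ecs_conformance` check is the quick answer to "how would I know": if sampled documents lack `@timestamp`, `event.kind`, `event.category` or `host.name`, Elastic Security will match the index pattern but render nothing useful, which is the behaviour described earlier in the thread. The `rename_processors` output only covers the flat field renames; `event.category`, `event.type` and `event.outcome` would still need a `script` or `set` processor in the pipeline, as `to_ecs` does in Python.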

OK, I'll look into seeing if that's something I can convert or take other actions. Thanks for the input.


Definitely start another topic on that question!
