Cisco Umbrella logs ingestion - Elastic Cloud


I started Elastic Cloud service trial period. I want to ingest Cisco Umbrella logs using Cisco Umbrella integration. Documentation says, that I have to install Elastic Agent in order to ship the logs (logs from self-managed S3 bucket).

I assume Elastic Agent should be installed on Elastic instance. How can I install Elastic Agent if the Elastic deployment is not self-hosted? Or is there something what I missunderstand?

No The Elastic Agent should be on a VM / Ec2 instance in your environment that can access that S3 Bucket.

S3 Bucket -> Elastic Agent (in your VPC / EC2) -> Elastic Cloud

At some point in the future we may have a hosted agent

Thank you @stephenb

Can you tell me what else, except installing the Elastic Agent on EC2 instance, should be configured to successfuly receive logs from self-managed S3 bucket?

I am interested in S3 pooling method. I installed the integration:

  • queue URL - here I put the bucket ARN as field description suggests
  • Access Key ID - IAM user who has permissions to read from S3 bucket
  • Secret Access Key - as above

Anything should be configured on EC2 after installing the agent? I am not receiving any data. Outboud network communication is allowed.

Thank you!

Issue resolved. I reconfigured the integration and logs are successfully shipped. No additional configuration on EC2 was needed.

Thank you.

But I have one more question. I have a gap in logs between 30.03 and 04.04:

How can I investigate what caused this gap? How can I enforce to pull the missing logs from S3 buckets? (there are in S3 for sure, there are just missing in Elastic)

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.