Do we have to install new agent for every new host for Fleet

I was currently exploring regarding elasticsearch fleet and I set up a basic fleet server and a enrolled an elastic-agent on one machine, for example, "machine-A" with a agent policy: "p1", Agent policy p1 is configured with one integration "system". I was able to collect it's logs on configured output.

Our requirement is to use integration for Barracauda Firewall. Fleet provides integration for this. My query is that in order to configure this, do I need to setup a separate agent on a separate machine and add provide a policy which includes Barracauda integration or I can use the current machine-A where already one elastic agent is running and update its policy to add Barracauda integration ?

While configuring Barracauda Firewall integration, it asks for certain parameters like ip, port etc.. details, so do I need to add Barracauda machine details there ?

A policy can have 1 to Many integrations.

1 Fleet to 1 to Many Agents
1 Agent to 1 policy
1 Policy to 1 to Many Integrations

No, this integration as many other integrations like Fortigate, Palo Alto, Cisco etc, will act as a Syslog server, it will listen for events on TCP or UDP, so the IP and Port here are the IP and Port that the Agent will bind itself to listen for events.

Normally you choose a port and set the IP as to bind to all available IPs on the host.

Then on your Firewall you will configure it to send logs to this IP and Port as you were configuring it to send logs to a Syslog server.

Unfortunatelly the documentation for a lot of integrations is not good and lack explanation of what you need to configure and why.

In this case I would set up a completely different agent for integrations that listen or pool for data like the Barracuda and other network devices, or integrations that query SaaS APIs.

For example if you add the Barracuda integration on the same policy where you have the system integration to collect logs from some server, and then you want to add 10 more servers, you will have 10 servers also running the Barracuda integration listening to events, but your Firewall is configured to send logs for just one of them.

The best approach is to have different policies for integrations that can be applied to multiple machines and integrations that receives logs from network devices or query API endpoints.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.