Does Endpoint Security replace Winlogbeat?

At the risk of asking something completely stupid, does the Endpoint Security Agent replace Winlogbeats?

I've been shipping workstation / server MS event logs including Sysmon via Winlogbeats for a while now, and I think the new Endpoint Security Agent replaces that approach although it doesn't appear to be as easy to 'Discover' the underlying agent data.

Again. sorry if this is a stupid question. If someone could confirm it would be helpful. If the new endpoint agent doesn't replace, what's the overlap?

Thanks in advance.

Not currently. The default install is only Filebeat and Metricbeat both of which feed a hidden index that I agree is very hard to get to currently. I actually asked the same thing. If there is a way to see or please share.

Maybe down the road but with how custom winlogbeat is to each site it would take a considerable amount of work to allow the customization with a clean integration. I for one would love to see a 1 stop shop. Makes it far less or a pain to manage the dozen or so different configs running around.

The Elastic Agent will also run Winlogbeat as an input so you can use it like all the Filebeat inputs today in the future. There might be overlap between endpoint and Winlogbeat data but currently there is no plan that one replaces the other.

Can you share a bit around the part that the data is not discoverable? Are you running Endpoint with the Elastic Agent?

Do you mean what data is missing in the Endpoint logs compared to Winlogbeat? Well, I'd say the actual event logs. Consider a Winlogbeat running on a Domain Controller, collecting things like user/group changes, ntlm/kerberos event details etc. Or a VPN or MSSQL Server that creates Windows event logs. Those are not captured by the Endpoint agent, or at least not on that high level.
Many publically available detection rules (e.g. from the Sigma project) rely on Windows Event codes for detection, and probably can't use Elastic Endpoint data instead.

With my discoverable question I was pointing to the above. What you mean by hard to get to?

@nemhods Windows event logs are on the roadmap for Elastic Agent (with Winlogbeat) so I think we are in agreement, it is needed.

To those of us that have pre exisiting dashboards for metricbeat and filebeat we now have data in two spots not the most ideal situation when you have raw tables being presented.

By hidden I know I ran into a few issues on 7.9.0 right after it came out trying to get Kibana to even create an index pattern so I could see the data 7.9.1 resolved it. Just a bit of a nuisance having to add the index manually.

I did see a new one metric-* get auto created in 7.9.1 which makes life a little easier minus the duplicate fields...

Now we just need a version of the agent that doesn't spam degraded messages endlessly. 7.9.1 still does it but at a less frequent rate now. It's looking promising!

I'm with @OntheHighSeas can't wait for the WinLogBeat to be part of it. An all in 1 install would make roll out a lot easier. Just hope we get to keep the customization options we have. Like an Easy/Advanced mode options menu. Would really hate to have to limit the machines that send logs due to unused ones being sent.

I hoped we solved most issues around the "spamming" of degraded messages. Could you share a screenshot by chance on what you see?

The winlog input in Agent was already available in master and should become available in 7.10. Let me know if you are interested to try it out, happy to share a snapshot build (not stable and not for production of course :wink: ).

I'll will gladly try out 7.10 agent :slight_smile: -). I have several test machines I've been using. The spam was a know bug and is over on Git as well as some of the post here. For a first widely public roll out it wasn't bad. The changes between the two version isn't drastic but it's better. You can see my other rather long post Endpoint 7.9 "Degraded and dashboards" over here.

The agent it's self still needs some work and the elastic-endpoint well that needs a lot of work still. But you've already gone a full minor version change in a very short time. Now only if Microsoft could fix bugs that fast...

Hi @PublicName. You can find SNAPSHOT assets here: I assume I don't need to emphasise that these are snapshot builds :wink:

Yeah, we keep iterating quickly to improve it and make it more stable. I really appreciate all your feedback and help on making it better! Thank you!