Elastic Agent (Defender) – Public + On-Prem Deployment Question

My goal is to deploy the Elastic Agent with the Defender integration as an XDR solution on our clients and forward all security alerts to our on-prem SIEM. Fleet and the rest of the Elastic components are reachable from the office network and through VPN.

The issue: employees are allowed to use their notebooks privately and we have a very flexible home-office policy. Not all work-related resources require a VPN connection.

My question:
Is it possible to configure the Elastic Agent so that it sends data to the internal ingest nodes when the device is on the corporate network, and automatically switches to a public log receiver when it is outside the company network or not connected to VPN?

Hello and welcome,

You can configure multiple hosts in an output, but the agent will use all of them, so you may have cases where the Agent is on the private network but it is sending logs using the public endpoint.

They would also need to have access to Fleet when not on the private network/VPN, not just the endpoint to send logs.

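To make the reply's point concrete, here is what a multi-host output looks like in a standalone `elastic-agent.yml` (an added illustration, not configuration from the original post; the hostnames and the `api_key` value are placeholders). Both hosts are treated as equally valid targets, so listing an internal and a public ingest endpoint together does not give "internal first, public only off-network" behaviour.

```yaml
# Added example: one output with two Elasticsearch hosts.
# The agent distributes events across ALL listed hosts; it does not
# prefer the first one or fail over only when it is unreachable.
outputs:
  default:
    type: elasticsearch
    hosts:
      - "https://ingest-internal.corp.example:9200"   # placeholder, reachable on LAN/VPN
      - "https://ingest-public.example.com:9200"     # placeholder, reachable from the Internet
    api_key: "<REPLACE_WITH_API_KEY>"                 # placeholder value
```

Because a single output cannot express a location-dependent preference, an agent on the office network may still send part of its traffic to the public endpoint, and it must also be able to reach Fleet from outside the network for policy checks.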