Elastic-agent -- Send logs to external SIEM

Good morning,

We have installed elastic-agents throughout our environment, with everything set up for Filebeat and Metricbeat monitoring. Now I'm trying to figure out how to forward logs to an external SIEM when the elastic-agent can't output to Logstash.
Is there a different way of sending logs to our external SIEM other than Logstash?

Kind regards,
Fadi

No, right now Elastic Agent can only output to Logstash or Elasticsearch.

Hi, just a small clarification: Currently the centrally managed agents are not able to write to Logstash. This is work in progress. You can however write to Logstash if your agents are self-managed.

Hi, thank you for the quick response. We do use centrally managed agents via Fleet. So from what I gather, right now it is not possible to send logs separately to an external SIEM other than by hosting self-managed agents throughout our entire environment?

Is there any ETA on when this will be a possibility?

Hi,

Not entirely;

Sending information from your Fleet-managed agents can only be done with the Elasticsearch output. However, what you can do if you want to forward logs to a secondary solution is set up a Logstash instance that queries Elasticsearch and have that pipeline output to your external SIEM.

Setup would then look like:

elastic agent --> elasticsearch --> logstash --> external siem

Logstash would use:

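As an added example (not from the thread and not the poster's own configuration), this is what a Logstash pipeline for the elasticsearch --> logstash --> external siem leg could look like. It polls Elasticsearch with the elasticsearch input plugin on a cron schedule and forwards the hits to the SIEM with the syslog output plugin over TLS. Hostnames, the index pattern, ports, certificate paths and credential names are placeholders; the query window and the dedup fields are design choices, not something the thread specifies.

```conf
# Added example: poll Elasticsearch for recently indexed agent data and
# forward it to an external SIEM over syslog/TLS. All hosts, paths and
# credential names below are placeholders.
input {
  elasticsearch {
    hosts    => ["https://es01.example.internal:9200"]
    user     => "logstash_reader"
    password => "${ES_READER_PASSWORD}"   # resolved from the Logstash keystore, not stored inline
    ssl      => true
    ca_file  => "/etc/logstash/certs/ca.crt"
    index    => "logs-*,metrics-*"
    # Pull the window [now-70s, now-10s): the 10 s lag lets refresh/ingest settle,
    # the 10 s overlap between consecutive runs avoids gaps at the cost of duplicates.
    query    => '{ "query": { "range": { "@timestamp": { "gte": "now-70s", "lt": "now-10s" } } }, "sort": [ "@timestamp" ] }'
    schedule => "* * * * *"               # cron syntax: one run per minute is the finest grain available
    size     => 1000                      # hits per scroll page
    scroll   => "1m"
    docinfo  => true                      # keep _index/_id so the SIEM can deduplicate
    docinfo_target => "[@metadata][es]"
  }
}

filter {
  # Surface the source index and document id as real fields (metadata is not shipped),
  # so the receiving SIEM can drop the duplicates produced by the overlapping windows.
  mutate {
    add_field => {
      "[source][index]"  => "%{[@metadata][es][_index]}"
      "[source][doc_id]" => "%{[@metadata][es][_id]}"
    }
  }
}

output {
  syslog {
    host       => "siem.example.internal"
    port       => 6514
    protocol   => "ssl-tcp"
    ssl_cert   => "/etc/logstash/certs/logstash.crt"
    ssl_key    => "/etc/logstash/certs/logstash.key"
    ssl_cacert => "/etc/logstash/certs/ca.crt"
    rfc        => "rfc5424"
    codec      => json_lines              # one JSON document per syslog message
  }
}
```

Two caveats a practitioner should weigh before choosing this design: the schedule is cron-based, so it cannot run more often than once a minute, and a time-range poll is either lossy (no overlap) or duplicating (overlap), which is why the document id is carried along for deduplication. Option names such as ssl/ca_file have been renamed in newer plugin versions (ssl_enabled, ssl_certificate_authorities), so check the plugin version you run.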
Didn't think of that approach yet indeed, thanks for the thought. But we have quite a few indices that would need to be queried every 10 seconds or, preferably, even more frequently. Don't know how feasible that is?

I did think of another approach, which is to install separate Filebeats (for now) that log to Logstash, and then Logstash only outputs to the SIEM.

Don't quite know which is the better option here.

What is your use case for Elasticsearch? As in, what size, retention, etc. are you trying to achieve?

Supporting Logstash as an output for managed agents is the highest priority for the team.
Once available, you should be able to use an output plugin in Logstash to create this pipeline (which I believe is your intention):

elastic-agent --> Logstash ----+----> external siem
                               |
                               +---> Elasticsearch
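As an added example (not from the thread and not Elastic's reference configuration), this is the fan-out pipeline for the diagram above: Logstash receives the agent stream over the Beats protocol with mutual TLS, and the output section writes every event to both Elasticsearch and the external SIEM. Hostnames, ports, certificate paths, credential names and the sample grok condition are placeholders and assumptions; the data_stream setting is what keeps the agent's logs-*/metrics-* naming intact when Logstash sits in front of Elasticsearch.

```conf
# Added example: receive Elastic Agent traffic over the Beats protocol and
# fan it out to Elasticsearch and an external SIEM. Hosts, paths and
# credential names are placeholders.
input {
  beats {
    port => 5044
    ssl  => true
    ssl_certificate             => "/etc/logstash/certs/logstash.crt"
    ssl_key                     => "/etc/logstash/certs/logstash.pkcs8.key"   # beats input needs PKCS#8
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_verify_mode             => "force_peer"   # every agent must present a client certificate
  }
}

filter {
  # Parsing lives here rather than on the agent hosts or the Elasticsearch nodes.
  # The dataset name is an assumption; adjust it to the integration you ship.
  if [data_stream][dataset] == "nginx.access" {
    grok {
      match          => { "message" => "%{COMBINEDAPACHELOG}" }
      tag_on_failure => ["_grokparsefailure_nginx"]
    }
  }
}

output {
  elasticsearch {
    hosts       => ["https://es01.example.internal:9200"]
    user        => "logstash_writer"
    password    => "${ES_WRITER_PASSWORD}"        # from the Logstash keystore
    cacert      => "/etc/logstash/certs/ca.crt"
    data_stream => true                           # route by the agent's data_stream.* fields
  }
  syslog {
    host       => "siem.example.internal"
    port       => 6514
    protocol   => "ssl-tcp"
    ssl_cert   => "/etc/logstash/certs/logstash.crt"
    ssl_key    => "/etc/logstash/certs/logstash.key"
    ssl_cacert => "/etc/logstash/certs/ca.crt"
    rfc        => "rfc5424"
    codec      => json_lines
  }
}
```

Note that with data_stream => true the Elasticsearch output expects the data_stream.type/dataset/namespace fields the agent already sets, so the events land in the same data streams they would have reached directly. If the SIEM is unreachable, the syslog output blocks the pipeline rather than dropping events, which is the point at which a persistent queue in Logstash becomes worthwhile.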

Thank you for the response, we'll await this solution then. It should be the best solution for this, also for message queuing and grok operations (which you don't want on the Elastic nodes themselves or on the host servers).

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.