Elastic Agent - Windows logs + Tagging

danielsnelling · September 1, 2020, 2:52am

Hi, does anyone know if the Elastic Agent/Ingest Manager will be getting a Winlogbeat integration module?

Currently we are deploying Auditbeat/Filebeat/Metricbeat/Winlogbeat + Sysmon in a MSI bundle, as well as a separate Endgame sensor.
We'd love to only deploy the Elastic Agent but it only appears to have Filebeat/Metricbeat modules + Elastic Security.

On a side note, does anyone know of a way to add a field/tag to Elastic Agent logs?
We perform document level security for multiple departments based on a field called 'environment' and it would be handy to maintain this granularity.

ruflin · September 1, 2020, 6:14am

We plan to add support for winlogbeat to Elastic Agent in the future. I wanted to give you an issue to track it on your end but seems we don't have one yet. Interested to open one on Github? https://github.com/elastic/beats/issues

To add fields, you should be able to use the add_field processor inside each input: https://www.elastic.co/guide/en/beats/filebeat/current/add-fields.html Let me know if this works.

danielsnelling · September 1, 2020, 6:32am

Thanks for the reply ruflin. I'll raise an issue in GitHub tomorrow.

RE adding fields, we are already doing this in *Beat, but I wanted to know if it's achievable in Elastic Agent Fleet managed.

danielsnelling · September 1, 2020, 6:54am

https://github.com/elastic/beats/issues/20886 raised

ruflin · September 1, 2020, 7:21am

Thanks for the issue.

Unfortunately at the moment, we only support the processor part in standalone and not yet through Fleet. But we plan to add support for processors / your own additional configs in the near future.

system · September 29, 2020, 9:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.