Elastic Defend Policy - Performance impact of configs

Hi there,

We want to minimize specifically the Elastic Defend Policies due to the size of our estate. One easy way is to have 1 policy for both Windows and Linux hosts.

How does Elastic Defend work when you configure it to collect Windows logs on a Linux machine and Linux logs on a Windows machine? I would assume that since there are no Linux logs on a Windows server, the agent would do nothing with it and just collect the Windows logs, and vice versa. Or would the agent spawn a service that attempts to collect Linux logs on a Windows machine and thus unnecessarily consume resources?

This is irrespective of the different integrations within the bigger agent policy but purely just focused on the Elastic Defend policy.

Kind regards,

The Elastic Defend policy, which you can inspect using the inspect command, has separate sections per OS. When you set a common feature via the Kibana UI, the setting is applied in all OS sections appropriately to the OS.

Hi Lesio,

I am asking about the implications of the settings. If I enable the Windows settings on the Elastic Agent Policy of a Linux agent, will those Windows settings consume resources anyway, or will that have no effect as it is a different OS?

OK, I see, you are talking about this section of the policy:

Any Windows OS-specific settings won't even be read by the Linux version of Endpoint.

What I meant earlier was that common features are combined in the UI, but are duplicated across the OSes in the actual policy, which you can inspect with the inspect command, for example:

Toggling the malware prevention switch will change it in three places of the policy, for all the OSes. However, features which are exposed individually per OS, for example collecting file events, can be configured independently for each OS.
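As an added illustration of the two points made in this thread (this is not code from the thread or from Elastic): a small Python check that models a per-OS policy document, shows which section an endpoint on a given host actually reads, and flags a "common" feature whose value has drifted between OS sections. The policy dict, its key names and the `elastic-agent inspect` output shape it imitates are all assumptions; the real policy has many more keys.

```python
# Models the Elastic Defend policy layout described in the thread: one section
# per OS (windows / linux / mac). The endpoint on a host reads only its own OS
# section, and a "common" feature toggled once in Kibana is written into every
# section. Constructed sample; key names are assumptions, not Elastic's schema.
from typing import Any

OS_SECTIONS = ("windows", "linux", "mac")

# Constructed sample policy. Note the Windows-only registry events and the
# per-OS file-event choices; the mac malware mode has been edited by hand.
SAMPLE_POLICY: dict[str, Any] = {
    "windows": {"malware": {"mode": "prevent"},
                "events": {"file": True, "process": True, "registry": True}},
    "linux": {"malware": {"mode": "prevent"},
              "events": {"file": False, "process": True, "network": True}},
    "mac": {"malware": {"mode": "detect"},
            "events": {"file": True, "process": True}},
}

# Features the UI exposes once and fans out to all OS sections (assumed list).
COMMON_FEATURES = (("malware", "mode"),)


def effective_section(policy: dict, host_os: str) -> dict:
    """Return the only section the endpoint on `host_os` reads; the rest of the
    document is present but ignored, so Windows-only settings in a policy
    shared with Linux hosts cost nothing on the Linux side."""
    if host_os not in OS_SECTIONS:
        raise ValueError(f"unknown OS {host_os!r}")
    return policy.get(host_os, {})


def ignored_sections(policy: dict, host_os: str) -> list[str]:
    """OS sections present in the document that `host_os` will never read."""
    return sorted(k for k in policy if k in OS_SECTIONS and k != host_os)


def _lookup(section: dict, path: tuple) -> Any:
    node: Any = section
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def common_feature_drift(policy: dict) -> dict[str, dict[str, Any]]:
    """Common features whose value differs between OS sections. The UI writes
    such toggles to all sections at once, so drift means the document was
    edited outside the UI and one OS flavour enforces something else."""
    drift = {}
    for path in COMMON_FEATURES:
        values = {os_: _lookup(policy.get(os_, {}), path) for os_ in OS_SECTIONS}
        if len(set(values.values())) > 1:
            drift[".".join(path)] = values
    return drift
```

Run `common_feature_drift` over the policy you pulled with the inspect command to confirm that a common toggle really landed in every OS section before rolling a shared policy out to a mixed Windows/Linux estate.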