"Endpoint and Cloud Security" integration for Elastic Agent mentions in the documentation (for Elastic 8.4.1) that
...The log type of documents are stored in the logs-endpoint.* indices. ...
However, this is not entirely true. The following data streams were created when using the "Endpoint and Cloud Security" integration:
- .logs-endpoint.action.responses
- .logs-endpoint.actions
- logs-elastic_agent.endpoint_security
- logs-endpoint.events.file
- logs-endpoint.events.network
- logs-endpoint.events.process
Which results in:
- Inconsistency across the data stream naming pattern (two of the streams carry a leading dot, the others do not).
- Inconsistency with the integration documentation.
- Problems when ingesting all events from Elastic Agent through Logstash while following Elastic's documentation for using a dedicated `logstash_writer` role, because index privileges granted on the documented `logs-*` style patterns do not cover the dot-prefixed data streams.
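To see which of the listed data streams fall outside a set of wildcard index privileges, here is a small check added for this report (not code from Elastic or from the integration). The `-default` namespace suffix on the stream names and the index patterns assigned to the `logstash_writer` role are assumptions; substitute the patterns from the role definition actually deployed in your cluster. Matching is done with `fnmatch`, which approximates the `*` wildcard semantics of Elasticsearch index privilege names.

```python
import fnmatch

# Data streams listed in this report. The "-default" namespace suffix is a
# constructed assumption following the <type>-<dataset>-<namespace> scheme.
OBSERVED_STREAMS = [
    ".logs-endpoint.action.responses-default",
    ".logs-endpoint.actions-default",
    "logs-elastic_agent.endpoint_security-default",
    "logs-endpoint.events.file-default",
    "logs-endpoint.events.network-default",
    "logs-endpoint.events.process-default",
]

# Index-name patterns assumed to be granted to the dedicated logstash_writer
# role. This set is an assumption; read it from your own role definition.
ROLE_INDEX_PATTERNS = ["logs-*-*", "metrics-*-*", "traces-*-*", "synthetics-*-*"]


def is_covered(stream, patterns):
    """True if at least one '*' wildcard pattern matches the stream name.

    fnmatchcase is case-sensitive and treats '*' as 'any characters',
    including dots, which is how the leading-dot names fail to match a
    pattern that starts with the literal text 'logs-'.
    """
    return any(fnmatch.fnmatchcase(stream, p) for p in patterns)


def uncovered_streams(streams, patterns):
    """Return the stream names that no granted pattern matches.

    Writes to these streams would be rejected for a role holding only
    the given index privileges, so this is the list to review before
    pointing Logstash at a cluster with a least-privilege writer role.
    """
    return [s for s in streams if not is_covered(s, patterns)]


def coverage_report(streams, patterns):
    """Map every stream name to the pattern that covers it (or None)."""
    report = {}
    for stream in streams:
        match = next((p for p in patterns if fnmatch.fnmatchcase(stream, p)), None)
        report[stream] = match
    return report


if __name__ == "__main__":
    for stream, pattern in coverage_report(OBSERVED_STREAMS, ROLE_INDEX_PATTERNS).items():
        status = f"covered by {pattern}" if pattern else "NOT covered"
        print(f"{stream:48s} {status}")
    missing = uncovered_streams(OBSERVED_STREAMS, ROLE_INDEX_PATTERNS)
    print(f"\n{len(missing)} stream(s) outside the role's index privileges")
```

Running the script prints one line per stream; the two dot-prefixed streams come back as not covered, which is the concrete privilege gap behind the Logstash ingestion problem described above.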