Endpoint Security integration and index naming (.logs-endpoint.action.responses)

ivo.raisr · September 6, 2022, 6:30am

"Endpoint and Cloud Security" integration for Elastic Agent mentions in the documentation (for Elastic 8.4.1) that

...The log type of documents are stored in the logs-endpoint.* indices. ...

However this is not entirely true. The following data streams were created when using "Endpoint and Cloud Security" integration:

.logs-endpoint.action.responses
.logs-endpoint.actions
logs-elastic_agent.endpoint_security
logs-endpoint.events.file
logs-endpoint.events.network
logs-endpoint.events.process

Which results in:

Incosistency across the data stream naming pattern.
Inconsitency with the integration documentation.
Problems when ingesting by logstash all events from Elastic Agent and following the ELastic's documentation for using a dedicated logstash_writer role.

lesio · September 6, 2022, 9:33am

Hello,

.logs-endpoint are supposed to be hidden streams (now I don't remember what was the reason behind). Apart from that, all is consitent, Elastic Endpoint Security streams are logs-endpoint, the other one logs-elastic_agent belongs to Elastic Agent SIEM

system · October 4, 2022, 9:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Endpoint Security agents online but not sending any logs Elastic Security	2	570	November 4, 2022
Endpoint Security help Endpoint Security elastic-stack-security	7	628	June 23, 2022
Endpoint Security without using Fleet Endpoint Security fleet	10	2099	November 1, 2021
No Host events Endpoint Security Endpoint Security	2	459	November 7, 2022
Event Filter endpoint agent via Kibana (Fleet) with wildcards Beats docker , elastic-agent	3	569	December 7, 2021

Endpoint Security integration and index naming (.logs-endpoint.action.responses)

Related topics