Endpoint Security integration and index naming (.logs-endpoint.action.responses)

ivo.raisr · September 6, 2022, 6:30am

"Endpoint and Cloud Security" integration for Elastic Agent mentions in the documentation (for Elastic 8.4.1) that

...The log type of documents are stored in the logs-endpoint.* indices. ...

However this is not entirely true. The following data streams were created when using "Endpoint and Cloud Security" integration:

.logs-endpoint.action.responses
.logs-endpoint.actions
logs-elastic_agent.endpoint_security
logs-endpoint.events.file
logs-endpoint.events.network
logs-endpoint.events.process

Which results in:

Incosistency across the data stream naming pattern.
Inconsitency with the integration documentation.
Problems when ingesting by logstash all events from Elastic Agent and following the ELastic's documentation for using a dedicated logstash_writer role.

lesio · September 6, 2022, 9:33am

Hello,

.logs-endpoint are supposed to be hidden streams (now I don't remember what was the reason behind). Apart from that, all is consitent, Elastic Endpoint Security streams are logs-endpoint, the other one logs-elastic_agent belongs to Elastic Agent SIEM

system · October 4, 2022, 9:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.