Endpoint Security integration and index naming (.logs-endpoint.action.responses)

"Endpoint and Cloud Security" integration for Elastic Agent mentions in the documentation (for Elastic 8.4.1) that

...The log type of documents are stored in the logs-endpoint.* indices. ...

However this is not entirely true. The following data streams were created when using "Endpoint and Cloud Security" integration:

  • .logs-endpoint.action.responses
  • .logs-endpoint.actions
  • logs-elastic_agent.endpoint_security
  • logs-endpoint.events.file
  • logs-endpoint.events.network
  • logs-endpoint.events.process

Which results in:

  1. Incosistency across the data stream naming pattern.
  2. Inconsitency with the integration documentation.
  3. Problems when ingesting by logstash all events from Elastic Agent and following the ELastic's documentation for using a dedicated logstash_writer role.


.logs-endpoint are supposed to be hidden streams (now I don't remember what was the reason behind). Apart from that, all is consitent, Elastic Endpoint Security streams are logs-endpoint, the other one logs-elastic_agent belongs to Elastic Agent SIEM

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.