Endpoint Security integration is always sending its data to the default namespace

Hi all,

If you make a new configuration whose namespace is not default but, let's say, 'custom', all integrations which you add will have 'custom' as their default namespace, including the Elastic Endpoint Security.

However, the Elastic Endpoint Security is still sending its data to the default namespace with the default indexes. Some logs:

{"@timestamp":"XXX","agent":{"id":"XXX","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":310,"name":"ElasticsearchComms.cpp"}}},"message":"ElasticsearchComms.cpp:310     Library Events Index     : logs-endpoint.events.library-default","process":{"pid":16532,"thread":{"id":12420}}}
{"@timestamp":"XXX","agent":{"id":"XXX","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":313,"name":"ElasticsearchComms.cpp"}}},"message":"ElasticsearchComms.cpp:313     Network Events Index     : logs-endpoint.events.network-default","process":{"pid":16532,"thread":{"id":12420}}}
{"@timestamp":"XXX","agent":{"id":"XXX","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":315,"name":"ElasticsearchComms.cpp"}}},"message":"ElasticsearchComms.cpp:315     Process Events Index     : logs-endpoint.events.process-default","process":{"pid":16532,"thread":{"id":12420}}}
{"@timestamp":"XXX","agent":{"id":"XXX","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":318,"name":"ElasticsearchComms.cpp"}}},"message":"ElasticsearchComms.cpp:318     Registry Events Index    : logs-endpoint.events.registry-default","process":{"pid":16532,"thread":{"id":12420}}}
{"@timestamp":"XXX","agent":{"id":"XXX","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":320,"name":"ElasticsearchComms.cpp"}}},"message":"ElasticsearchComms.cpp:320     Security Events Index    : logs-endpoint.events.security-default","process":{"pid":16532,"thread":{"id":12420}}}
{"@timestamp":"XXX","agent":{"id":"XXX","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":322,"name":"ElasticsearchComms.cpp"}}},"message":"ElasticsearchComms.cpp:322     Metadata Index           : metrics-endpoint.metadata-default","process":{"pid":16532,"thread":{"id":12420}}}
{"@timestamp":"XXX","agent":{"id":"XXX","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":323,"name":"ElasticsearchComms.cpp"}}},"message":"ElasticsearchComms.cpp:323     Policy Index             : metrics-endpoint.policy-default","process":{"pid":16532,"thread":{"id":12420}}}
{"@timestamp":"XXX","agent":{"id":"XXX","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"info","origin":{"file":{"line":324,"name":"ElasticsearchComms.cpp"}}},"message":"ElasticsearchComms.cpp:324     Metrics Index            : metrics-endpoint.metrics-default","process":{"pid":16532,"thread":{"id":12420}}}

Is this an already known bug? And is there maybe a workaround to solve it temporarily?

Hi @SanWieb. This is a bug, thanks for finding and reporting it. We'll fix it ASAP. There is no workaround in the meantime.

I filed issue https://github.com/elastic/endpoint/issues/2 so you can track this bug's progress if you'd like.

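A check for the symptom reported in this thread, as an added example that is not part of the original posts or Elastic's own code: it parses Endpoint log lines of the shape quoted above and reports every announced data stream whose namespace differs from the one set in the configuration. The sample lines are constructed, `parse_stream` and `misrouted_streams` are hypothetical names, and the code assumes the `<type>-<dataset>-<namespace>` naming visible in the logs.

```python
import json
import re

# Constructed sample lines, shaped like the Endpoint log lines quoted in the thread.
SAMPLE_LOG = "\n".join([
    '{"@timestamp":"XXX","log":{"level":"info"},"message":"ElasticsearchComms.cpp:315     Process Events Index     : logs-endpoint.events.process-default"}',
    '{"@timestamp":"XXX","log":{"level":"info"},"message":"ElasticsearchComms.cpp:322     Metadata Index           : metrics-endpoint.metadata-custom"}',
    '{"@timestamp":"XXX","log":{"level":"info"},"message":"ElasticsearchComms.cpp:400     Unrelated message"}',
    'not json at all',
])

# Matches "... <label> Index : <data stream name>" at the end of a message.
INDEX_RE = re.compile(r"\bIndex\s*:\s*(?P<stream>\S+)\s*$")


def parse_stream(name):
    """Split '<type>-<dataset>-<namespace>' into its parts, or return None."""
    parts = name.split("-", 2)
    if len(parts) != 3 or not all(parts):
        return None
    return tuple(parts)


def misrouted_streams(log_text, expected_namespace):
    """Return announced data streams whose namespace is not the expected one."""
    found = []
    for line in log_text.splitlines():
        try:
            message = json.loads(line).get("message", "")
        except (ValueError, AttributeError):
            continue  # skip lines that are not JSON objects
        if not isinstance(message, str):
            continue
        match = INDEX_RE.search(message)
        parsed = parse_stream(match.group("stream")) if match else None
        if parsed is None:
            continue
        _stream_type, dataset, namespace = parsed
        if namespace != expected_namespace:
            found.append({"stream": match.group("stream"),
                          "dataset": dataset,
                          "namespace": namespace})
    return found


if __name__ == "__main__":
    for hit in misrouted_streams(SAMPLE_LOG, "custom"):
        print(f"{hit['stream']}: namespace {hit['namespace']!r}, expected 'custom'")
```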