Hi All,
This is more of a general question looking for input from others on how they handle Elastic Agent policies when there is an integration that only needs to be deployed to a subset of systems.
General concept of my current setup: I have a "base" Elastic Agent policy for each of my environments, and this "base" policy has integrations that all systems take advantage of (ex: system integration).
What I'm not sure about is how to best proceed with integrations that are narrower in scope (ex: Windows IIS logs, Jira logs, Confluence logs, etc.).
I have 2 main ideas/solutions, but I don't think either of them are "great":
- Clone the "base" policy, make a specific policy, and assign the required systems to it
  - Pros
    - Easy to identify what integrations are installed
  - Cons
    - More management overhead
    - If you make a change to one of the "base" integrations, this would need to be propagated to a lot more agent policies
    - Need to be aware of what systems are in what policy to make sure the data is being collected
- Add the integrations to the "base" policy
  - Pros
    - Simple setup; everything is basically in one place
  - Cons
    - Potential to get very messy if there are a significant number of integrations
    - I suspect the agent will throw a lot of errors if it looks for something for one integration that doesn't exist on most systems.
Ideally something on the Elastic end, like parent-child agent policies, would be the solution, but without that, does anyone use one of these methods, or have another method they're using for this?
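The main cost of the first option (cloning the base policy) is drift: once the base integrations are duplicated into several policies, a version bump or a disabled input in one clone goes unnoticed until data stops arriving. The following is an added example, not code from the original post or from Elastic, of a small offline check for that. The input records are constructed here and only loosely modelled on the package-policy objects Fleet returns (the fields used are `policy_id`, `package.name`, `package.version` and `enabled`); the policy ids, package versions and the `prod-*` names are made up for the example.

```python
"""Drift check across cloned Elastic Agent policies (added example).

Compares every integration (package policy) in a "base" agent policy against
each cloned policy and reports integrations that are missing, disabled, or on
a different package version in the clone. Integrations that exist only in a
clone (the narrow ones such as IIS or Jira) are not reported: they are the
reason the clone exists.
"""
import json
from collections import defaultdict

# Constructed sample data. The shape loosely follows Fleet's package-policy
# JSON (policy_id, package.name, package.version, enabled); the ids and
# version numbers are invented for this example.
SAMPLE_PACKAGE_POLICIES = [
    {"policy_id": "prod-base", "package": {"name": "system", "version": "1.20.0"}, "enabled": True},
    {"policy_id": "prod-base", "package": {"name": "endpoint", "version": "8.11.0"}, "enabled": True},
    # prod-iis: base integrations present, but "system" was never upgraded
    {"policy_id": "prod-iis", "package": {"name": "system", "version": "1.19.0"}, "enabled": True},
    {"policy_id": "prod-iis", "package": {"name": "endpoint", "version": "8.11.0"}, "enabled": True},
    {"policy_id": "prod-iis", "package": {"name": "iis", "version": "1.8.0"}, "enabled": True},
    # prod-jira: "endpoint" is missing entirely
    {"policy_id": "prod-jira", "package": {"name": "system", "version": "1.20.0"}, "enabled": True},
    {"policy_id": "prod-jira", "package": {"name": "atlassian_jira", "version": "1.6.0"}, "enabled": True},
    # prod-confluence: "system" is present but someone disabled it
    {"policy_id": "prod-confluence", "package": {"name": "system", "version": "1.20.0"}, "enabled": False},
    {"policy_id": "prod-confluence", "package": {"name": "endpoint", "version": "8.11.0"}, "enabled": True},
    {"policy_id": "prod-confluence", "package": {"name": "atlassian_confluence", "version": "1.6.0"}, "enabled": True},
    # prod-ok: fully in sync with the base
    {"policy_id": "prod-ok", "package": {"name": "system", "version": "1.20.0"}, "enabled": True},
    {"policy_id": "prod-ok", "package": {"name": "endpoint", "version": "8.11.0"}, "enabled": True},
]


def index_by_policy(package_policies):
    """Group package policies as {policy_id: {package_name: record}}."""
    index = defaultdict(dict)
    for rec in package_policies:
        index[rec["policy_id"]][rec["package"]["name"]] = rec
    return index


def find_drift(base_policy_id, package_policies):
    """Report how each cloned policy deviates from the base policy.

    Returns {policy_id: {"missing": [...], "disabled": [...],
    "version_mismatch": {pkg: (base_version, clone_version)}}} for every
    agent policy other than the base. Raises KeyError if the base policy id
    has no package policies at all, since a silently empty base would make
    every clone look clean.
    """
    index = index_by_policy(package_policies)
    if base_policy_id not in index:
        raise KeyError(f"base policy {base_policy_id!r} has no package policies")
    base = index[base_policy_id]
    report = {}
    for policy_id, clone in sorted(index.items()):
        if policy_id == base_policy_id:
            continue
        drift = {"missing": [], "disabled": [], "version_mismatch": {}}
        for pkg, base_rec in sorted(base.items()):
            clone_rec = clone.get(pkg)
            if clone_rec is None:
                drift["missing"].append(pkg)
                continue
            if base_rec.get("enabled", True) and not clone_rec.get("enabled", True):
                drift["disabled"].append(pkg)
            base_ver = base_rec["package"]["version"]
            clone_ver = clone_rec["package"]["version"]
            if clone_ver != base_ver:
                drift["version_mismatch"][pkg] = (base_ver, clone_ver)
        report[policy_id] = drift
    return report


def policies_needing_attention(report):
    """Ids of cloned policies with at least one drift finding, sorted."""
    return sorted(
        pid for pid, d in report.items()
        if d["missing"] or d["disabled"] or d["version_mismatch"]
    )


if __name__ == "__main__":
    drift_report = find_drift("prod-base", SAMPLE_PACKAGE_POLICIES)
    print(json.dumps(drift_report, indent=2))
    print("needs attention:", policies_needing_attention(drift_report))
```

Run against real data, the list would be the `items` array from Fleet's package-policy listing rather than the constructed sample, and the report is the list of clones to fix by hand or with the Fleet API. Its value is that the check is cheap to run on a schedule, which turns the "need to be aware of what systems are in what policy" drawback into an alert instead of a discovery after the data has already stopped.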