How do you handle Elastic Agent Policies and Integrations that only apply to some systems?

Hi All,

This is more of a general question looking for input from others on how they handle Elastic Agent policies when there is an integration that only needs to be deployed to a subset of systems.

General concept of my current setup: I have a "base" Elastic Agent policy for each of my environments, and this "base" policy has integrations that all systems take advantage of (ex: system integration).

What I'm not sure about is how to best proceed with integrations that are narrower in scope (ex: Windows IIS logs, Jira logs, Confluence logs, etc.).

I have 2 main ideas/solutions, but I don't think either of them are "great":

  1. Clone the "base" policy and make a specific policy and assign the required systems to it
    • Pros
      • Easy to identify what integrations are installed
    • Cons
      • More management overhead
        • If you make a change to one of the "base" integrations, this would need to be populated to a lot more agent policies
      • Need to be aware of what systems are in what policy to make sure the data is being collected
  2. Add the integrations to the "base" policy
    • Pros
      • Simple setup, everything is basically in one place
    • Cons
      • Potential to get very messy if there are a significant number of integrations
      • I suspect the agent will throw a lot of errors if it looks for something for one integration that doesn't exist on most systems.

Ideally something on the Elastic end, like parent-child agent policies, would be an ideal solution, but without that, does anyone use one of these methods, or have another method they're using for this?
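One way to keep option 1 (cloned policies) honest is to audit the clones against the "base" policy for drift. The script below is an added example, not code from the original post or from Elastic: it reads agent policies from the Fleet API and reports, per clone, which base integrations are missing and which narrower integrations it carries. The endpoint, headers, and response fields (`items`, `package_policies`, `package.name`) are assumptions based on the Fleet API as I know it; the sample data is constructed.

```python
import json
import urllib.request


def fetch_agent_policies(kibana_url, api_key):
    """Fetch all agent policies with package policies (integrations) expanded.
    Assumption: GET /api/fleet/agent_policies?full=true returns {"items": [...]}."""
    req = urllib.request.Request(
        f"{kibana_url}/api/fleet/agent_policies?full=true&perPage=100",
        headers={"Authorization": f"ApiKey {api_key}", "kbn-xsrf": "true"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["items"]


def integration_names(policy):
    """Set of package names (e.g. 'system', 'iis') installed in one agent policy."""
    return {pp["package"]["name"] for pp in policy.get("package_policies", [])}


def policy_drift(policies, base_name):
    """Compare every non-base policy with the base policy.

    Returns {policy_name: (missing_from_clone, extra_in_clone)} where
    missing_from_clone lists base integrations the clone lacks (the
    "change to base not propagated" problem) and extra_in_clone lists the
    narrower integrations that justify the clone's existence.
    """
    by_name = {p["name"]: p for p in policies}
    base = integration_names(by_name[base_name])
    report = {}
    for name, policy in by_name.items():
        if name == base_name:
            continue
        have = integration_names(policy)
        report[name] = (sorted(base - have), sorted(have - base))
    return report


# Constructed sample shaped like a full=true Fleet response (not real output).
SAMPLE_POLICIES = [
    {"name": "prod-base", "package_policies": [
        {"package": {"name": "system"}}, {"package": {"name": "elastic_agent"}}]},
    {"name": "prod-iis", "package_policies": [
        {"package": {"name": "system"}}, {"package": {"name": "iis"}}]},
    {"name": "prod-jira", "package_policies": [
        {"package": {"name": "system"}}, {"package": {"name": "elastic_agent"}},
        {"package": {"name": "atlassian_jira"}}]},
]

if __name__ == "__main__":
    # Replace SAMPLE_POLICIES with fetch_agent_policies(url, key) for a live check.
    for clone, (missing, extra) in policy_drift(SAMPLE_POLICIES, "prod-base").items():
        print(f"{clone}: missing base integrations {missing}, extra {extra}")
```

Run against a live Fleet, a non-empty "missing" list for any clone is the signal that a base change was not propagated.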
