How far back in time does the Elastic Endpoint Security platform grab logs?

We recently deployed elastic agent with endpoint security enabled across an environment and started seeing event logs from months prior to the agent being installed. This is brilliant from a visibility point of view, however as we rolled out the agents it led to a surge in events that meant we lost live events from other agents that were deployed as the stack could not keep up.

This made us curious: is there any reference to how far back the endpoint security agent grabs logs, or any sort of configurable limit on the volume of logs that are exported from a single machine?

Thanks in advance,

Hi geekzy,

From looking at the Endpoint code, it seems we collect future security events and none from the past. Is it possible that you have installed the Windows integration along with Endpoint? Could you look at a few of the documents and see what the value of agent.type or possibly event.dataset is?
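One way to do the check the reply asks for is to group recent documents by `agent.type` and `event.dataset` and see which pairs carry timestamps older than the agent rollout. The script below is an added example, not code from the thread or from Elastic; the sample documents, the install date and the dataset names in them (`system.security`, `windows.sysmon_operational`, `endpoint.events.*`) are constructed to illustrate the shape of the answer, and `source_breakdown_query` just builds the equivalent Elasticsearch aggregation body for running the same question against a cluster.

```python
from datetime import datetime, timezone

# Constructed sample documents (not from the thread): ECS-style events as an
# Elastic Agent might index them. Field names agent.type, event.dataset and
# @timestamp are standard ECS fields; the values are illustrative only.
SAMPLE_DOCS = [
    {"@timestamp": "2023-01-14T09:12:03.000Z", "agent": {"type": "filebeat"},
     "event": {"dataset": "windows.sysmon_operational"}},
    {"@timestamp": "2022-11-02T17:45:10.000Z", "agent": {"type": "filebeat"},
     "event": {"dataset": "system.security"}},
    {"@timestamp": "2023-04-21T08:00:00.000Z", "agent": {"type": "endpoint"},
     "event": {"dataset": "endpoint.events.process"}},
    {"@timestamp": "2023-04-21T08:00:05.000Z", "agent": {"type": "endpoint"},
     "event": {"dataset": "endpoint.events.network"}},
    {"@timestamp": "2023-04-22T11:30:00.000Z", "agent": {"type": "filebeat"},
     "event": {"dataset": "system.security"}},
]

# Constructed rollout date: anything timestamped before this was not observed
# live by the agent and must have been read from an existing log store.
AGENT_INSTALLED = datetime(2023, 4, 20, tzinfo=timezone.utc)


def _get(doc, dotted, default="<missing>"):
    """Fetch a dotted ECS field from a nested or a flattened document."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_sources(docs, installed_at):
    """Group docs by (agent.type, event.dataset) and record, per group, the
    event count, the earliest timestamp and how many events predate install."""
    summary = {}
    for doc in docs:
        key = (_get(doc, "agent.type"), _get(doc, "event.dataset"))
        ts = parse_ts(_get(doc, "@timestamp"))
        entry = summary.setdefault(key, {"count": 0, "earliest": ts, "pre_install": 0})
        entry["count"] += 1
        entry["earliest"] = min(entry["earliest"], ts)
        if ts < installed_at:
            entry["pre_install"] += 1
    return summary


def backfilling_sources(summary):
    """Return the (agent.type, event.dataset) pairs that produced any event
    older than the install date, i.e. the likely source of the ingest surge."""
    return sorted(k for k, v in summary.items() if v["pre_install"] > 0)


def source_breakdown_query(ts_field="@timestamp"):
    """Elasticsearch aggregation body asking the cluster the same question:
    earliest event per agent.type / event.dataset, without sampling documents."""
    return {
        "size": 0,
        "aggs": {
            "by_agent_type": {
                "terms": {"field": "agent.type"},
                "aggs": {
                    "by_dataset": {
                        "terms": {"field": "event.dataset"},
                        "aggs": {"earliest": {"min": {"field": ts_field}}},
                    }
                },
            }
        },
    }


if __name__ == "__main__":
    s = summarize_sources(SAMPLE_DOCS, AGENT_INSTALLED)
    for (atype, dataset), v in sorted(s.items()):
        print(f"{atype:10} {dataset:28} count={v['count']} "
              f"earliest={v['earliest'].isoformat()} pre_install={v['pre_install']}")
    print("backfilling:", backfilling_sources(s))
```

With the constructed input only the `filebeat` datasets show events before the install date, which is the pattern the reply is pointing at: the old events come from the Windows/System integration reading the existing event log channels, not from Endpoint. On a real cluster, send the body from `source_breakdown_query()` to the `_search` endpoint of the agent data streams and read the `earliest` bucket values.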
