How far back in time does the Elastic Endpoint Security platform grab logs?

geekzy · November 17, 2021, 12:15pm

We recently deployed elastic agent with endpoint security enabled across an environment and started seeing event logs from months prior to the agent being installed. This is brilliant from a visibility point of view, however as we rolled out the agents it led to a surge in events that meant we lost live events from other agents that were deployed as the stack could not keep up.

This made us curious, is there any reference to how far back the endpoint security agent grabs logs or any sort of configurable limit on the amount volume of logs that are exported from a single machine?

Thanks in advance,

Michelle_Bennett · November 22, 2021, 10:32pm

Hi geekzy,

From looking at the Endpoint code, is seems we collect future security events and none from past. Is it possible that you have installed the Windows integration along with Endpoint? Could you look at a few of the documents and see what the value of agent.type or possibly event.dataset is?

Thanks!

system · December 21, 2021, 12:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Endpoint Security agents online but not sending any logs Elastic Security	2	570	November 4, 2022
Elastic Endpoint Windows Event Log - Security Channel Endpoint Security	2	483	September 16, 2021
Endpoint Security Intergration vs. Windows and System Intergrations Endpoint Security	3	1093	March 9, 2022
Elastic Endpoint shipping application and service logs Endpoint Security	6	505	March 19, 2021
Endpoint Security integration and index naming (.logs-endpoint.action.responses) Elastic Agent fleet	2	610	October 4, 2022

How far back in time does the Elastic Endpoint Security platform grab logs?

Related topics