Huge size for elastic endpoint (defend) integration indices?


Cluster information:
3 nodes with 1TB

I have configured a fleet server with elastic defend integration to start using elastic security.
Currently only 2 servers are enrolled with the agent. Here is the integrations of the policy that we use:

  • Endpoint Security

  • Elastic APM

  • Auditd Logs

  • ModSecurity Audit

  • System (deactivated process, network, file)

Everything works fine, but I would like to share with you my disk usage for the Elastic integration because I think it's a huge amount for only 2 servers enrolled.

There is 1 replica, so we are around 25GB per day for only 2 servers, with 50GB of disk usage.

I have 30 servers to monitor, so we are going to use 750GB per day for process events only? Is that normal?

It happens :wink: Some processes are particularly noisy and quickly fill out the indexes. It's possible to suppress such events, but it makes blind spots in your data so it's an opt-out for users.
See details here: Event Filters
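Before writing an event filter it helps to know which executables actually dominate the process-event volume, since every filter is a blind spot. The script below is an added example, not code from this thread or from Elastic: it reads newline-delimited JSON documents in the ECS shape Elastic Defend writes to the `logs-endpoint.events.process-*` data streams (only the `event.category`, `host.name` and `process.executable` fields are relied on), ranks executables by the bytes they contribute, flags the ones above a share threshold as filter candidates, and projects daily disk usage for a larger fleet the way the numbers in this thread were derived (primary plus one replica). The sample documents and the threshold are constructed for illustration; the candidate list is input for the Kibana Event Filters UI, not the filter format itself.

```python
"""Rank Elastic Defend process events by executable to find event-filter candidates.

Assumptions (not taken from the thread): documents are ECS-shaped like those in
logs-endpoint.events.process-*, and stored size is approximated by the compact
JSON length of the document (index overhead and compression are ignored).
"""
import json
from collections import Counter, defaultdict

# Constructed sample documents: six process events and one network event,
# trimmed to the fields this script uses.
_SAMPLE_DOCS = [
    {"@timestamp": "2023-05-01T10:00:00.000Z", "event": {"category": ["process"], "action": "start"},
     "host": {"name": "web-01"}, "process": {"executable": "/usr/bin/sleep", "pid": 4101}},
    {"@timestamp": "2023-05-01T10:00:01.000Z", "event": {"category": ["process"], "action": "start"},
     "host": {"name": "web-02"}, "process": {"executable": "/usr/bin/sleep", "pid": 4102}},
    {"@timestamp": "2023-05-01T10:00:02.000Z", "event": {"category": ["process"], "action": "start"},
     "host": {"name": "web-01"}, "process": {"executable": "/usr/bin/sleep", "pid": 4103}},
    {"@timestamp": "2023-05-01T10:00:03.000Z", "event": {"category": ["process"], "action": "start"},
     "host": {"name": "web-01"}, "process": {"executable": "/usr/bin/grep", "pid": 4201}},
    # event.category as a bare string instead of an array; the parser normalises it
    {"@timestamp": "2023-05-01T10:00:04.000Z", "event": {"category": "process", "action": "start"},
     "host": {"name": "web-02"}, "process": {"executable": "/usr/bin/grep", "pid": 4202}},
    {"@timestamp": "2023-05-01T10:00:05.000Z", "event": {"category": ["process"], "action": "start"},
     "host": {"name": "web-01"}, "process": {"executable": "/usr/sbin/sshd", "pid": 4301}},
    {"@timestamp": "2023-05-01T10:00:06.000Z", "event": {"category": ["network"], "action": "connection_attempted"},
     "host": {"name": "web-01"}, "process": {"executable": "/usr/bin/curl", "pid": 4401}},
]
# A blank line and a malformed line are included to exercise the parser's error handling.
SAMPLE_NDJSON = "\n".join(json.dumps(d) for d in _SAMPLE_DOCS) + "\n\nnot json\n"


def parse_events(ndjson_text):
    """Parse NDJSON into dicts, skipping blank and malformed lines."""
    events = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad export line should not abort the whole analysis
    return events


def _categories(doc):
    cat = doc.get("event", {}).get("category")
    return [cat] if isinstance(cat, str) else (cat or [])


def rank_executables(events):
    """Return (executable, count, bytes, share_of_bytes) rows, largest contributor first."""
    counts, sizes, total = Counter(), defaultdict(int), 0
    for doc in events:
        if "process" not in _categories(doc):
            continue
        exe = doc.get("process", {}).get("executable") or "<unknown>"
        size = len(json.dumps(doc, separators=(",", ":")).encode())
        counts[exe] += 1
        sizes[exe] += size
        total += size
    rows = [(exe, counts[exe], sizes[exe], sizes[exe] / total if total else 0.0) for exe in counts]
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


def filter_candidates(rows, min_share=0.3):
    """Executables that alone account for at least min_share of process-event bytes."""
    return [r[0] for r in rows if r[3] >= min_share]


def project_daily_gb(observed_gb_per_day, observed_hosts, target_hosts, replicas=1, removed_share=0.0):
    """Linear projection of daily on-disk usage, counting replica copies.

    With the thread's numbers (25 GB primary per day for 2 hosts, 1 replica,
    30 hosts) this gives 750 GB; removed_share models the effect of a filter.
    """
    per_host = observed_gb_per_day / observed_hosts
    return per_host * target_hosts * (1 + replicas) * (1 - removed_share)


if __name__ == "__main__":
    rows = rank_executables(parse_events(SAMPLE_NDJSON))
    for exe, n, size, share in rows:
        print(f"{exe:<20} events={n:<3} bytes={size:<6} share={share:.1%}")
    cands = filter_candidates(rows, 0.4)
    removed = sum(r[3] for r in rows if r[0] in cands)
    print("candidates:", cands)
    print("projected GB/day for 30 hosts without filter:", project_daily_gb(25, 2, 30))
    print("projected GB/day for 30 hosts with filter:   ", round(project_daily_gb(25, 2, 30, removed_share=removed), 1))
```

Run it against a real export (for example the output of a scroll or `_search` over `logs-endpoint.events.process-*` converted to NDJSON) and the top rows are the executables worth reviewing for a filter; the removed share fed into the projection shows how much disk a candidate filter would actually save before you accept the blind spot.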

I forgot to mention that since we added the Event Filters, we also started looking closely at which events have little value and are curating an out-of-the-box filter. This filter can be toggled off by an advanced policy option.

I hope you don't have it accidentally set to false.

Thank you for your reply.
I can confirm that I have not set the value to false; all advanced settings are default.

I will take a look at the event filter.

If I understand correctly, the filtered events can still be used to trigger alerts, but they are not indexed in ES. Is that right?

Events filtered out by Endpoint are dropped just before going to the wire so all detections work internally raising appropriate Alerts, moving malware into quarantine, etc.
