Ingest strategy

mark8 · January 17, 2022, 9:56am

Hi there, as a (broader) follow up on this topic, I am creating this new one about ingest strategy, as I am utterly running out of ideas.

My use case has many client machines, each logging various metrics (pretty common I believe). I need:

easy enrollment for new client machines
secure ingest (not open to anyone knowing the IP/port)
metric-specific type mapping, to be able to use said metrics in Kibana dashboards

I have tried making use of the "custom TCP log"+"elastic agent" integration, which ticked boxes 1 and 2 I believe, but:

everything gets ingested on a single data stream
I have not been able to achieve dynamic type mapping depending on message content in any way (I have a special name field indicating the metric type in the payload). I tried using a custom ingest pipeline on the Custom TCP log policy, to rename the meta field _index to a metric specific one => failed due to lack of permissions for the fleet agent user (even when prepending the target index name with logs-).

My specific questions are:

Did I make a wrong choice straight from the start (mis)using the "Custom TCP log" policy?
Can someone please describe an ingest strategy that fits this use case?

Thanks in advance

system · February 14, 2022, 9:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic-Agent - Custom Log Integration Beats elastic-agent	4	3122	December 17, 2020
Elastic/fleet-server cannot create/write to index - insufficient permissions Elasticsearch	4	1166	February 10, 2022
Elasticsearch output for Elastic Agent - adding an ingest pipeline Beats elastic-agent , ingest-pipeline	5	2936	December 23, 2020
Custom Logs Ingest Pipeline Elasticsearch fleet	9	3778	February 21, 2022
Elastic-Agent enrollment problem Elasticsearch elastic-agent	9	1047	September 28, 2020