Hi there, as a (broader) follow-up on this topic, I am creating this new one about ingest strategy, as I am utterly running out of ideas.
My use case has many client machines, each logging various metrics (pretty common I believe). I need:
- easy enrollment for new client machines
- secure ingest (not open to anyone knowing the IP/port)
- metric-specific type mapping, to be able to use said metrics in Kibana dashboards
I have tried making use of the "custom TCP log"+"elastic agent" integration, which ticked boxes 1 and 2 I believe, but:
- everything gets ingested on a single data stream
- I have not been able to achieve dynamic type mapping depending on message content in any way (I have a special `name` field indicating the metric type in the payload). I tried using a custom ingest pipeline on the Custom TCP log policy, to rename the meta field `_index` to a metric specific one => failed due to lack of permissions for the fleet agent user (even when prepending the target index name with `logs-`).
My specific questions are:
- Did I make a wrong choice straight from the start (mis)using the "Custom TCP log" policy?
- Can someone please describe an ingest strategy that fits this use case?
Thanks in advance