Installing Fleet agent on servers with existing winlogbeats/filebeats etc

I have a number of servers where I manually installed filebeat/winlogbeat/metricbeat etc.
What impact does that have if I wish to now use the Fleet agent and policies to collect this data?
Do I need to manually uninstall existing beats then install fleet agent with relevant policies...then update yml file to what I currently use for the metricbeats/filebeats/winlogbeats?

Or does the fleet agent recognise existing beats installs?

What integrations do you have selected? I'm a 90% Windows shop as well. Here's a couple of hard lessons I've learned. Fleet impact is based on collections just like running multiple beats.

  1. Winlogbeat is replaced with - System integration for fleet. No need to run duplicates here unless you are collecting anything other than System, Application, Security logs, Sysmon. For example, for terminal services logs you would need winlogbeat. It's encouraged to add Sysmon if you haven't installed it as well. Really ties in nicely.

  2. Metricbeat is replaced with - System integration for fleet. No need to run duplicates here unless you are collecting specific things like IIS, MSSQL for example. Yes, IIS can be done with Fleet, but honestly I stick with Metricbeat for it as the fleet one has been hit or miss for me. One major issue I want to point out: if you're capturing MSSQL with standalone metricbeat and elastic agent "fleet", you will have the standalone stall often and stop collecting all data. The process will continue to run but it's a dead state. The version must match, so each update to fleet, even minor, has to match the standalone as well.

  3. Filebeat is part of the agent as well. You would need to add an additional integration, IIS for example, to collect logs outside of its normal file scans.

Fleet has come a very long way and it's shaping up to be pretty solid. It does not recognize local installs and as such, if you add Endpoint for example, add an exclusion path for winlogbeat, metricbeat, filebeat along with the ProgramData paths. Every few versions of the agent go nuts and will kill a machine unless you add the exclusions, as it's a death loop of audits on audits. It gets fixed one version, then back again the next. Save yourself the headache if you use Endpoint and add them before deployment.

Might not have answered anything for you, maybe it did. It's all in what you're collecting. If it's basics, nothing fancy, then fleet will take over and run just fine without issues.
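
For a hybrid host, the version-match and exclusion-path points in the reply above can be checked with a short inventory script. This is an added example, not part of the original posts or Elastic's own tooling. It assumes the agent's Windows service is named `Elastic Agent`, that each standalone Beat's service is named after the Beat, and that Beat data lives under `%ProgramData%\<beat name>`; adjust these to match your installs.

```powershell
# Added example. Service names and the ProgramData layout are assumptions.
$agentService = 'Elastic Agent'
$beatServices = 'winlogbeat', 'metricbeat', 'filebeat'

function Get-ServiceExePath {
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    # PathName looks like '"C:\path\beat.exe" <args>'; the quotes are optional.
    if ($svc.PathName -match '^\s*"?([^"]+?\.exe)') { return $Matches[1] }
    return $null
}

function Get-ReportedVersion {
    param([string]$ExePath)
    # elastic-agent and the Beats both accept a 'version' subcommand;
    # take the first x.y.z that appears in the output.
    $out = (& $ExePath version 2>&1 | Out-String)
    if ($out -match '(\d+\.\d+\.\d+)') { return $Matches[1] }
    return $null
}

$agentExe     = Get-ServiceExePath -Name $agentService
$agentVersion = if ($agentExe) { Get-ReportedVersion -ExePath $agentExe } else { $null }

$report = foreach ($name in $beatServices) {
    $exe = Get-ServiceExePath -Name $name
    if (-not $exe) { continue }   # this Beat is not installed as a service on the host
    $version = Get-ReportedVersion -ExePath $exe
    [pscustomobject]@{
        Service       = $name
        Version       = $version
        AgentVersion  = $agentVersion
        # False when the agent is absent or the versions differ.
        VersionsMatch = ($null -ne $agentVersion -and $version -eq $agentVersion)
        # Candidate paths for the Endpoint exclusion list.
        InstallDir    = Split-Path -Path $exe -Parent
        DataDir       = Join-Path $env:ProgramData $name
    }
}
$report | Format-Table -AutoSize
```

Rows with `VersionsMatch` set to `False` are the hosts where the standalone Beat needs updating alongside the agent; `InstallDir` and `DataDir` are the paths to review for Endpoint exclusions before deployment.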

Thanks for the detailed reply, it's been useful. I use mssql/sql/iis modules and rely heavily on these. I think I may go down a hybrid route just now until the product matures and use fleet on those machines with no requirement for mssql/sql/iis.

Thanks again.
