Hi, I'm using windows integration to collect windows event logs, the integration settings offer a field to specify processor, but when try to use enrich processor I stop receiving new logs and i got the following error
Is there any alternatives like having the possibility to specify a pipeline.
Currently the processor field is for local beat processors. If u want to do anything with Elasticsearch pipelines, you'd have to modify the ones that come with each integration.
It is also possible to just set an index.final_pipeline in the index template to call a pipeline after the pipeline used in the integration.
This way there is no need to modify the integration pipeline, just the index template.
You have to be careful with that as every index template created by fleet managed integrations has a final pipeline already set to do certain fleet things.
Oh thanks, didn't know, I thought it was just like the beats modules, I'm not using Elastic Agent and have no plan to use it in the near future.
So, in this case the solution would be really to add a new processor in the integration pipeline then.
Thank you very much, I will try it
Would it be sensible to add your processors to the pipeline .fleet_final_pipeline-1 ? That one appears to be used in all of the integrations via the template .fleet_component_template-1. I tested with an enrich processor on the pipeline and worked so far. Can't see yet why this would be a bad idea.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
