Is it possible to forward logs from Elasticsearch to QRadar?


I have deployed the ELK stack onto a couple of VMs. The logs are gathered using Fleet agents, and they're being sent into Elastic. Is there a way to forward the logs from Elasticsearch to an on-prem QRadar deployment? Or should I look into reading the logs from Elasticsearch using QRadar?

At this point I have not tried anything, just looked through various community posts. I expect to forward logs from Elasticsearch to QRadar, or to read logs from Elasticsearch using QRadar.

Okay, so it's not possible to ingest logs with QRadar from Elasticsearch, nor is it possible to forward them from Elasticsearch to QRadar. However, you can use Fleet agents to gather the logs, then send them into Logstash, and Logstash can send the logs both to Elastic and QRadar. Note that this approach is going to require a paid license, because Fleet agents with the basic license don't support any other outputs except Elasticsearch.


Where did you get this information? Elasticsearch does not send logs anywhere, but you can use a tool like Logstash to query your Elasticsearch data and send it to other destinations.

Not entirely correct; you can use the basic license and have the Fleet agents sending logs to Logstash, Elasticsearch or Kafka.

The limitation you have is that you cannot have different outputs per policy, but you can configure your default output to send logs to Kafka, Elasticsearch or Logstash.
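To make the two approaches discussed in this thread concrete, here is an added example Logstash pipeline (not from any of the posters above, and not Elastic's or IBM's own configuration). The first input receives events from Fleet-managed agents whose Fleet output is pointed at Logstash; the second, commented-out input shows the alternative mentioned in the thread of having Logstash poll Elasticsearch on a schedule. Both paths fan out to Elasticsearch and to QRadar over syslog, which QRadar ingests through a standard syslog log source. Hostnames, ports, credential variables, the `.p12` path and the index pattern are placeholders you must replace with your own values.

```conf
# Added example: Fleet -> Logstash -> Elasticsearch + QRadar (syslog).
# All hosts, ports, index names and ${...} variables are placeholders.

input {
  # Fleet agents with their output set to Logstash speak the Beats/Lumberjack
  # protocol. Mutual TLS is required for the Fleet -> Logstash output.
  elastic_agent {
    port => 5044
    ssl_enabled => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.pkcs8.key"
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_client_authentication => "required"
  }

  # Alternative raised in the thread: have Logstash pull already-indexed
  # documents from Elasticsearch on a schedule and forward them. Polling a
  # time window like this can miss late-arriving documents or re-read
  # documents near the window edge, so the Fleet -> Logstash path above is
  # the more reliable one; this is shown only for comparison.
  # elasticsearch {
  #   hosts    => ["https://es01.example.internal:9200"]
  #   user     => "${ES_READER_USER}"
  #   password => "${ES_READER_PASSWORD}"
  #   index    => "logs-*"              # placeholder index pattern
  #   query    => '{ "query": { "range": { "@timestamp": { "gte": "now-1m" } } } }'
  #   schedule => "* * * * *"           # run once per minute
  #   ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
  # }
}

filter {
  # Keep the raw event for Elasticsearch, but build a compact single-line
  # message for QRadar so its parsers receive something predictable.
  mutate {
    add_field => {
      "[@metadata][qradar_msg]" => "host=%{[host][name]} dataset=%{[event][dataset]} msg=%{[message]}"
    }
  }
}

output {
  # Path 1: the normal Elastic data-stream destination.
  elasticsearch {
    hosts       => ["https://es01.example.internal:9200"]
    data_stream => true
    user        => "${ES_WRITER_USER}"
    password    => "${ES_WRITER_PASSWORD}"
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
  }

  # Path 2: QRadar, fed as RFC 5424 syslog over TLS on a port that matches a
  # QRadar "Syslog" log source configured for TLS. "ssl-tcp" is the syslog
  # output plugin's protocol value; use "tcp" only inside a trusted segment.
  syslog {
    host     => "qradar.example.internal"   # placeholder QRadar console/EP
    port     => 6514
    protocol => "ssl-tcp"
    rfc      => "rfc5424"
    facility => "security/authorization messages"
    severity => "informational"
    appname  => "logstash"
    message  => "%{[@metadata][qradar_msg]}"
  }
}
```

Because each output is independent, a QRadar outage does not stop indexing into Elasticsearch, but Logstash's in-memory queue will back up and eventually block the pipeline; enabling the persistent queue (`queue.type: persisted` in `logstash.yml`) is the usual way to ride out a short QRadar downtime without dropping events. Since the basic license allows only one default Fleet output, every Fleet policy will land in this pipeline; use `filter` conditions on `[event][dataset]` if only some sources should reach QRadar.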


I did not get this information anywhere. I was just wondering whether it's possible. And I found out that it's not, just as you said :)

That's an important clarification. Thank you for the explanation. Actually, that was my case: I wanted to use multiple policies with different outputs.