I'm currently playing around with the Elastic Defend component. I recently rolled it out to a macOS machine in order to gather process and file events.
My question here is, where are these logs stored locally on the endpoint? (This would at least be required if the connection to Elastic is lost, since the events then have to be buffered temporarily.)
I analyzed the log files in /Library/Elastic/ (agent and endpoint) as well as /var/log, but was unable to find these particular events there.
Hey @marmai16. Defend buffers events locally to Endpoint/state/documents. The files are in an internal/opaque format and not intended to be consumed by anything but Defend. The format may change at any time.
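A quick way to confirm the behaviour described in the reply above, as an added example that is not code from this thread or from Elastic: sample the spool directory twice while egress to Elastic is blocked and see whether it grows. The reply gives the relative path Endpoint/state/documents; the absolute path below assumes the standard macOS install root /Library/Elastic and is an assumption, as is the need for sudo (Endpoint's state directory is root-owned on a default install). The files themselves are opaque, so the script deliberately only measures them and never parses them.

```shell
#!/bin/sh
# Added example: confirm that Elastic Defend is spooling events locally.
# Assumed path: /Library/Elastic/Endpoint/state/documents (install root assumed).
SPOOL="${SPOOL:-/Library/Elastic/Endpoint/state/documents}"

# Number of regular files in the spool directory (0 if it does not exist).
spool_files() {
    [ -d "$1" ] || { echo 0; return 0; }
    n=$(find "$1" -type f | wc -l)
    echo $((n))            # arithmetic expansion strips wc's padding on macOS
}

# Total bytes of all regular files in the spool directory.
# Using cat | wc -c keeps this portable (no stat -f / stat -c flag differences).
spool_bytes() {
    [ -d "$1" ] || { echo 0; return 0; }
    b=$(find "$1" -type f -exec cat {} + | wc -c)
    echo $((b))
}

# Exit 0 if the second sample is larger than the first, 1 otherwise.
spool_grew() {
    [ "$2" -gt "$1" ]
}

# Take two samples INTERVAL seconds apart and report whether the spool grew.
# Run with sudo after blocking outbound traffic to your Elastic cluster, then
# generate some process/file activity on the machine between the samples.
spool_watch() {
    dir="$1"; interval="${2:-30}"
    before=$(spool_bytes "$dir")
    echo "files=$(spool_files "$dir") bytes=$before"
    sleep "$interval"
    after=$(spool_bytes "$dir")
    echo "files=$(spool_files "$dir") bytes=$after"
    if spool_grew "$before" "$after"; then
        echo "spool grew by $((after - before)) bytes: events are being buffered"
    else
        echo "spool did not grow: no events generated, or the agent is shipping normally"
    fi
}

# Usage (needs root on a default install):
#   sudo sh -c '. ./spool_watch.sh; spool_watch "$SPOOL" 30'
```

Bytes can also shrink between samples when Defend rotates or flushes spool files, so treat a non-growing spool as "check again with more activity" rather than as proof that nothing is buffered. Because the format is internal and may change, do not build detections or forensics on the contents of these files; the shipped events in your Elasticsearch indices are the supported source.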