Log Storage Location - Elastic Defend Logs macOS

marmai16 · July 10, 2024, 5:13pm

Hello everyone,

i'm currently playing around with the Elastic Defend component. I recently rolled it out to a macOS machine in order to gather process and file events.

My question here is, where are these logs stored locally on the Endpoint ? (This would be at least required if the connection to elastic is lost, so the events have to be buffered temporarily).

I analyzed the log files in /Library/Elastic/ (agent and endpoint) as well as /var/log, but was unable to find these particular events there.

Thank you in advance!

leandrojmp · July 10, 2024, 6:48pm

The agent does not buffer on disk yeat, it only has memory buffer.

There is an open issue for adding it: Support the Beats disk queue in Elastic Agent · Issue #3490 · elastic/elastic-agent · GitHub

gabriel.landau · July 10, 2024, 6:57pm

Hey @marmai16. Defend buffers events locally to Endpoint/state/documents. The files are in an internal/opaque format and not intended to be consumed by anything but Defend. The format may change at any time.

Topic		Replies	Views
Elastic Agent offline caching of events Elastic Agent fleet	6	281	October 23, 2025
Elastic defendで取得するログについて Elastic Agent	1	319	May 27, 2023
Where can I find logs on Linux machine Logstash	9	23802	July 6, 2017
Install Elastic Security Endpoint Endpoint Security	4	416	October 13, 2020
Elastic agent log Elastic Agent	1	883	December 14, 2024

Log Storage Location - Elastic Defend Logs macOS

Related topics