I'm using the Mimecast integration and it's suddenly stopped ingesting the SIEM logs. The logs on the Elastic Agent indicate that events are being published, but they are not showing up in the index in ELK. Has anyone run into this or have any suggestions?
This was a user error, sort of. Logs were still being ingested, but the agent is working through a massive backlog, as it turns out. Sorting by event.ingested (as suggested on the Elastic Slack) clued me in.
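A way to make that check repeatable, as an added example that is not code from the thread or from the Mimecast integration: sort by `event.ingested` descending, then compare each document's ingest time with its `@timestamp`. If the most recently ingested documents are arriving now but carry event times hours or days old, the pipeline is alive and working a backlog; if nothing has been ingested for a long time, it is actually stalled. The index pattern, the one-hour threshold, and the sample hits (shaped like `_search` hits requested with the `fields` parameter) are all assumptions constructed for the example.

```python
"""Tell an ingest stall from an ingest backlog using @timestamp vs event.ingested."""
from datetime import datetime, timedelta, timezone


def backlog_query(size: int = 50) -> dict:
    """Body for GET logs-mimecast.*/_search (index pattern assumed).

    Sorting by event.ingested (not @timestamp) shows what the pipeline wrote
    most recently, which is what a backlog hides when sorting by event time.
    """
    return {
        "size": size,
        "_source": False,
        "fields": ["@timestamp", "event.ingested"],
        "sort": [{"event.ingested": {"order": "desc"}}],
    }


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp as Elasticsearch emits it (trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def ingest_lags(hits: list) -> list:
    """Per-document lag between event time and ingest time, as timedeltas."""
    lags = []
    for hit in hits:
        fields = hit["fields"]  # `fields` values are always arrays
        event_time = parse_ts(fields["@timestamp"][0])
        ingested = parse_ts(fields["event.ingested"][0])
        lags.append(ingested - event_time)
    return lags


def diagnose(hits: list, now: datetime,
             threshold: timedelta = timedelta(hours=1)) -> dict:
    """Classify the newest-ingested hits as 'stalled', 'backlog' or 'healthy'.

    stalled : nothing ingested within `threshold` of `now`
    backlog : ingest is current but the median event time lags by > threshold
    healthy : both recent ingest and small lag
    """
    if not hits:
        return {"verdict": "stalled", "reason": "no documents returned"}
    newest_ingest = max(parse_ts(h["fields"]["event.ingested"][0]) for h in hits)
    since_last_ingest = now - newest_ingest
    lags = sorted(ingest_lags(hits))
    median_lag = lags[len(lags) // 2]
    if since_last_ingest > threshold:
        verdict = "stalled"
    elif median_lag > threshold:
        verdict = "backlog"
    else:
        verdict = "healthy"
    return {
        "verdict": verdict,
        "seconds_since_last_ingest": int(since_last_ingest.total_seconds()),
        "median_lag_seconds": int(median_lag.total_seconds()),
    }


def _hit(ts: str, ingested: str) -> dict:
    return {"fields": {"@timestamp": [ts], "event.ingested": [ingested]}}


# Constructed sample data; times are hypothetical.
NOW = datetime(2023, 5, 3, 12, 0, 30, tzinfo=timezone.utc)

# Ingested seconds ago, but the events themselves are two days old: a backlog.
BACKLOG_HITS = [
    _hit("2023-05-01T08:00:00.000Z", "2023-05-03T12:00:05.000Z"),
    _hit("2023-05-01T08:00:01.000Z", "2023-05-03T12:00:02.000Z"),
    _hit("2023-05-01T07:59:55.000Z", "2023-05-03T11:59:58.000Z"),
]

# Ingested seconds ago and events are seconds old: healthy.
HEALTHY_HITS = [
    _hit("2023-05-03T12:00:18.000Z", "2023-05-03T12:00:20.000Z"),
    _hit("2023-05-03T12:00:09.000Z", "2023-05-03T12:00:10.000Z"),
]

# Last write three hours ago: the pipeline really has stopped.
STALLED_HITS = [
    _hit("2023-05-03T08:59:59.000Z", "2023-05-03T09:00:00.000Z"),
]

if __name__ == "__main__":
    for name, hits in (("backlog", BACKLOG_HITS), ("healthy", HEALTHY_HITS),
                       ("stalled", STALLED_HITS)):
        print(name, diagnose(hits, NOW))
```

In Kibana the same check is sorting Discover on `event.ingested` instead of `@timestamp`; the script just turns it into something a monitoring job can assert on, with the time window hardcoded so it runs offline.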