Multi-tenant with Fleet and one single policy with integrations

I have a question.

  1. I built a structure using Elasticsearch and Fleet Server.
  2. In Fleet Server I have a policy called "Agent Windows" with some integrations.
  3. I want to install the SAME "Agent Windows" for DIFFERENT companies (Company 1 and Company 2)
  4. In this way, ALL documents are collected in the same index. For example, in logs-* there are both documents coming from Company 1 endpoints and documents coming from Company 2 endpoints.
  5. Now. I want to create different spaces for Company 1 and Company 2 where they see only their data.
  6. To do what I wrote in point 5, I want to split all documents in logs-* based on a FIELD. For example, organization.name=COMPANY1 or organization.name=COMPANY2.

THE PROBLEM IS --> these documents do not have the field "organization.name"!! So I need to add a custom field, but...

I can only add a STATIC custom field. Only Company 1 or Company 2.

My idea was this.
Each endpoint has an environment variable with the company name written: Company 1 or Company 2.

I would like the variable to be read dynamically and added to the organization.name field.

This way I would have documents arriving on elasticsearch with the organization.name field filled with Company 1 or Company 2.

I hope I explained myself.

Is there a way to do it?

Thanks a lot in advance.

In theory I think you can use an add_fields processor.

Something like this:

- add_fields:
    target: organization
    fields:
      name: "${ORGANIZATION_NAME}"

You would need to add this processor in every dataset for every integration as shown in the example of the documentation and also make sure that every host has this variable set.

I didn't test it, so you need to check if it will work.

But I would say that it would be better to have an Agent Policy per client in this case, as this would also enable you to have different retention per client if needed in the future.
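The processor above reads a value from the host at config-load time, so the case worth checking before rolling it out is a host where the variable is missing. The following is an added example, not code from the thread or from Elastic: it emulates how the Beats/Elastic Agent config loader resolves `${VAR}` and `${VAR:default}` references, and renders the processor the way a given host would see it. The variable name ORGANIZATION_NAME and the fallback value "unassigned" are assumptions.

```python
"""Added example, not code from the thread or from Elastic: emulates how Beats and
Elastic Agent resolve ${VAR} / ${VAR:default} references in a processor, to show
what happens on a host where the variable is not set. The variable name
ORGANIZATION_NAME and the fallback value "unassigned" are assumptions."""
import os
import re

# Leandro's processor with one change: a ${VAR:default} fallback. Without it a
# host that lacks the variable cannot load the config at all; with it, such a
# host is tagged "unassigned" instead of silently joining another tenant.
PROCESSOR_YAML = """\
- add_fields:
    target: organization
    fields:
      name: "${ORGANIZATION_NAME:unassigned}"
"""

_VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")


def expand_env_vars(text: str, env: dict) -> str:
    """Substitute ${VAR} and ${VAR:default} the way the Beats config loader does.
    An unresolvable reference with no default raises: the agent rejects such a
    config rather than shipping documents with an empty tenant tag."""
    def repl(match: re.Match) -> str:
        name, default = match.group(1), match.group(2)
        if name in env:
            return env[name]
        if default is not None:
            return default
        raise KeyError(f"unresolved variable ${{{name}}} in processor config")
    return _VAR_RE.sub(repl, text)


def loads_ok(text: str, env: dict) -> bool:
    """True if every variable reference in `text` resolves under `env`."""
    try:
        expand_env_vars(text, env)
        return True
    except KeyError:
        return False


def tenant_tag(env: dict) -> str:
    """The organization.name value this host's rendered processor stamps on
    every event; this is the exact keyword a per-tenant query must match."""
    rendered = expand_env_vars(PROCESSOR_YAML, env)
    return re.search(r'name: "([^"]*)"', rendered).group(1)


if __name__ == "__main__":
    # Render the processor with this machine's real environment.
    print(expand_env_vars(PROCESSOR_YAML, dict(os.environ)))
    print("this host would be tagged:", tenant_tag(dict(os.environ)))
```

One practical caveat on the "every host has this variable set" part: the agent runs as a service, so on Windows the variable has to be a system (machine) environment variable, not a user variable, and the elastic-agent service has to be restarted after it is set, otherwise the fallback value is what ends up in the documents.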

Hello Leandro!
Thanks for the quick response!

I'll update you.
In the meantime I've tried other things and... I've found the solution that works for me.

In Fleet > Agent Policy "Agent Windows" > Settings, I set the custom field like this:

and it works.

Each document of each integration adds the "organization.name" field by reading from the environment variable. Obviously the environment variable must be set on the computer.

Log retention will then be the same for all companies.

Based on your experience, is it correct to create a multi-tenant structure that uses indexes to collect documents from ALL companies, and then split them based on a field?

Thanks again. I hope this can help other people!
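The question just above is left open in the thread. Whichever way it is answered, one point holds if tenants share logs-*: a Kibana space only scopes saved objects (dashboards, index patterns), it does not hide documents. The split by organization.name has to be enforced by Elasticsearch through a role whose index privilege carries a document-level security query, and that role is what the space's users get. The block below is an added example, not code from the thread or from Elastic: it builds such a role body and applies the same term filter locally to a few constructed documents, so the exact-match behaviour of the query is visible. The role name, space ids and sample documents are assumptions.

```python
"""Added example, not from the thread or from Elastic: the per-tenant role that
makes "users in Company 1's space see only Company 1's data" true at the index
level. Space ids, role naming and the sample documents are constructed."""
import json


def tenant_role(tenant: str, space_id: str) -> dict:
    """Body for PUT _security/role/<name>. The DLS `query` restricts every read
    on logs-* to documents whose organization.name equals this tenant's tag;
    the application privilege limits the user to the tenant's Kibana space."""
    return {
        "indices": [{
            "names": ["logs-*"],
            "privileges": ["read", "view_index_metadata"],
            "query": {"term": {"organization.name": tenant}},
        }],
        "applications": [{
            "application": "kibana-.kibana",
            "privileges": ["feature_discover.read", "feature_dashboard.read"],
            "resources": [f"space:{space_id}"],
        }],
    }


# Constructed documents as they would arrive in logs-* from the shared policy.
SAMPLE_DOCS = [
    {"host": {"name": "c1-ws01"}, "organization": {"name": "COMPANY1"}, "message": "logon"},
    {"host": {"name": "c2-srv01"}, "organization": {"name": "COMPANY2"}, "message": "logon"},
    # Host whose variable was set to "Company 1" instead of "COMPANY1".
    {"host": {"name": "c1-ws02"}, "organization": {"name": "Company 1"}, "message": "logon"},
    # Host enrolled before the custom field existed: no organization.name at all.
    {"host": {"name": "old-ws"}, "message": "logon"},
]


def visible_to(tenant: str, space_id: str, docs: list) -> list:
    """Apply the role's DLS query locally. `term` on the keyword field
    organization.name is an exact, case-sensitive match: a document tagged
    "Company 1" or with no tag is invisible to every tenant role, and only an
    unrestricted (admin) role will ever see it."""
    query = tenant_role(tenant, space_id)["indices"][0]["query"]
    wanted = query["term"]["organization.name"]
    return [d for d in docs if d.get("organization", {}).get("name") == wanted]


def hidden_from_all(tenants: dict, docs: list) -> list:
    """Documents no tenant role can see; a non-empty list means mis-tagged hosts."""
    seen = {id(d) for t, s in tenants.items() for d in visible_to(t, s, docs)}
    return [d for d in docs if id(d) not in seen]


if __name__ == "__main__":
    print(json.dumps(tenant_role("COMPANY1", "company1"), indent=2))
    for d in hidden_from_all({"COMPANY1": "company1", "COMPANY2": "company2"}, SAMPLE_DOCS):
        print("not visible to any tenant:", d["host"]["name"])
```

The body prints as JSON and can be sent with `PUT /_security/role/company1_logs_reader`; one role per tenant, one space per tenant, and the tenant's users are mapped to that role only. Two things follow from the example. First, whatever string the environment variable holds is the string the query must match exactly, so the value should be normalised (one spelling, one case) before the first agent is enrolled. Second, the tag is read from a variable the endpoint controls, so a host can claim any tenant it likes; the per-client agent policy with a static value, which the thread already mentions, removes that dependency on the host, and a periodic check for documents that no tenant role can see (the `hidden_from_all` idea, run as a query on logs-* for missing or unknown organization.name values) catches the hosts that were never tagged.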