Hi all,
I've been really enjoying using ELK , I first started off my deploying a fleet and installing an elastic agent on a Windows desktop . I've since enabled Windows sysmon integration from the install list and have been monitoring my endpoints sysmon output with no issues what so ever.
The issue is this , and I know I'm so close but I cant seem to figure it out. I have a pfsense netgate sg 1100 and am trying to send syslogs over to my ELK windows elastic agent fleet via the pfsense integration , I have configured it to the same IP as the windows elastic agent ipv4 address as syslog host and pointed my pfsense device at that ip and port 514 as well. I've excluded those ports in windows firewall, restarted both firewall and elastic agents. I have ensure I updated and overwrote the elastic-agent.yml with the following info:
outputs:
default:
type: elasticsearch
hosts: [MY.AGENT.IP:PORT]
api_key: "Got this from Enrollment token in fleet "
username: "elastic"
password: "entered pass provided at setup"
Btw do I need to include quotations in the .yml file?
I've done everything I think I need to and yet I'm not seeing any additional to logs* data field, data_stream": "dataset": "pfsense.log in my Discover tab, it's not showing up in my fleet data stream either.
I thought I could combine my sysmon and pfsense into the same fleet, i'm brand new here so maybe I'm doing something wrong - am I missing a step? Do I need to add a custom data stream somehow ? I thought I just needed to configure the integration and it would start filtering into logs* and be searchable in the datastream is fields , just like the sysmon integration did but it's not.
Sorry I know this is long winded but I've spent literal days on this and I want to be thorough.
Any advice or suggestions would be appreciated : ] thanks!