Osquerybeat standalone without elastic-agent?

Hi,

I'm currently using various *beats deployed to servers and clients. For a number of reasons, I have my beats output to logstash before they are sent to Elasticsearch. I'm evaluating elastic-agent, to at least replace the *beats at the clients. As I see it, elastic-agent doesn't (yet?) support output sent to logstash?

Currently I've deployed osquery on servers and clients. osqueryd is reporting back to a kolide fleet server, where the logs are picked up by filebeat and sent to logstash -> Elasticsearch.

Using the osquery-manager integration for the clients, osquery on them will report directly to the fleet server, not to kolide anymore, great.
However, the servers would still be connected to the kolide osquery server. Having them split is just impractical, meaning I'd have to keep maintaining the kolide fleet server for the servers, and when investigating, i.e. to run live queries, I'd have to visit two UIs, combine output, etc. That would just be cumbersome and impractical.

The osquerybeat is not mentioned here: What are Beats? | Beats Platform Reference [7.14] | Elastic. However, I could grab the tarball from a host with elastic-agent running that has fetched it, and install it on other hosts. I guess I'd have to point it to the fleet server to actually be able to run live queries?

Or is it possible to keep the current separately installed *beats for the servers, and just add an elastic-agent to these nodes, with only the osquery-manager integration for the servers? Then the, let's call them, legacy *beats could continue to output to logstash, and only the elastic-agent with osquerybeat would connect to the elastic fleet server. Would that be a viable solution?

My main motivation is to potentially get rid of the kolide fleet server, and to have all osquery-related stuff well integrated into Kibana.

Sebastian

I think eventually the logstash output will be available. It is not production ready from what I have read, but you can run it in a stand-alone configuration. See the documentation for 7.15.

Hi @zx8086

Just before I saw your reply, I found out about the agent in stand-alone mode and its logstash output. I haven't yet 100% made up my mind about what will have more advantages for me, standalone or fleet-managed mode of the agent.
I don't really need the osquery output sent to logstash, my *beats do the logstash output for other reasons.

But when using osquery_manager integration, for the clients, and keep kolide fleet server for the servers, that would just be an additional burden.

In the meantime, I'm testing more, and it seems, at least here on a Windows host I tested, I have a separate winlogbeat running as well as elastic agent.
I need some more testing, but I think it seems elastic-agent, taking care solely of osquerybeat, can coexist with the other standalone *beats on the same machine.

So I could run live queries and scheduled queries from that single point in Kibana.

So I guess the options I have to evaluate are: agent in standalone mode vs. fleet-managed agent + *beats on the same node.

Thanks
Sebastian

I'm running Fleet Managed agents with *beats on the same nodes to gap the feature disparity between the two. At the end of the day the beats and elastic-agent data gets into Elasticsearch, where most of my work is done. Logstash Output is one of a few reasons (packetbeats being another) we stick to beats and have not fully moved completely over to the Fleet Manager Agents setup.

Also testing the Osquery Manager to run the Live and Scheduled Group queries.

Thanks for your input. It seems that with mixing *beats and the agent, I'm not totally off-track, and it's probably the way to go for the time being.

On some agents I have Auditbeat, Metricbeat, Filebeat & Packetbeat running alongside the Elastic-Agent. It works to use the best of both worlds until one can fully replace the other.