As we're rolling out Fleet to our servers, one question I had around agent policies used by the agents was whether it's possible for a policy to inherit the integrations of another, like a parent-child relationship?
For example:
a base policy that defines some standard integrations such as syslog or Elastic Defend.
a policy for a specific type of server that has an integration for a specific application.
Can that role-specific policy inherit the integrations from the base policy? Otherwise we have to configure those global integrations for every agent policy with unique names and keep the settings in sync.
While we could add every role-specific integration to the global policy and use it on every server, it seems wasteful having the agent on every server try to collect logs for things that don't exist on that server.
We don't have any form of inheritance relationships for agent policies.
I'm not sure how complex your use case is with regard to the number of base integrations (and how many customizations you require), but typically we recommend using different policies.
I've had this same question, and I was hoping the reply from Elastic regarding this would have been "It's a feature request we're working on", but that doesn't appear to be the case.
Where would be the proper place to submit this as a feature request?
Initially it was more complex than it currently is, we were planning on at least one policy per environment so that each one could output through a specific endpoint to that environment, but have since simplified it. We do still have a couple of different policies, such as one that collects logs and metrics from third-party services like Google or 1Password.
Using Defend as an example (though this could apply to any integration), different policies now mean we have multiple places where we need to keep our Defend preferences (block/notify behaviour, allowlisting, event collection settings, etc.) in sync, to ensure that a server handling those third-party logs has the same Defend configuration as another server.
The lack of control via infrastructure-as-code exacerbates this, since it means manually checking and updating each policy in the UI to make sure they match. If we were able to have policies inherit other policies, we could set one integration at the top level without needing to reconfigure it on each policy.
Totally agreed, policy inheritance could be a great feature for Defend but also for other integrations (system, windows, etc.). It's time consuming and not efficient to edit dozens of policies to apply the same basic settings.
There is a way to do this (somewhat), however it isn't well "advertised" and it is also inconsistently supported by integrations.
You can achieve this via conditions. Note that the main "issue" here is that a lot of the Fleet-managed integrations currently don't allow for setting the condition field, so it is somewhat hit or miss as to whether this will work all of the time.
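As an added illustration of the conditions approach (not posted by anyone in this thread), the policy below is written in Elastic Agent standalone-policy form, where each input exposes a `condition` field; the hostname prefix `web-`, the log paths and the output address are assumed values. The base syslog input runs on every host, while the application input is only started on Linux hosts whose name carries the assumed prefix, so one policy can hold both the shared and the role-specific inputs.

```yaml
# Added example: one agent policy carrying both a shared ("base") input and a
# role-specific input gated by a condition. Hostname prefix, log paths and the
# output address are assumed values, not taken from the thread.
outputs:
  default:
    type: elasticsearch
    hosts: ["https://elasticsearch.example.internal:9200"]   # assumed address
    api_key: "<api-key-placeholder>"                         # placeholder

inputs:
  # Base input: no condition, so it is collected on every host running
  # this policy (the syslog/Defend-style settings live in one place).
  - id: base-syslog
    type: logfile
    use_output: default
    streams:
      - id: base-syslog-stream
        data_stream:
          dataset: system.syslog
        paths:
          - /var/log/syslog
          - /var/log/messages

  # Role-specific input: the condition is evaluated per host using the
  # agent's host provider variables, so only Linux hosts named "web-*"
  # (assumed naming scheme) start this input; other hosts skip it entirely
  # instead of tailing paths that do not exist there.
  - id: role-nginx-access
    type: logfile
    use_output: default
    condition: ${host.platform} == 'linux' and startsWith(${host.name}, 'web-')
    streams:
      - id: role-nginx-access-stream
        data_stream:
          dataset: nginx.access
        paths:
          - /var/log/nginx/access.log
```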