Processors in Endpoint/Elastic-Agent

Hello,

We are testing Elastic-Agent and found that in the streams configuration we can add "processors" that take care of adding custom fields for things like Filebeat/Metricbeat. This is a useful feature, but we cannot find how to do this in the endpoint configuration for events. We have the option to enable/disable the events but no option to add processors for them.

Can you assist us in configuring the same sorts of processors we use for our beats data for the events of the endpoint integration?

Example elastic-agent.yaml snippet:

inputs:
- id: XXXX
  name: system-1
  revision: 1
  type: logfile
  use_output: default
  meta:
    package:
      name: system
      version: 0.12.7
  data_stream:
    namespace: XXX
  streams:
    - id: logfile-system.syslog-XXX
      data_stream:
        dataset: system.syslog
        type: logs
      paths:
        - /var/log/messages*
        - /var/log/syslog*
      exclude_files:
        - .gz$
      multiline:
        pattern: ^\s
        match: after
      processors:
        - add_locale: null
        - add_fields:
            target: ''
            fields:
              ecs.version: 1.9.0
        - add_fields:
            target: ''
            fields:
              fields.udid: XXX
              agent.version: test-unknown
              agent.id: XXX
              organization.name: company-1
              organization.id: XXX
              organization.parent_id: XXX

Example elastic-endpoint.yaml:

policy:
    linux:
      logging:
        file: info
      events:
        process: true
        file: true
        network: true
    windows:
      popup:
        malware:
          enabled: true
          message: 'Elastic Security {action} (unknown)'
        ransomware:
          enabled: true
          message: 'Elastic Security {action} (unknown)'
      malware:
        mode: prevent
      logging:
        file: info
      antivirus_registration:
        enabled: false
      events:
        registry: true
        process: true
        security: true
        file: true
        dns: true
        dll_and_driver_load: true
        network: true
      ransomware:
        mode: prevent
    mac:
      popup:
        malware:
          enabled: true
          message: 'Elastic Security {action} (unknown)'
      malware:
        mode: prevent
      logging:
        file: info
      events:
        process: true
        file: true
        network: true

Which integrations do you have added to your policies in fleet?

Only a very select few have custom options atm.

@bm11100 adding custom processors to the Endpoint configuration is currently not supported.
The events that the Endpoint streams follow a specific schema that could cause unexpected results if manipulated.

However, there may be other ways to accomplish what you're looking for. You may be able to use Ingest Pipelines or Transforms to stream data from the indices that Endpoint streams to new destination indices with the additional custom fields.

This is just one suggestion. If you give more details on your use case with the custom fields, we can assist further or consider future features, such as custom processors for custom fields, when configuring the Endpoint integration.
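To make the ingest-pipeline suggestion concrete, here is an added example that is not from this thread or from Elastic. It converts the add_fields processors from the elastic-agent.yaml in the question into the body of an Elasticsearch ingest pipeline (one `set` processor per field) and applies that pipeline locally to a constructed Endpoint-style event so the result can be inspected offline. The event contents, the pipeline name and the `fields.udid` / `organization.*` values are placeholders copied from or modelled on the question; `agent.*` is deliberately left alone because Endpoint populates those fields itself, and `ecs.version` is set with `override: false` so the schema value already on the event is not clobbered.

```python
"""Added example: build an ingest pipeline from beats-style add_fields
processors and apply it locally to a constructed Endpoint event."""
import copy
import json

# The add_fields blocks from the question (placeholder values kept as-is).
AGENT_PROCESSORS = [
    {"add_fields": {"target": "", "fields": {"ecs.version": "1.9.0"}}},
    {"add_fields": {"target": "", "fields": {
        "fields.udid": "XXX",
        "organization.name": "company-1",
        "organization.id": "XXX",
        "organization.parent_id": "XXX",
    }}},
]

# Constructed sample document shaped like an Endpoint process event.
SAMPLE_EVENT = {
    "@timestamp": "2021-01-01T00:00:00.000Z",
    "event": {"dataset": "endpoint.events.process", "action": "exec"},
    "process": {"name": "bash", "pid": 4242},
    "ecs": {"version": "1.11.0"},
    "agent": {"id": "agent-id-placeholder", "type": "endpoint"},
}


def agent_processors_to_pipeline(processors, description):
    """Return an ingest pipeline body with one `set` processor per field.

    Only add_fields is translated; other beats processors (add_locale, ...)
    have no one-to-one `set` equivalent and are skipped here.
    """
    sets = []
    for proc in processors:
        cfg = proc.get("add_fields")
        if cfg is None:
            continue
        # Beats puts add_fields under "fields" unless target is given;
        # target '' means the document root.
        target = cfg.get("target", "fields")
        for key, value in cfg["fields"].items():
            field = f"{target}.{key}" if target else key
            # override=false keeps a value the event already carries.
            sets.append({"set": {"field": field, "value": value,
                                 "override": False}})
    return {"description": description, "processors": sets}


def set_field(doc, path, value, override):
    """Local stand-in for the `set` processor: dotted path -> nested keys."""
    parts = path.split(".")
    node = doc
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    if override or node.get(parts[-1]) is None:
        node[parts[-1]] = value


def apply_pipeline_locally(pipeline, event):
    """Apply the pipeline's `set` processors to a copy of the event."""
    out = copy.deepcopy(event)
    for proc in pipeline["processors"]:
        cfg = proc["set"]
        set_field(out, cfg["field"], cfg["value"], cfg.get("override", True))
    return out


if __name__ == "__main__":
    pipeline = agent_processors_to_pipeline(
        AGENT_PROCESSORS, "add organization fields to endpoint events")
    # This body is what you would PUT to _ingest/pipeline/<pipeline-name>.
    print(json.dumps(pipeline, indent=2))
    print(json.dumps(apply_pipeline_locally(pipeline, SAMPLE_EVENT), indent=2))
```

The printed pipeline body is what would go to `PUT _ingest/pipeline/<pipeline-name>`. Where it is hooked in depends on the stack version: in recent versions the Fleet-managed pipeline of each data stream calls a `<type>-<dataset>@custom` pipeline (for example `logs-endpoint.events.process@custom`) when it exists, which is the intended place for additions like this; on the version in the question that hook may not be available, so check the ingest pipeline list for the data stream you run before relying on it.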

Documentation:
