I have an ES cluster with Fleet Server, Kibana and elastic-agents. I want to create a DR (disaster recovery) setup for it. I am running alerts and ML rules with Elastic Defend in this setup. If I go for bi-directional cross-cluster replication, the setup will be like below:
DC1 has its own Kibana, Fleet and elastic-agents installed on DC1 servers, and DC2 (the DR DC) must have its own Fleet and elastic-agents installed on DC2 servers. In this case I have to configure rules and alerts in the two DCs separately. Is there any way to avoid this and handle both DCs using a single Kibana?
Or is there any other suggested way to set up a DR Fleet Server?
I don't think so. Each Kibana can be connected to only one cluster, so you would need one Kibana for each server.
Not sure what you mean by DR for Fleet Server; it does not support it.
Each agent can be managed by only one Fleet Server, so if you have agents being managed by a Fleet Server in your DC1, and your Fleet Server in DC1 is offline, you will not be able to manage these agents until the Fleet Server is back online.
If you want to have a bi-directional CCR, you will need what you already said: replicate the same rules and alerts in both clusters.
This is a dumb question, but I still wish to confirm it: will it be possible to replicate the .fleet index (which stores the data about Fleet Server) to another cluster?
Is there any way to sync rules from one cluster to another?
I don't think so. Not everything that Fleet uses is stored in those indices; you would need a snapshot of the Fleet feature state, and to restore it in another cluster, which would override the agents you have there.
But there is no documentation about it. The only similar documentation that exists is about migrating agents between clusters, and the only way to do that is to re-enroll the agent in the new cluster.
There is nothing built-in for that, but everything uses an API, so you could use the detection rules API to build an export/import flow to replicate your rules.
Today, "Multi-Cluster Fleet is not supported". It is something that has been discussed and is in the planning phases. It is a much-requested feature, so we want to get it right. No ETA for delivery (not to mention that Elastic does not pre-announce feature releases).
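The export/import flow suggested in the thread, as an added sketch that is not part of any post and not Elastic's own tooling: it builds the Kibana detection engine `_export` and `_import` calls with the standard library. The hostnames, API keys, function names and the constructed sample export are assumptions for illustration.

```python
import json
import urllib.request
import uuid

EXPORT_PATH = "/api/detection_engine/rules/_export"
IMPORT_PATH = "/api/detection_engine/rules/_import?overwrite=true"

# Constructed sample of an export file: two rule lines plus the trailing summary line.
SAMPLE_EXPORT = (b'{"rule_id":"constructed-rule-1","name":"A","type":"query"}\n'
                 b'{"rule_id":"constructed-rule-2","name":"B","type":"machine_learning"}\n'
                 b'{"exported_count":2,"missing_rules":[],"missing_rules_count":0}\n')

def _request(base_url, path, api_key, body=None, content_type=None):
    """POST to a Kibana API; Kibana rejects write requests without kbn-xsrf."""
    headers = {"Authorization": "ApiKey " + api_key, "kbn-xsrf": "true"}
    if content_type:
        headers["Content-Type"] = content_type
    return urllib.request.Request(base_url.rstrip("/") + path, data=body,
                                  method="POST", headers=headers)

def export_request(base_url, api_key):
    # No body: export every detection rule in the default space as NDJSON.
    return _request(base_url, EXPORT_PATH, api_key)

def import_request(base_url, api_key, ndjson, boundary=None):
    """Wrap exported NDJSON in the multipart 'file' field that _import expects."""
    boundary = boundary or uuid.uuid4().hex
    head = ('--%s\r\nContent-Disposition: form-data; name="file"; '
            'filename="rules.ndjson"\r\nContent-Type: application/x-ndjson\r\n\r\n'
            % boundary).encode()
    tail = ("\r\n--%s--\r\n" % boundary).encode()
    return _request(base_url, IMPORT_PATH, api_key, head + ndjson + tail,
                    "multipart/form-data; boundary=" + boundary)

def rule_ids(ndjson):
    """rule_id of every rule line; the summary line carries no rule_id."""
    docs = (json.loads(line) for line in ndjson.splitlines() if line.strip())
    return [d["rule_id"] for d in docs if "rule_id" in d]

def replicate(src_url, src_key, dst_url, dst_key):
    """Copy rules from the DC1 Kibana to the DC2 Kibana; fail loudly on import errors."""
    with urllib.request.urlopen(export_request(src_url, src_key)) as resp:
        ndjson = resp.read()
    with urllib.request.urlopen(import_request(dst_url, dst_key, ndjson)) as resp:
        result = json.loads(resp.read())
    if result.get("errors"):
        raise RuntimeError("import errors: %s" % result["errors"])
    return rule_ids(ndjson), result.get("success_count")

if __name__ == "__main__":
    print(rule_ids(SAMPLE_EXPORT))  # offline check against the constructed sample
```

Because the import uses `overwrite=true`, rules in the DR cluster with the same `rule_id` are replaced, so run it in one direction only (DC1 to DC2) with an API key scoped to rule management on each side.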