Hi Guys,
I am integrating SentinelOne with ELK. After adding the console URL and API key, it is showing me that I need to add an Elastic Agent.
Is an Elastic Agent required for this type of integration?
Can anyone help me with this?
Thank you,
Jayesh
Hello @Jayesh_Auti
Welcome to the Community!!
Yes, an Elastic Agent will be required to collect the data. Similar post:
Thanks!!
Hi,
Thank you for clarifying.
I will be doing other integrations like AWS WAF and AWS GuardDuty. For these, will I need a separate Elastic Agent for each, or can I use the same one? And do I have to install the Elastic Agent on the same instance where ELK is hosted, or somewhere else?
Thank you,
Jayesh
Hello @Jayesh_Auti
Whether to have one Elastic Agent or multiple Elastic Agents depends on the type of data we need to collect and how it is available.
For more information, the documentation below will help:
Thanks!!
You will need an Elastic Agent to run those integrations. It is recommended not to run anything else on the Elasticsearch server, so it is better to use a different server.
You can have a single policy for a single agent with those integrations, but in some cases one single agent may not be enough to get the data for some sources.
For example, AWS WAF can have a high volume rate in some cases and you would need multiple agents to consume it from the SQS + S3 configuration, but if you have an integration that uses an API and run it on multiple agents, you will have duplicate data.
So I would recommend having a single policy for integrations where you get the data using some kind of API.
And another policy and agent for integrations where you can consume the data with multiple agents without duplication, like all integrations that use SQS+S3 or Event Hub or Kafka as an input.
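As an added illustration of the point in the reply above (this is a constructed simulation, not code from the thread, from Elastic, or from Elastic Agent itself), the script below models two agents polling the same read-only API with their own cursors, versus two agents consuming one SQS-style queue where a message is hidden on receive and deleted on ack. The event list, the `PollingApi`, `Queue` and agent classes are all invented for the demonstration; the real wiring is done by Fleet policies and the integration inputs, but the duplication behaviour is the same: every API poller sees every event, while queue consumers split the work without overlap.

```python
"""Why API-polling integrations belong on one agent while queue-backed inputs
(SQS+S3, Event Hub, Kafka) can be spread across several.
Constructed example; none of these classes are Elastic Agent code."""
from collections import Counter
from typing import Dict, List

# Constructed sample events, standing in for what a console API (e.g. an EDR
# activities endpoint) or a log bucket would hand out.
SAMPLE_EVENTS: List[Dict] = [{"id": i, "msg": f"event {i}"} for i in range(1, 7)]


class PollingApi:
    """Read-only API: every caller with the same cursor gets the same page.
    Nothing is removed when a client reads, so clients cannot share the work."""

    def __init__(self, events: List[Dict]):
        self._events = events

    def fetch(self, since_id: int = 0) -> List[Dict]:
        return [e for e in self._events if e["id"] > since_id]


class ApiPoller:
    """One agent running an httpjson-style input with its own cursor state."""

    def __init__(self, api: PollingApi):
        self.api = api
        self.cursor = 0

    def poll(self) -> List[Dict]:
        batch = self.api.fetch(self.cursor)
        if batch:
            self.cursor = batch[-1]["id"]  # advance only this agent's cursor
        return batch


class Queue:
    """SQS-like queue: receive() hides messages from other consumers (visibility
    timeout), delete() acknowledges them so they are never redelivered."""

    def __init__(self, messages: List[Dict]):
        self._pending = list(messages)
        self._inflight: Dict[int, Dict] = {}

    def receive(self, max_messages: int = 2) -> List[Dict]:
        batch, self._pending = self._pending[:max_messages], self._pending[max_messages:]
        for m in batch:
            self._inflight[m["id"]] = m
        return batch

    def delete(self, message_id: int) -> None:
        self._inflight.pop(message_id)


class QueueConsumer:
    """One agent running an aws-s3 (SQS notification) style input."""

    def __init__(self, queue: Queue):
        self.queue = queue

    def poll(self) -> List[Dict]:
        batch = self.queue.receive()
        for m in batch:
            self.queue.delete(m["id"])  # ack after the event is indexed
        return batch


def run_api_pollers(n_agents: int) -> List[Dict]:
    """Same API integration on n agents: each agent ingests the full stream."""
    api = PollingApi(SAMPLE_EVENTS)
    collected: List[Dict] = []
    for agent in (ApiPoller(api) for _ in range(n_agents)):
        collected.extend(agent.poll())
    return collected


def run_queue_consumers(n_agents: int) -> List[Dict]:
    """Same queue input on n agents: the queue hands each message out once."""
    queue = Queue(SAMPLE_EVENTS)
    agents = [QueueConsumer(queue) for _ in range(n_agents)]
    collected: List[Dict] = []
    while True:
        got = [e for agent in agents for e in agent.poll()]
        if not got:
            return collected
        collected.extend(got)


def duplicate_count(events: List[Dict]) -> int:
    """Number of events that were ingested more than once."""
    return sum(n - 1 for n in Counter(e["id"] for e in events).values())


if __name__ == "__main__":
    print("API on 2 agents, duplicates:", duplicate_count(run_api_pollers(2)))
    print("Queue on 2 agents, duplicates:", duplicate_count(run_queue_consumers(2)))
```

With two agents the API poller ingests all six events twice, while the two queue consumers between them ingest each event exactly once. That is the reason for the recommended split: one policy (and one agent) for API-based integrations, and a separate policy for SQS+S3, Event Hub or Kafka inputs that can be assigned to as many agents as the volume needs.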