Using Windows integration with policy that is applied to both Windows and Linux hosts

Hi, is it a good idea to use an agent policy with the System and Windows integrations for log collection on both Windows and Linux machines? Will the Windows integration consume too many resources on an OS it does not really need to run on?
The Elastic stack setup is on-premise, if it makes a difference.

Hello,
I am somewhat new to the ELK topic; at worst my comment will simply not help resolve your doubt, but at best maybe it will.

I set myself the task of reviewing the consumption generated by each integration that is applied to the policies from Fleet Server.

The maximum consumption that I detected was 350 MB; the average was 200 MB.

The integration called “System” is the one I use to collect the “system”, “application” and “security” logs.

The integration called “Windows” is used to collect the “Forwarded”, “Powershell”, “Powershell Operational” and “Sysmon Operational” logs, and the Windows metrics “Windows perfmon metrics” and “Windows service metrics”.

The “Elastic Defend” integration is the endpoint in charge of collecting the different data that allows alerts to be identified in the Security part of Elastic.

If I monitor the processes on the machine that has the agent installed, I see that 7 agentbeat.exe processes are spawned, and if you enable the option called “Command line” as an additional column you can see whether each one is running as a “filebeat” or a “metricbeat”.

When the device that has the agent is managed by another area of the company, this number of processes could look outrageous and they would complain that there are too many processes. But you can control the number: obviously, the fewer integrations, the fewer .exe processes, although sometimes a single integration can generate several .exe processes.

In my case, if I want 3 of those 7 .exe processes to disappear, I simply deactivate the agent metrics option.


Now, about your specific question, I can only offer you my opinion since I am not an expert in the ELK stack, but I would say that if you use one integration to collect Windows logs and another one for Linux logs, it will depend on the type of options you choose within the integration. I will explain better with images.

Depending on the options you choose, each one will generate an .exe on the device where the agent is installed.

So I would say it would be the same whether you use a single integration or multiple integrations to collect the logs, unless someone disproves what I say.

I suggest that on a test device you create a policy and do the tests yourself; in my case I drew my conclusions, but maybe after you do the exercise you will find something else or something different.

Forgive my wording, I'm using a translator.

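The process check described in the reply above, as an added example that is not part of the original post: the PowerShell below lists the Elastic Agent child processes on a Windows host together with the command line each was started with and its resident memory, then totals memory per beat. It assumes the process names elastic-agent.exe and agentbeat.exe (plus filebeat.exe and metricbeat.exe, which older agent versions spawn instead) and that the beat name appears on the command line, as the reply describes when it reads the "Command line" column; those process names and the list of beat names are assumptions, not something the post states.

```powershell
# Added example (not from the original post). Lists Elastic Agent sub-processes
# on a Windows host with the command line they were started with and their
# resident memory, then groups them by the beat they run as. Run from an
# elevated prompt; otherwise the command line of processes running as SYSTEM
# is not readable and the beat cannot be identified.
#
# Assumptions: the agent spawns agentbeat.exe (or, on older agent versions,
# filebeat.exe / metricbeat.exe) and the beat name appears on the command line,
# as the reply above describes. The beat-name list below is also an assumption.

$beatNames = 'filebeat|metricbeat|auditbeat|packetbeat|osquerybeat|heartbeat'

$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -match '^(elastic-agent|agentbeat|filebeat|metricbeat)\.exe$' }

$rows = foreach ($p in $procs) {
    # agentbeat.exe is started as "agentbeat.exe filebeat ..." or
    # "agentbeat.exe metricbeat ...", so the first beat name on the command
    # line tells us which beat this process is running as.
    if ($p.CommandLine -match "\b($beatNames)\b") {
        $beat = $Matches[1]
    } elseif ($p.Name -eq 'elastic-agent.exe') {
        $beat = 'elastic-agent'
    } else {
        $beat = 'unknown'   # command line not readable, or an unlisted beat
    }

    [pscustomobject]@{
        PID          = $p.ProcessId
        Name         = $p.Name
        Beat         = $beat
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        CommandLine  = $p.CommandLine
    }
}

# Per-process view, biggest consumers first: the Task Manager "Command line"
# column, but with resident memory next to it.
$rows | Sort-Object WorkingSetMB -Descending |
    Format-Table PID, Name, Beat, WorkingSetMB, CommandLine -AutoSize -Wrap

# Per-beat totals: how many processes each beat accounts for and how much
# resident memory they add up to. Capture this before and after disabling an
# integration option (for example agent metrics) in the test policy to see
# which processes, and how much memory, that option is responsible for.
$rows | Group-Object Beat | ForEach-Object {
    [pscustomobject]@{
        Beat      = $_.Name
        Processes = $_.Count
        TotalMB   = [math]::Round(($_.Group | Measure-Object -Property WorkingSetMB -Sum).Sum, 1)
    }
} | Sort-Object TotalMB -Descending | Format-Table -AutoSize
```

Run it once with the full policy applied, then again after removing the Windows integration (or individual options inside it) from the policy, and compare the per-beat totals; that answers the original question for your own hosts rather than relying on the average figures from the reply. On a Linux host the same information comes from ps (for example listing pid, rss and args for the agentbeat processes), so the before/after comparison can be done on both platforms.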