Why do I need to install the elastic agent when syncing data from Azure Event Hubs to Elastic?

I'm new to Elastic and the whole stack. I want to use Elastic as a SIEM solution, meaning I'll have to ingest data.

I totally understand I need to install an agent locally for XDR/EDR or monitoring servers and sending logs. But why do I have to install the agent when linking Azure Event Hubs to Elastic? And where do I even install the agent? It makes absolutely no sense to install an agent on a local machine to propagate data from Cloud Service #1 to Cloud Service #2.

I'm using the elastic cloud, serverless project, and Azure Event Hubs.
Can someone explain this to me?


I'm sure we have worked on an agentless solution, see this old blog:

Automated root cause analysis and agentless log ingestion from GCP | Elastic Blog

I hope it's also supported on Azure, but I don't work in that product area and can't easily google it either.

Thanks! I'll have a look at that link.
It's incredibly hard to find on Google indeed!

Thank you for sharing your concern. I am part of the Elastic Security Product team, and we are developing a capability that will enable the agentless ingestion of logs, cloud account posture, and more. We are currently enrolling beta customers to test our agentless Cloud Security Posture Management (CSPM) Integration in Serverless. This is one of the many integrations that Elastic will offer in an agentless manner.

Given your interest in this approach, we would greatly appreciate your input and feedback during this early stage. Please let us know if you would be interested in becoming a beta tester for the agentless CSPM integration.

Yes please!
