Elastic Fleet - Agent communication diagram #11927
Replies: 1 comment
Elastic Agent ships logs to Logstash. Since Logstash is normally only found on the manager node, this necessitates that logs are sent to the manager node and not forward nodes. You can find more documentation here: https://docs.securityonion.net/en/2.4/elastic-agent.html However another option would be to install an Elastic Fleet Standalone node and point your Elastic Agents there, which might fit your use case better. This will be an option in the installation whiptail after you select Distributed then Existing Deployment.
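The rule in the answer above (agents ship to Logstash on the manager, or to a dedicated Fleet standalone node, never to a forward sensor) is easy to encode as a configuration sanity check. The following is an added example, not code from the discussion or from the Security Onion project: the node role labels, hostnames, and ports are constructed for illustration, and the check simply compares each agent's configured output host against a grid inventory.

```python
"""Sanity-check Elastic Agent output targets against a grid inventory.

Constructed example: the inventory, role labels and agent list below are
made up. Rule from the discussion: Elastic Agent output goes to a node
that runs Logstash (the manager/managersearch node) or to a Fleet
standalone node; a forward sensor is never a valid destination.
"""
from dataclasses import dataclass

# Roles (constructed labels) that can accept Elastic Agent output.
AGENT_DESTINATION_ROLES = {"manager", "managersearch", "fleet"}


@dataclass(frozen=True)
class Node:
    hostname: str
    role: str  # e.g. "managersearch", "sensor" (forward sensor), "fleet"


@dataclass(frozen=True)
class Agent:
    endpoint: str
    output_host: str  # "host:port" that the agent's Logstash output targets


def build_inventory(nodes):
    """Map hostname -> role for quick lookup."""
    return {n.hostname: n.role for n in nodes}


def check_agent(agent, inventory):
    """Classify one agent as ok, misconfigured, or pointing at an unknown host."""
    host = agent.output_host.rsplit(":", 1)[0]  # drop the port if present
    role = inventory.get(host)
    if role is None:
        return (agent.endpoint, "unknown", f"output host {host} is not a grid node")
    if role in AGENT_DESTINATION_ROLES:
        return (agent.endpoint, "ok", f"ships to {host} ({role})")
    return (
        agent.endpoint,
        "misconfigured",
        f"{host} is a {role} node; forward sensors do not run Logstash",
    )


def audit(agents, nodes):
    """Return one (endpoint, status, reason) tuple per agent."""
    inventory = build_inventory(nodes)
    return [check_agent(a, inventory) for a in agents]


# Constructed grid: one managersearch node, one forward sensor, one fleet node.
GRID = [
    Node("so-managersearch", "managersearch"),
    Node("so-sensor-dc1", "sensor"),
    Node("so-fleet", "fleet"),
]

# Constructed agents: the port numbers are placeholders, not real SO values.
AGENTS = [
    Agent("laptop-01", "so-managersearch:5055"),
    Agent("laptop-02", "so-sensor-dc1:5055"),   # wrong: forward sensor
    Agent("server-03", "so-fleet:5055"),
    Agent("server-04", "old-manager:5055"),     # decommissioned host
]

if __name__ == "__main__":
    for endpoint, status, reason in audit(AGENTS, GRID):
        print(f"{endpoint:10} {status:14} {reason}")
```

Running it prints one line per endpoint; anything reported as `misconfigured` is an agent whose output points at a forward sensor, which matches the symptom the question describes in reverse (agents reporting to the manager is the expected state, not a fault).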
Version: 2.4.30
Installation Method: Network installation on Debian
Description: other (please provide detail below)
Installation Type: Distributed
Location: other (please provide detail below)
Hardware Specs: Exceeds minimum requirements
CPU: 6
RAM: 16
Storage for /: 320
Storage for /nsm: 320
Network Traffic Collection: span port
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail:
I'm replacing our 2.3 Distributed Grid with new 2.4 systems, and I've been reading and trying to understand the new ways of collecting Endpoint data using Elastic Agent, which is different from the way 2.3 functions with Wazuh Endpoint Agents. I have a new ManagerSearch VM on Linode, with remote ForwardSensor VMs running on various ESXi servers. All installed perfectly and work like magic. But my main question is 'do Elastic Endpoint Agents only stream their logs directly to the Manager, or can they be configured to send to Forward Sensors?'
I have installed some Elastic Agents onto some Endpoints using the pre-built installer found in the Downloads page of the SO web GUI. Again, all worked like magic, but the Elastic Agent logs show it sending directly to the Manager, instead of the ForwardSearch VM that is on the same subnet as the Endpoint (which is how Wazuh did it). Can someone please advise me? Or point me to some how-tos? Or make a video of how to do this? Or is this just how it works, and trying to have Endpoint Agents send their streams to their nearest ForwardSensor is not how it works anymore?
Side note: I fully intend to purchase the Training in the hopes that this topic gets covered, but as of this moment there are no 2.4 courses available. https://onlinetraining.securityonionsolutions.com/p/security-onion-in-production/