From e84e5e1259db3ff1acb5fb82e3c68d18135b10ff Mon Sep 17 00:00:00 2001 From: David Kilfoyle Date: Fri, 11 Apr 2025 11:54:13 -0400 Subject: [PATCH 1/2] Update warning for Elastic Defend with Remote ES cluster --- .../fleet-settings-remote-elasticsearch.asciidoc | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/en/ingest-management/fleet/fleet-settings-remote-elasticsearch.asciidoc b/docs/en/ingest-management/fleet/fleet-settings-remote-elasticsearch.asciidoc index 38ba8795d..f23b697a0 100644 --- a/docs/en/ingest-management/fleet/fleet-settings-remote-elasticsearch.asciidoc +++ b/docs/en/ingest-management/fleet/fleet-settings-remote-elasticsearch.asciidoc 
@@ -7,7 +7,16 @@ Beginning in version 8.12.0, you can send {agent} data to a remote {es} cluster. A remote {es} cluster supports the same <> as your main {es} cluster. -WARNING: A bug has been found that causes {elastic-defend} response actions to stop working when a remote {es} output is configured for an agent. This bug is currently being investigated and is expected to be resolved in an upcoming release. +[WARNING] +==== +There are currently some limitations with using {elastic-defend} when a remote {es} output is configured for an agent. These issues are currently being investigated and are expected to be resolved in an upcoming release: + +* {elastic-defend} response actions do not display results in the management cluster, instead the results go to the output cluster. +* Restrictions on workflows for Endpoint with the {security-app}: + +** Endpoint list page - Elastic Endpoint state documents go to the output cluster so the management cluster doesn't have access to their status. +** Endpoint exceptions - Endpoint exceptions need to be added in the management cluster. Alerts are sent to the output cluster but "Add Endpoint Exception" workflows don't currently work there. +==== NOTE: Using a remote {es} output with a target cluster that has {cloud}/ec-traffic-filtering-deployment-configuration.html[traffic filters] enabled is not currently supported. From 9d5ccc7e70a202f0c9d49cbaeab3a2a02f0c426e Mon Sep 17 00:00:00 2001 From: David Kilfoyle Date: Mon, 14 Apr 2025 09:49:33 -0400 Subject: [PATCH 2/2] Remove details --- .../fleet-settings-remote-elasticsearch.asciidoc | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/docs/en/ingest-management/fleet/fleet-settings-remote-elasticsearch.asciidoc b/docs/en/ingest-management/fleet/fleet-settings-remote-elasticsearch.asciidoc index f23b697a0..099f77f19 100644 --- a/docs/en/ingest-management/fleet/fleet-settings-remote-elasticsearch.asciidoc 
+++ b/docs/en/ingest-management/fleet/fleet-settings-remote-elasticsearch.asciidoc @@ -7,18 +7,13 @@ Beginning in version 8.12.0, you can send {agent} data to a remote {es} cluster. A remote {es} cluster supports the same <> as your main {es} cluster. -[WARNING] -==== -There are currently some limitations with using {elastic-defend} when a remote {es} output is configured for an agent. These issues are currently being investigated and are expected to be resolved in an upcoming release: - -* {elastic-defend} response actions do not display results in the management cluster, instead the results go to the output cluster. -* Restrictions on workflows for Endpoint with the {security-app}: - -** Endpoint list page - Elastic Endpoint state documents go to the output cluster so the management cluster doesn't have access to their status. -** Endpoint exceptions - Endpoint exceptions need to be added in the management cluster. Alerts are sent to the output cluster but "Add Endpoint Exception" workflows don't currently work there. +[NOTE] ==== +Note the following restrictions with the remote {es} output: -NOTE: Using a remote {es} output with a target cluster that has {cloud}/ec-traffic-filtering-deployment-configuration.html[traffic filters] enabled is not currently supported. +* Using a remote {es} output with a target cluster that has {cloud}/ec-traffic-filtering-deployment-configuration.html[traffic filters] enabled is not currently supported. +* Using {elastic-defend} is currently not supported when a remote {es} output is configured for an agent. +==== To configure a remote {es} cluster for your {agent} data:
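Review bot: In PATCH 1/2, the first bullet of the new [WARNING] block ("response actions do not display results in the management cluster, instead the results go to the output cluster") does not say whether the action itself still runs on the host, while the removed line said response actions "stop working". Someone issuing a response action from the management cluster needs to know whether it took effect when no result is displayed, so the bullet should state that explicitly. The same bullet is a comma splice (use a semicolon or start a new sentence at "instead"), and the introductory sentence uses "currently" twice.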
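Review bot: In PATCH 2/2, the {elastic-defend} limitation moves from its own [WARNING] block to the second bullet of a [NOTE] block, which lowers its visibility even though the new wording ("is currently not supported") is a stronger statement than the limitations it replaces. Consider keeping it as a WARNING, separate from the traffic-filters note. The hunk also drops the specifics (response action results and Endpoint state documents going to the output cluster, Endpoint exceptions having to be added in the management cluster), and the commit subject "Remove details" does not say why; readers who already run this configuration lose the description of what to expect, so keep a one-line summary or explain the removal in the commit message. Minor: "Note the following restrictions" is redundant inside [NOTE], and the two bullets use "is not currently supported" and "is currently not supported"; pick one word order.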