With Elastic Agent you can collect all forms of data from anywhere with a single unified agent per host. One thing to install, configure, and scale.
Each Security Onion node uses the Elastic Agent to transport logs to Elasticsearch. You can also deploy the Elastic Agent to your endpoints to transport logs to your Security Onion deployment.
In order to receive logs from the Elastic Agent, Security Onion must be running Logstash. Evaluation Mode and Import Mode do not run Logstash, so you’ll need Standalone or a full Distributed Deployment. In a Distributed Deployment, forward nodes do not run Logstash, so you’ll need to configure agents to send to your manager or receiver nodes. For more information, please see the Architecture section.
To deploy an Elastic agent to an endpoint, go to the Security Onion Console (SOC) Downloads page and download the proper Elastic agent for the operating system of that endpoint. Don’t forget to allow the agent to connect through the firewall by going to Administration –> Configuration –> firewall –> hostgroups.
Once there, select the
For more information about the Elastic Agent, please see https://www.elastic.co/guide/en/fleet/current/fleet-overview.html.