Elastic Agent

From https://www.elastic.co/elastic-agent:

With Elastic Agent you can collect all forms of data from anywhere with a single unified agent per host. One thing to install, configure, and scale.

Each Security Onion node uses the Elastic Agent to transport logs to Elasticsearch. You can also deploy the Elastic Agent to your endpoints to transport logs to your Security Onion deployment.



In order to receive logs from the Elastic Agent, Security Onion must be running Logstash. Evaluation Mode and Import Mode do not run Logstash, so you’ll need Standalone or a full Distributed Deployment. In a Distributed Deployment, forward nodes do not run Logstash, so you’ll need to configure agents to send to your manager or receiver nodes. For more information, please see the Architecture section.

To deploy an Elastic agent to an endpoint, go to the Security Onion Console (SOC) Downloads page and download the proper Elastic agent for the operating system of that endpoint. Don’t forget to allow the agent to connect through the firewall by going to Administration –> Configuration –> firewall –> hostgroups.


Once there, select the elastic_agent_endpoint option.


Once the agent starts sending logs, you should be able to find them in Dashboards, Hunt, or Kibana.


You can manage your agents using Elastic Fleet.

Live Queries

You can query your agents in realtime using Osquery Manager.


You can read more about integrations in the Elastic Fleet section and at https://docs.elastic.co/integrations.

More Information


For more information about the Elastic Agent, please see https://www.elastic.co/guide/en/fleet/current/fleet-overview.html.