Ingest¶
Here’s an overview of how logs are ingested in various deployment types.
Import¶
Core Pipeline: Elastic Agent [IMPORT Node] –> Elasticsearch Ingest [IMPORT Node]
Logs: Zeek, Suricata
Eval¶
Core Pipeline: Elastic Agent [EVAL Node] –> Elasticsearch Ingest [EVAL Node]
Logs: Zeek, Suricata, Osquery/Fleet
Osquery Shipper Pipeline: Osquery [Endpoint] –> Fleet [EVAL Node] –> Elasticsearch Ingest via Core Pipeline
Logs: WEL, Osquery, syslog
Standalone¶
Core Pipeline: Elastic Agent [SA Node] –> Logstash [SA Node] –> Redis [SA Node] <–> Logstash [SA Node] –> Elasticsearch Ingest [SA Node]
Logs: Zeek, Suricata, Osquery/Fleet, syslog
WinLogbeat: Winlogbeat [Windows Endpoint]–> Logstash [SA Node] –> Redis [SA Node] <–> Logstash [SA Node] –> Elasticsearch Ingest [SA Node]
Logs: WEL, Sysmon
Fleet Standalone¶
Pipeline: Elastic Agent [Fleet Node] –> Logstash [M | MS] –> Elasticsearch Ingest [S | MS]
Logs: Osquery
Manager (separate search nodes)¶
Core Pipeline: Elastic Agent [Fleet | Forward] –> Logstash [Manager] –> Redis [Manager]
Logs: Zeek, Suricata, Osquery/Fleet, syslog
WinLogbeat: Winlogbeat [Windows Endpoint]–> Logstash [Manager] –> Redis [Manager]
Logs: WEL
Manager Search¶
Core Pipeline: Elastic Agent [Fleet | Forward] –> Logstash [MS] –> Redis [MS] <–> Logstash [MS] –> Elasticsearch Ingest [MS]
Logs: Zeek, Suricata, Osquery/Fleet, syslog
Pipeline: Elastic Agent [MS] –> Logstash [MS] –> Elasticsearch Ingest [MS]
Logs: Local Osquery/Fleet
WinLogbeat: Winlogbeat [Windows Endpoint]–> Logstash [MS] –> Elasticsearch Ingest [MS]
Logs: WEL
Heavy¶
Pipeline: Elastic Agent [Heavy Node] –> Logstash [Heavy] –> Redis [Heavy] <–> Logstash [Heavy] –> Elasticsearch Ingest [Heavy]
Logs: Zeek, Suricata, Osquery/Fleet, syslog
Search¶
Pipeline: Redis [Manager] –> Logstash [Search] –> Elasticsearch Ingest [Search]
Logs: Zeek, Suricata, Osquery/Fleet, syslog
Forward¶
Pipeline: Elastic Agent [Forward] –> Logstash [M | MS] –> Elasticsearch Ingest [S | MS]
Logs: Zeek, Suricata, syslog