
All about "Elastic Agent" in Elastic SIEM - Part 1


Elastic Agent is a one-stop solution for both collecting data and providing endpoint security. A single agent can be configured to collect different kinds of data by adding the necessary integrations on demand. It is far easier to configure and manage than separate shippers, because the stack itself handles the complexity.

Components needed for a basic SIEM setup in Elastic stack

  • Elasticsearch

  • Kibana

  • Elastic Agent

  • Fleet server

Elasticsearch is the brain of the Elastic stack. Kibana is a very powerful and easy-to-use UI where we can view and visualize the data stored in Elasticsearch. Elastic Agent and Fleet Server are the two components we will focus on from here on.

Types of Elastic Agent (Based on installation):

  • Fleet managed Elastic Agent

    The Elastic Agent is enrolled with a Fleet Server, through which policy configuration and updates can be performed remotely.

  • Standalone Elastic Agent

    The Elastic Agent runs on its own, with no Fleet Server. To configure it we must manually edit the elastic-agent.yml file on each host with the updated settings. This is tiresome work, and it is always recommended to go with Fleet-managed agents instead.

Building blocks of Elastic Agent

  • Policy

  • Outputs

  • Integrations

Policy

A policy is the configuration for an Elastic Agent. Agent policies define the integrations you want to run and the hosts they should run on. You can assign a single Elastic Agent policy to multiple agents, which simplifies large-scale configuration management. It contains the details of the data inputs and of where the collected data should be sent. In detail, it holds the settings for which data must be collected, where that data must be fetched from, and what preprocessing must be performed. If the agent is managed by Fleet, the details of the Fleet Server are also included.

Integration

Elastic integrations simplify connecting Elastic with external services and systems, enabling quick insights and actions. They can gather new data sources and typically include ready-to-use assets like dashboards, visualizations, and pipelines for extracting structured fields from logs and events. This allows you to gain insights in just seconds.

When you add an integration, you configure inputs for logs and metrics, such as the path to your Nginx access logs. When you’re done, you save the integration to an Elastic Agent policy. The next time enrolled agents check in, they receive the update.

Outputs

Outputs specify where to send data. You can define multiple outputs in order to pair specific inputs with specific outputs.

Supported outputs are:

  • Elasticsearch

  • Kafka

  • Logstash
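To make the policy, input and output concepts above concrete (and the elastic-agent.yml that a standalone agent is configured with), here is an added example, not part of the original post or of Elastic's own tooling. It embeds a constructed standalone-style config as a Python dict that mirrors the documented YAML layout (an `outputs` map, an `inputs` list whose items select an output via `use_output`, and per-input `streams`) and runs the sanity checks a practitioner would want before rolling such a file out: every input points at a defined output, output types are among the supported ones, Elasticsearch hosts are not addressed over plain http, and static username/password credentials are flagged in favour of an API key. The sample hostnames, credentials and the input ids are made up.

```python
"""Sanity checks for a standalone elastic-agent.yml (constructed example).

The config is embedded as a dict mirroring the YAML structure; in practice you
would load the real file with a YAML parser and pass the result to validate().
"""

from typing import Dict, List

# The three output types the post lists as supported.
SUPPORTED_OUTPUT_TYPES = {"elasticsearch", "logstash", "kafka"}

# Constructed sample config (hostnames and credentials are placeholders):
# one nginx access-log input routed to the "default" output, plus a second
# input whose use_output refers to an output that was never defined.
SAMPLE_CONFIG = {
    "outputs": {
        "default": {
            "type": "elasticsearch",
            "hosts": ["http://es.example.internal:9200"],  # plain http, flagged below
            "username": "elastic",
            "password": "changeme",  # static credentials, flagged below
        },
        "archive": {
            "type": "kafka",
            "hosts": ["kafka.example.internal:9092"],
            "topic": "agent-logs",
        },
    },
    "inputs": [
        {
            "id": "nginx-access",
            "type": "logfile",
            "use_output": "default",
            "streams": [
                {
                    "paths": ["/var/log/nginx/access.log"],
                    "data_stream": {"dataset": "nginx.access"},
                }
            ],
        },
        {
            "id": "auth-logs",
            "type": "logfile",
            "use_output": "siem",  # typo: no output named "siem" exists
            "streams": [{"paths": ["/var/log/auth.log"]}],
        },
    ],
}


def check_outputs(config: Dict) -> List[str]:
    """Return findings about the outputs section."""
    findings: List[str] = []
    outputs = config.get("outputs", {})
    if not outputs:
        findings.append("no outputs defined; the agent has nowhere to send data")
    for name, out in outputs.items():
        otype = out.get("type")
        if otype not in SUPPORTED_OUTPUT_TYPES:
            findings.append(f"output '{name}': unsupported type {otype!r}")
        # Hosts given without a scheme are not flagged here; only explicit http:// is.
        for host in out.get("hosts", []):
            if otype == "elasticsearch" and host.startswith("http://"):
                findings.append(
                    f"output '{name}': host {host} uses plain http; expect TLS (https) to Elasticsearch"
                )
        if "password" in out and "api_key" not in out:
            findings.append(f"output '{name}': static username/password; prefer an api_key")
    return findings


def check_inputs(config: Dict) -> List[str]:
    """Return findings about the inputs section and their output references."""
    findings: List[str] = []
    outputs = config.get("outputs", {})
    seen_ids = set()
    for inp in config.get("inputs", []):
        iid = inp.get("id", "<no id>")
        if iid in seen_ids:
            findings.append(f"input '{iid}': duplicate id")
        seen_ids.add(iid)
        # Assumption: an input with no use_output falls back to the "default" output.
        target = inp.get("use_output", "default")
        if target not in outputs:
            findings.append(f"input '{iid}': use_output '{target}' is not a defined output")
        if not inp.get("streams"):
            findings.append(f"input '{iid}': no streams, so it collects nothing")
    return findings


def validate(config: Dict) -> List[str]:
    """Run all checks; an empty list means the config passed."""
    return check_outputs(config) + check_inputs(config)


if __name__ == "__main__":
    for finding in validate(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the embedded sample, the script reports three findings: the plain-http Elasticsearch host, the static password on the `default` output, and the dangling `use_output: siem` reference on the `auth-logs` input. The same misconfigurations are exactly what Fleet management prevents, since the policy is built in the UI and pushed to agents as a unit.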

Fleet server

Fleet Server is technically an Elastic Agent running a policy that has the Fleet Server integration added to it. Fleet Server is like a manager in an office: it is used to manage the Elastic Agents (the employees). It acts as the communication hub between the Elastic Agents and the Elasticsearch cluster. It handles agent enrollment, configuration updates, and data ingestion, ensuring efficient and secure management of many agents. By using Fleet Server, administrators can simplify deployment and streamline agent management at scale.

Fleet provides a web-based UI in Kibana for centrally managing Elastic Agents and their policies.

The Agents page provides a view of agent health status, indicating which agents are healthy or unhealthy, along with the last check-in time. It also displays the Elastic Agent binary version and the associated policy.

We will cover Elastic Agent installation and Elastic Endpoint in the next part! The link will be added here soon.