Elastic Agent

DEPRECATED

❌ Do not deploy Elastic Agent

✅ Deploy Vector instead

Install Elastic Agent

1. Install Elastic Agent either Fleet-managed or standalone

Create Policy

1. Create an Agent Policy

2. Add Integration

3. Select Custom UDP Logs

4. Configure Custom UDP Logs integration

5. Make sure to add your own private networks under custom configurations. It is recommended to add your own public facing IP address scope as well.

6. Save Integration

Deploy you policy.

• If you deployed Fleet-managed agent, just apply your new policy to your agent.

• If you deployed standalone agent, take your generated policy and modify your elastic-agent.yml accordinly.

You should end up with something like:

  - id: udp-udp-af7f0dce-57c0-498f-bc09-96ba51fd76a4
    name: fortinet.fortigate-1
    revision: 1
    type: udp
    use_output: default
    meta:
      package:
        name: udp
        version: 1.19.1
    data_stream:
      namespace: default
    package_policy_id: af7f0dce-57c0-498f-bc09-96ba51fd76a4
    streams:
      - id: udp-udp.generic-af7f0dce-57c0-498f-bc09-96ba51fd76a4
        data_stream:
          dataset: fortinet.fortigate
        host: '0.0.0.0:5140'
        pipeline: logs-fortinet.fortigate
        max_message_size: 50KiB
        tags:
          - preserve_original_event
        processors:
          - copy_fields:
              fields:
                - from: message
                  to: event.original
          - syslog:
              field: message
        fields_under_root: true
        fields:
          internal_networks:
            - private
            - loopback
            - link_local_unicast
            - link_local_multicast

Ingest Pipelines

Ingest Pipelines are not loaded by default with our script

Make sure to set LOAD_INGEST_PIPELINES to true

Performance tunning settings

Firewalls are very chatty, so it may overflow UDP buffers on your host leading to dropping logs.

Modify your Elasticsearch output settings for Optimized for throughput.

• If you deployed Fleet-managed agent, modify your Elaticsearch output Perfomance Tunnig setting for Throughput directly under your output configuration.
• If you deployed standalone agent, modify your Elaticsearch output preset setting for throughput on your elastic-agent.yml directly.

Depending on your Events per Second (EPS) volume, you may need to increase performance tuning settings even further.

• Run watch -d "column -t cat /proc/net/snmp | grep -w Udp" on your Elastic Agent host to check if you are dropping any logs.

Next Steps

1. Set up Elasticsearch

2. Import dashboards in Kibana

3. Start dancing with your logs!