Dears,
I would like to know how I can choose which index to forward data to from my devices.
For example, if I would like to integrate Active Directory, Cisco and Juniper logs,
which index should I choose from the default indexes that came with the Security Enterprise app?
ES doesn't require data to be in a particular index in order to be searchable. Instead, ES performs its searches using data models (based on tags), as opposed to looking for data in particular indexes. This was done so that you could put your data in whatever indexes you like.
Put your data in a separate index when you want:
The key to getting ES to see your data is making sure that:
I wouldn't choose any default indexes. You need to plan your index names in line with your organisation structure. E.g. if my company is Amazon, then my index names would be like
amz_os_windows, amz_os_linux, amz_network_cisco, amz_network_juniper etc.
So in future, if you want to give access to the network team/role, you can give amz_network* to that role.
You are talking about the default index name in the case where there is no app, but the case here is that the Security app has default indexers, and we must insert data into the correct indexer for the dashboards to be able to populate data.
The data can still be in your specified indexes. All you need to do is use CIM standards and an accurate sourcetype, and ES will pick them up automatically.
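An added configuration example (not from this thread or from Splunk's own add-ons) tying the two answers above together: an org-named index, the input that routes Cisco data into it with an accurate sourcetype, the CIM tagging that lets the Network Traffic data model find the events regardless of index, and a role restricted to the network team's indexes. The index and role names follow the naming scheme suggested above; the eventtype name and the `cisco:asa` sourcetype are assumptions for illustration.

```ini
# indexes.conf (indexers): one index per data owner, named after the
# org structure so a later role grant can use a wildcard (amz_network*).
[amz_network_cisco]
homePath   = $SPLUNK_DB/amz_network_cisco/db
coldPath   = $SPLUNK_DB/amz_network_cisco/colddb
thawedPath = $SPLUNK_DB/amz_network_cisco/thaweddb

# inputs.conf (forwarder receiving the device syslog): send the feed to
# that index with the sourcetype the vendor add-on expects (assumed here
# to be cisco:asa). Field extractions and tagging key on the sourcetype,
# not on the index name.
[udp://514]
index      = amz_network_cisco
sourcetype = cisco:asa

# eventtypes.conf (search head): an eventtype selecting the events.
# Name is illustrative; vendor add-ons normally ship their own.
[cisco_asa_traffic]
search = index=amz_network_cisco sourcetype=cisco:asa

# tags.conf (search head): CIM tags. The Network Traffic data model is
# built on tag=network tag=communicate, so ES searches reach these events
# wherever they are stored.
[eventtype=cisco_asa_traffic]
network     = enabled
communicate = enabled

# authorize.conf (search head): least-privilege role for the network
# team, limited to its own indexes by the naming convention.
[role_network_team]
importRoles        = user
srchIndexesAllowed = amz_network*
srchIndexesDefault = amz_network_cisco
```

Vendor add-ons ship their own eventtypes and tags keyed on sourcetype, so in practice only the index, input and role stanzas are yours to write; the tagging stanzas are shown to make the data-model mechanism visible.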
So why are there default Indexes in Enterprise Security?
The indexes that ship with ES are created for internal use, and may be provided for supporting legacy installations that have upgraded from prior releases. As an example, when a notable event is generated by a correlation search, the results are written to the 'notable' index before being displayed in the Incident Review dashboard.
Many thanks for your support