If you have an Enterprise {stack} subscription, you can configure {agent} data to be sent to different outputs for different integration policies. Note that the output clusters that you send data to must also be on the same subscription level.
Integration-level outputs are very useful for certain scenarios. For example:
-
You can may want to send security logs monitored by an {agent} to one {ls} output, while informational logs are sent to a another {ls} output.
-
If you operate multiple {beats} on a system and want to migrate these to {agent}, integration-level outputs enable you to maintain the distinct outputs that are currently used by each Beat.
For each {agent}, the agent policy configures sending data to the following outputs in decreasing order of priority:
-
The output set in the integration policy.
-
The output set in the integration’s parent {agent} policy. This includes the case where an integration policy belongs to multiple {agent} policies.
-
The global, default data output set in the {fleet} settings.
To configure an integration-level output for {agent} data:
-
In {kib}, go to Integrations.
-
On the Installed integrations tab, select the integration that you’d like to update.
-
Open the Integration policies tab.
-
From the Actions menu next to the integration, select Edit integration.
-
In the integration settings section, expand Advanced options.
-
Use the Output dropdown menu to select an output specific to this integration policy.
-
Click Save and continue to confirm your changes.
To view which {agent} output is set for an integration policy:
-
In {fleet}, open the Agent policies tab.
-
Select an {agent} policy.
-
On the Integrations tab, the Output column indicates the output used for each integration policy. If data is configured to be sent to either the global output defined in {fleet} settings or to the integration’s parent {agent} policy, this is indicated in a tooltip.