Elasticsearch Replication
Located under Settings > Integrations, Elasticsearch Replication enables the configuration of Result data replication to an external Elasticsearch database for independent, long-term storage and data analysis.
INFO: Upgrade Feature - Elasticsearch ReplicationThe ability to configure and use Elasticsearch Replication requires an upgraded plan. Please see https://www.sandflysecurity.com/get-sandfly/🡵 for details.
If you wish to additionally ingest Host asset and SSH key data, plus have more control over ingestion, consider our third-party Elastic Connector.

Elasticsearch Replication Form
Elasticsearch Replication Form
The Edit button opens a form containing the following configurable fields:
- Elastic Replication Enabled - Set this to
trueto enable the Elasticsearch Replication and provide access to its settings. - URL - The replication URL of the external Elasticsearch server, which must follow the standard URL format of
<PROTOCOL>://<HOSTNAME>:<PORT>/like in the reference image. - Server CA Certificate (optional) - If the external Elasticsearch server uses a certificate from a private CA or is self-signed, provide the trusted certificate in PEM format in this field.
- Username (optional) - If using username/password authentication, enter the Elasticsearch username. If using API Key authentication, you must enter the literal value
api_keyin this field. - Password (optional) - If username/password authentication is used, enter the external Elasticsearch password associated with the specified username. If API Key authentication is used, enter the API Key as the Password.
- Summary Results (optional) - Enable to send the result summary JSON data rather than the full JSON data. Note that the summary JSON data only includes basic information about the alert and does not include most of the details included in the full JSON data. This setting applies to all new Alerts and Pass results.
- Duplicate Alerts (optional) - Enable to send duplicate alerts when the alert last seen time is updated. Note: this only applies to Alerts and not Pass results. The last seen time is updated when an existing alert is triggered and updated with new information. This will result in a larger volume of data since the alert may be triggered each time a scan is performed on the target system.
- Summary Duplicate Alerts (optional) - Enable to send the result summary JSON data for duplicate alerts rather than the full JSON data. Note that the summary JSON data only includes basic information about the alert and does not include most of the details included in the full JSON data. This setting only applies to duplicate Alerts and does not affect new Alerts or new Pass results.
With correct settings and replication enabled, the Sandfly server will automatically create and maintain an index within Elasticsearch called sandfly_results. No additional configuration in Elasticsearch is required.
Updated about 12 hours ago