Elasticsearch Replication
Located under Settings > Integrations, Elasticsearch Replication enables the configuration of Result data replication to an external Elasticsearch database for independent, long-term storage and data analysis.
INFO: Upgrade Feature - Elasticsearch Replication
The ability to configure and use Elasticsearch Replication requires an upgraded plan. Please see https://www.sandflysecurity.com/get-sandfly/ for details.
If you wish to additionally ingest Host asset and SSH key data, plus have more control over ingestion, consider our third-party Elastic Connector.

Elasticsearch Replication Tab
Elasticsearch Replication Form
The Edit button opens a form containing the following configurable fields:
- Elastic Replication Enabled - Set this to `true` to enable the Elasticsearch Replication and provide access to its settings.
- URL - The replication URL of the external Elasticsearch server, which must follow the standard URL format of `<PROTOCOL>://<HOSTNAME>:<PORT>/` like in the reference image.
- Server CA Certificate (optional) - If the external Elasticsearch server uses a certificate from a private CA or is self-signed, provide the trusted certificate in PEM format in this field.
- Username (optional) - If using username/password authentication, enter the Elasticsearch username. If using API Key authentication, you must enter the literal value `api_key` in this field.
- Password (optional) - If username/password authentication is used, enter the external Elasticsearch password associated with the specified username. If API Key authentication is used, enter the API Key as the Password.
With correct settings and replication enabled, the Sandfly server will automatically create and maintain an index within Elasticsearch called sandfly_results. No additional configuration in Elasticsearch is required.
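The field rules above can be checked before the values are entered in the form. The following is an added example, not Sandfly's own code: the function name, hostname and keys are hypothetical, and restricting the protocol to http/https and flagging credentials sent over http:// are assumptions of this example.

```python
import ssl
from urllib.parse import urlsplit

# Constructed placeholder: PEM-shaped, but not a real certificate.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"

def check_replication_settings(url, username="", password="", ca_pem=""):
    """Return a list of problems; an empty list means the values fit the form's rules."""
    problems = []
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return ["URL does not parse; expected <PROTOCOL>://<HOSTNAME>:<PORT>/"]
    # Assumption: Elasticsearch is reached over HTTP(S), so only those schemes pass.
    if (parts.scheme not in ("http", "https") or not parts.hostname or port is None
            or parts.path != "/" or parts.query or parts.fragment):
        problems.append("URL must have the form <PROTOCOL>://<HOSTNAME>:<PORT>/")
    if parts.username or parts.password:
        problems.append("credentials belong in Username/Password, not in the URL")
    if bool(username) != bool(password):
        problems.append("Username and Password must be set together")
    # The page requires the literal value api_key; catch near misses.
    if username != "api_key" and username.lower().replace("-", "_") in ("api_key", "apikey"):
        problems.append("for API Key authentication Username must be exactly api_key")
    if parts.scheme == "http" and password:
        problems.append("http:// sends the password or API Key unencrypted")
    if ca_pem:
        try:
            # Structural check only: PEM armor plus valid base64, not X.509 parsing.
            ssl.PEM_cert_to_DER_cert(ca_pem.strip())
        except ValueError:
            problems.append("Server CA Certificate is not PEM encoded")
    return problems

if __name__ == "__main__":
    # Constructed sample values; the hostname and keys are placeholders.
    for args in [
        ("https://elastic.example.internal:9200/", "api_key", "PLACEHOLDER_KEY", SAMPLE_CA),
        ("http://elastic.example.internal:9200/", "elastic", "PLACEHOLDER_PW"),
        ("https://elastic.example.internal/", "API_KEY", "PLACEHOLDER_KEY", "not a cert"),
    ]:
        print(args[0], args[1], "->", check_replication_settings(*args) or "ok")
```

The certificate check only confirms PEM encoding; whether the certificate actually chains to the Elasticsearch server is still decided at connection time.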