Description
Type of issue
Missing information
What documentation page is affected
https://www.elastic.co/docs/reference/integrations/zscaler_zia
What happened?
Hello, team!
A customer submitted a support case to clarify the scope for the Zscaler ZIA Integration running on agentless.
They'd like to confirm whether the Zscaler Internet Access agentless integration only ingests Sandbox report events or also ingests any access logs, such as audit, firewall, DNS, or DLP logs, as detailed in the agent-based integration.
Per https://github.com/elastic/sdh-beats/issues/6690, it was confirmed that the only data source available when this integration works in agentless mode is the Sandbox Report data stream, as it runs the CEL input in the background, which is compatible with agentless mode.
Neither TCP nor HTTP Endpoint inputs are compatible with agentless mode at this time, so any data streams that depend on them cannot work in agentless deployments either.
We think some improvements in our docs should be addressed here:
- It should be easier to find a clear list of Filebeat inputs that are currently supported in agentless mode
- For an integration like this one, where only one of eight existing data streams is supported in agentless mode, suggesting in the integration's docs that this integration supports agentless doesn't seem accurate enough.
Additional info
No response