Merge pull request #12116 from Security-Onion-Solutions/issue/12033

Issue/12033

salt/elasticfleet/defaults.yaml

@@ -1,5 +1,6 @@
 elasticfleet:
   enabled: False
+  enable_manager_output: True
   config:
     server:
       custom_fqdn: []

salt/elasticfleet/soc_elasticfleet.yaml

@@ -3,6 +3,12 @@ elasticfleet:
     description: You can enable or disable Elastic Fleet.
     advanced: True
     helpLink: elastic-fleet.html
+  enable_manager_output:
+    description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers.
+    advanced: True
+    global: True
+    forcedType: bool
+    helpLink: elastic-fleet.html
   logging:
     zeek:
       excluded:

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update

@@ -34,12 +34,17 @@ fi
 CURRENT_LIST=$(jq -c -r '.item.hosts' <<<  "$RAW_JSON")
 CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
 
+declare -a NEW_LIST=()
+
+{# If we select to not send to manager via SOC, then omit the code that adds manager to NEW_LIST #}
+{% if ELASTICFLEETMERGED.enable_manager_output %}
 # Create array & add initial elements
 if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
-    NEW_LIST=("{{ GLOBALS.url_base }}:5055")
+    NEW_LIST+=("{{ GLOBALS.url_base }}:5055")
 else
-    NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.hostname }}:5055")
+    NEW_LIST+=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.hostname }}:5055")
 fi
+{% endif %}
 
 # Query for FQDN entries & add them to the list
 {% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}