Here's an overview of how logs are ingested in various deployment types.
Core Pipeline: Elastic Agent [IMPORT Node] --> Elasticsearch Ingest [IMPORT Node]
Logs: Zeek, Suricata
Core Pipeline: Elastic Agent [EVAL Node] --> Elasticsearch Ingest [EVAL Node]
Logs: Zeek, Suricata
Core Pipeline: Elastic Agent [SA Node] --> Logstash [SA Node] --> Redis [SA Node] <--> Logstash [SA Node] --> Elasticsearch Ingest [SA Node]
Logs: Zeek, Suricata, syslog
Elastic Agent: Elastic Agent [Windows Endpoint] --> Logstash [SA Node] --> Redis [SA Node] <--> Logstash [SA Node] --> Elasticsearch Ingest [SA Node]
Logs: WEL, Sysmon
Pipeline: Elastic Agent [Fleet Node] --> Logstash [M | MS] --> Elasticsearch Ingest [S | MS]
Logs: Elastic Agent
Core Pipeline: Elastic Agent [Fleet | Forward] --> Logstash [Manager] --> Redis [Manager]
Logs: Zeek, Suricata, syslog
Elastic Agent: Elastic Agent [Windows Endpoint] --> Logstash [Manager] --> Redis [Manager]
Logs: WEL, Sysmon
Core Pipeline: Elastic Agent [Fleet | Forward] --> Logstash [MS] --> Redis [MS] <--> Logstash [MS] --> Elasticsearch Ingest [MS]
Logs: Zeek, Suricata, syslog
Pipeline: Elastic Agent [MS] --> Logstash [MS] --> Elasticsearch Ingest [MS]
Logs: Local Elastic Agent
Elastic Agent: Elastic Agent [Windows Endpoint] --> Logstash [MS] --> Elasticsearch Ingest [MS]
Logs: WEL, Sysmon
Pipeline: Elastic Agent [Heavy Node] --> Elasticsearch Ingest [Heavy]
Logs: Zeek, Suricata, syslog
Pipeline: Redis [Manager] --> Logstash [Search] --> Elasticsearch Ingest [Search]
Logs: Zeek, Suricata, syslog
Pipeline: Elastic Agent [Forward] --> Logstash [M | MS] --> Elasticsearch Ingest [S | MS]
Logs: Zeek, Suricata, syslog