Auditbeat vs elastic endpoint for collecting network traffic from server

Hi all.
I'm trying to migrate from auditbeat to elastic endpoint, and almost every module is fine except for the network one.
I notice that elastic-endpoint collects a lot less network traffic than auditbeat.
After some investigation, it appears that elastic-endpoint does not log traffic from other servers that connect to this server via some process, while auditbeat can do that.

Can someone explain to me how that works and how to enable endpoint to collect the network traffic from other servers connecting to the endpoint as well?

Thanks for your help.

Hi @lusynda!

Have you taken a look at the Elastic Agent Network integration? With this integration, it is possible to collect netflow and other network protocols for better detailing of events.

Follow the link to this integration: Network Packet Capture | Elastic docs

You can also use the FIM integration for auditbeat migration:

After trying the Network integration,
I still feel like it is not the same as with auditbeat.
For example:
from one of the clients I use the telnet command to telnet to the server on port 443.
With auditbeat that traffic is logged successfully, but with both endpoint and the Network integration that connection is not logged at all.

Is there a way to configure the Network integration to capture all traffic to the end server like auditbeat does?

In the Network integration, did you enable the netflow function? In fact, for some auditing features, auditbeat is still the most recommended. Did you also enable the FIM integration?

I have enabled the netflow function but still no good.

What do you mean by this? I thought endpoint was supposed to be better than auditbeat. Can you specify which parts auditbeat does better than the Elastic Agent integrations?

I'm trying it today.
