Elasticsearch - get logs from DMZ

Hi,
we have an Elasticsearch cluster and now we want to stream logs from a DMZ environment to it, which isn't allowed by InfoSec. The only allowed method is pulling from the DMZ.
What's the preferred option in such a case?
We thought of several options and would like to know what the best practice is:

  • Asynchronous mechanism - send the logs to some queue / container / Kafka and pull them from there - a lot of components involved and performance issues

  • Cross-site replication - create an ECK or other deployment of Elasticsearch in the DMZ and send the logs there, and later replicate the indices to the original cluster - is that approach correct, or can it have performance issues? Can you control the direction of where to replicate from? Can you view the logs in the target cluster after some time?

  • Create an ECK or other deployment of Elasticsearch in the DMZ and have Kibana look at the remote cluster logs using cross-cluster search - is that something you can recommend?

For the options of creating an ECK cluster in the DMZ - can we use a Standard / Basic edition instead of Enterprise?

Thanks

Pulling from the DMZ is tricky, as there's not really a native way to do this in the stack.

You could definitely set up 2 clusters and then tell the DMZ one to replicate to the external one, as CCR can be one-way. CCS might also tick this box, as you can run your searches on the non-DMZ cluster and it then pulls results from the DMZ one.

Thanks for replying,
we are thinking of the cross-cluster search option, having Kibana look at the indices of the remote cluster in the DMZ ... We understand that the Basic version of Elasticsearch can be installed in the DMZ for the purpose of storing the data, with the nodes configured as remote_cluster_client.
Do you find any issues with that?
Thanks
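To make the "pull only" direction of the CCS design concrete, here is an added example (not from this thread, not Elastic's own code) that builds the `_cluster/settings` body the non-DMZ cluster needs, builds the search Kibana would run against the remote indices, and audits two settings snapshots to confirm that only the internal cluster opens connections. It assumes a remote alias of `dmz`, a placeholder proxy address for the DMZ cluster's transport port, the index pattern `logs-*`, and that the `remote_cluster_client` role is given to nodes of the internal (searching) cluster, since that is the side that initiates the transport connection; the DMZ cluster needs no `cluster.remote.*` settings at all. All cluster responses in the block are constructed samples.

```python
"""Added example: pull-only cross-cluster search (CCS) from a DMZ cluster.

Assumptions (not from the thread): remote alias "dmz", a placeholder proxy
address for the DMZ transport port, index pattern "logs-*". The settings and
_remote/info responses below are constructed, not captured from a cluster.
"""
import json

DMZ_ALIAS = "dmz"
DMZ_PROXY = "dmz-es-proxy.example.internal:9300"   # placeholder, not a real host


def remote_cluster_settings(alias=DMZ_ALIAS, proxy_address=DMZ_PROXY):
    """Body for PUT _cluster/settings on the NON-DMZ (internal) cluster.

    Proxy mode: the internal cluster opens outbound transport connections to a
    single address inside the DMZ; the DMZ cluster never connects outward.
    skip_unavailable keeps searches working if the DMZ side is down."""
    return {
        "persistent": {
            f"cluster.remote.{alias}.mode": "proxy",
            f"cluster.remote.{alias}.proxy_address": proxy_address,
            f"cluster.remote.{alias}.skip_unavailable": True,
        }
    }


def ccs_search_body(alias=DMZ_ALIAS, pattern="logs-*", minutes=15):
    """Search Kibana issues for a data view '<alias>:<pattern>': the remote
    indices are addressed by prefixing the index pattern with the alias."""
    return {
        "index": f"{alias}:{pattern}",
        "body": {
            "query": {"range": {"@timestamp": {"gte": f"now-{minutes}m"}}},
            "sort": [{"@timestamp": "desc"}],
        },
    }


def _flat(settings_response):
    """Merge persistent and transient scopes of a flat_settings=true response."""
    merged = {}
    for scope in ("persistent", "transient"):
        merged.update(settings_response.get(scope, {}))
    return merged


def audit_direction(local_settings, dmz_settings, alias=DMZ_ALIAS):
    """Return a list of findings; an empty list means the pull-only rule holds.

    local_settings / dmz_settings are GET _cluster/settings?flat_settings=true
    responses from the internal and DMZ clusters respectively."""
    problems = []
    local, dmz = _flat(local_settings), _flat(dmz_settings)
    prefix = f"cluster.remote.{alias}."
    if not any(k.startswith(prefix) for k in local):
        problems.append(f"internal cluster has no remote '{alias}' configured")
    # Any cluster.remote.* entry on the DMZ side means the DMZ would initiate
    # connections outward, which is exactly what the policy forbids.
    outbound = sorted(k for k in dmz if k.startswith("cluster.remote."))
    if outbound:
        problems.append("DMZ cluster has outbound remotes: " + ", ".join(outbound))
    # The API returns string values; accept both the API form and a Python bool.
    if local.get(prefix + "skip_unavailable") not in (True, "true"):
        problems.append(f"remote '{alias}' lacks skip_unavailable; a DMZ outage "
                        "would fail every search that touches it")
    return problems


def remote_is_connected(remote_info, alias=DMZ_ALIAS):
    """Check a GET _remote/info response for a live connection to the alias."""
    entry = remote_info.get(alias)
    return bool(entry and entry.get("connected"))


# Constructed sample responses for a stand-alone run.
LOCAL_SETTINGS = {"persistent": remote_cluster_settings()["persistent"], "transient": {}}
DMZ_SETTINGS_OK = {"persistent": {}, "transient": {}}
DMZ_SETTINGS_BAD = {"persistent": {"cluster.remote.corp.seeds": "es.corp.example.internal:9300"},
                    "transient": {}}
REMOTE_INFO = {"dmz": {"connected": True, "mode": "proxy",
                       "proxy_address": DMZ_PROXY, "skip_unavailable": True}}

if __name__ == "__main__":
    print(json.dumps(remote_cluster_settings(), indent=2))
    print(json.dumps(ccs_search_body(), indent=2))
    print("audit (ok):", audit_direction(LOCAL_SETTINGS, DMZ_SETTINGS_OK))
    print("audit (bad):", audit_direction(LOCAL_SETTINGS, DMZ_SETTINGS_BAD))
    print("dmz connected:", remote_is_connected(REMOTE_INFO))
```

The settings body is sent once to `PUT _cluster/settings` on the internal cluster, `GET _remote/info` confirms the connection, and a Kibana data view of `dmz:logs-*` then searches the DMZ indices without any data leaving the DMZ on its own initiative. On the licensing question raised earlier in the thread: CCS is available on the free Basic license, whereas CCR is a Platinum/Enterprise feature, which is one more reason the search-based design fits a Basic deployment in the DMZ.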

You should be good then :slight_smile:

Thanks
