Hi, let's talk about the config first: ELK 7.17.5 (8 CPU, 20 RAM, 2.5T disk space) and another host running Filebeat 7.17.8 with the Zeek and Suricata modules enabled.
I am using Suricata and Zeek as IDS. I noticed that Suricata has different @timestamp and event.created times; for example, I have:
- event.created: Jan 12, 2023 @ 20:26:17.472
- event.end: Jan 12, 2023 @ 11:26:06.081
- event.ingested: Jan 12, 2023 @ 20:26:23.816
- event.original: `{"timestamp":"2023-01-12T11:27:29.599060+0300"`
My Filebeat config:

```yaml
scan_frequency: 1s
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://192.168.1.8:9200"]
  username: "elastic"
  password: "password"
  ssl.verification_mode: "none"
  indices:
    - index: "filebeat-7.17.8-suricata-%{+yyyy.ww}"
      when.equals:
        event.module: "suricata"
    - index: "filebeat-7.17.8-zeek-%{+yyyy.ww}"
      when.equals:
        event.module: "zeek"
setup.template.name: "filebeat-7.17.8"
setup.template.pattern: "filebeat-7.17.8-*"
setup.template.settings:
  index.number_of_shards: 1
  index.number_of_replicas: 0
```
I also use the same interface for sniffing and transmission (maybe this is important).
There are still not enough resources to monitor the system on the host with Filebeat and ELK.
If you need clarification, please ask.
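As an added diagnostic example (not part of the original post or of Filebeat), the snippet below takes the Suricata `timestamp` value quoted above, normalises it to UTC while honouring its `+0300` offset, and shows the skew a pipeline introduces if it discards that offset and treats the wall-clock time as UTC. It assumes the displayed event.created value is in UTC; the event.created string below is constructed from the post's displayed value.

```python
from datetime import datetime, timezone

# Constructed from the post: the event.original timestamp fragment and the
# displayed event.created time (assumed here to be shown in UTC).
SURICATA_TS = "2023-01-12T11:27:29.599060+0300"
EVENT_CREATED = "2023-01-12T20:26:17.472+00:00"


def parse_suricata_ts(ts: str) -> datetime:
    """Parse an eve.json timestamp, honouring its +HHMM offset, and return UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)


def parse_dropping_offset(ts: str) -> datetime:
    """Simulate a pipeline that discards the offset and treats the wall-clock time as UTC.

    This is the failure mode to look for when @timestamp and event.created disagree
    by a round number of hours.
    """
    aware = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return aware.replace(tzinfo=timezone.utc)  # same digits, wrong zone


def offset_hours(a: datetime, b: datetime) -> float:
    """Signed difference a - b in hours."""
    return (a - b).total_seconds() / 3600


def diagnose(suricata_ts: str, created_iso: str) -> dict:
    """Compare correct and offset-dropped parses against event.created."""
    correct = parse_suricata_ts(suricata_ts)
    wrong = parse_dropping_offset(suricata_ts)
    created = datetime.fromisoformat(created_iso)
    return {
        "correct_utc": correct.isoformat(),
        "offset_dropped_utc": wrong.isoformat(),
        "skew_from_dropping_offset_h": offset_hours(wrong, correct),
        "created_minus_event_h": offset_hours(created, correct),
    }


if __name__ == "__main__":
    for key, value in diagnose(SURICATA_TS, EVENT_CREATED).items():
        print(f"{key}: {value}")
```

A skew of exactly 3.0 hours between the two parses matches the `+0300` offset; any round-hour gap between @timestamp and event.created in your index is the first thing to compare against it.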