I have the following self-hosted setup on ELK stack 8.6.1:
Firewall (logs) --> Filebeat --> Logstash --> Elasticsearch Cluster
I am trying to integrate Filebeat's Threat Intel module into this setup so that IOCs in logs can be identified.
Can this be done using the existing Filebeat instance, or does it require a separate, dedicated instance of Filebeat?
The present filebeat.yml has output enabled for Logstash:

output.logstash:
  hosts: ["192.168.1.1:5144"]
I am assuming that to integrate Threat Intel data, the threat feed would be sent directly to Elasticsearch whereas the Firewall logs would reach Elasticsearch via Logstash. This is because the logs are being enriched/filtered using logstash filters.
In filebeat.yml, if we enable Elasticsearch output in addition to the existing Logstash output so as to send the Threat Intel feed to Elasticsearch, how will Filebeat decide which data (logs, threat intel) goes where?
I have tried following the official documentation. However, I am not able to figure out how the Threat Intel feed can be integrated into the existing setup.
What could I possibly be missing here?
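One way the routing question can be handled from the single existing Filebeat instance, as an added example that is not part of the original post: a Filebeat instance supports only one output at a time, so the threatintel module events travel through Logstash like the firewall logs, and Logstash routes them on the `event.module` and `@metadata.pipeline` fields that Filebeat attaches to module events. ES_HOST, the Elasticsearch user name and the firewall index name are placeholders; the example assumes `filebeat setup` has already loaded the threatintel ingest pipelines into Elasticsearch.

```conf
# Added example (not from the original post): single Logstash pipeline that
# receives everything from one Filebeat instance and routes by module.
input {
  beats {
    port => 5144   # matches output.logstash in the posted filebeat.yml
  }
}

filter {
  # threatintel events are parsed by an Elasticsearch ingest pipeline, not by
  # Logstash, so only the firewall logs pass through the existing filters.
  if [event][module] != "threatintel" {
    # existing firewall grok / geoip / mutate filters belong here, unchanged
  }
}

output {
  if [event][module] == "threatintel" and [@metadata][pipeline] {
    # Keep the module's own index name and ingest pipeline so the indicator
    # documents land in filebeat-* exactly as if Filebeat had written them
    # directly, which is where indicator match rules look by default.
    elasticsearch {
      hosts           => ["https://ES_HOST:9200"]   # placeholder
      index           => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action          => "create"
      pipeline        => "%{[@metadata][pipeline]}"
      manage_template => false
      user            => "logstash_writer"          # placeholder
      password        => "${LOGSTASH_ES_PASSWORD}"  # from keystore or env
    }
  } else {
    # Firewall logs keep their existing index and Logstash enrichment.
    elasticsearch {
      hosts    => ["https://ES_HOST:9200"]   # placeholder
      index    => "firewall-%{+YYYY.MM.dd}"  # placeholder for the current firewall index
      user     => "logstash_writer"          # placeholder
      password => "${LOGSTASH_ES_PASSWORD}"
    }
  }
}
```

Run `bin/logstash --config.test_and_exit -f <file>` to check the syntax before reloading; if the threatintel branch yields no documents, confirm in Elasticsearch that the `filebeat-8.6.1-threatintel-*` ingest pipelines exist.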