Hello,
I am a junior Cybersecurity Engineer and I have to build from scratch a SIEM that needs to monitor many hosts.
Until now, I had several agents (Filebeat, Auditbeat, Winlogbeat, Suricata) installed on several hosts to retrieve logs and send them to my Elastic server.
But it is hard to manage and maintain on many hosts, so I tried Fleet to centralize the agents. It also makes the setup, management, and future integrations easier.
The configuration I was thinking of is: installing the Fleet agent and Suricata on each host to monitor the network.
My goal is to have an accurate detection system as well as be able to upgrade and maintain the agents in the future, and visualize the alerts in the Elastic Security tab of Kibana.
Do you think this configuration is viable to use with Elastic Security? Is Fleet relevant enough regarding the alerts compared to having multiple agents?
Also, should I use Fleet to ingest the Suricata logs?
Note: I am an entry-level user of ELK; I am still learning Fleet and everything!
Thank you for your time