Fleet and Suricata for Elastic Security

Hello,

I am a junior Cybersecurity Engineer and I have to build from scratch a SIEM that needs to monitor many hosts.

Until now, I had several agents (filebeat, auditbeat, winlogbeat, suricata) installed on several hosts to retrieve logs and send them to my elastic server.

But it is hard to manage and maintain on many hosts, so I tried Fleet to centralize the agents. It also makes the setup, management, and future integrations easier.

The configuration I was thinking of is: installing the Fleet agent and Suricata on each host to monitor the network.

My goal is to have an accurate detection system as well as be able to upgrade and maintain the agents in the future, and visualize the alerts in the Elastic Security tab of Kibana.

Do you think this configuration is viable to use with Elastic Security? Is Fleet relevant enough regarding the alerts compared to having multiple agents?

Also, should I use Fleet to ingest the Suricata logs?

Note: I am an entry-level user of ELK, I am still learning Fleet and everything!

Thank you for your time

Hi @Limoelou - Thanks for reaching out. Your use case sounds like a perfect use case for Elastic Agent and a viable configuration to use with Elastic Security. Suricata is generally available as an integration for the agent, and can be used to monitor the network on the hosts. You can see our integrations here: Integrations quick reference | Elastic Docs. Also, to help with your decision-making process, feel free to read through the following section of our docs to confirm the agent meets your setup requirements as well: Beats and Elastic Agent capabilities | Fleet and Elastic Agent Guide [7.16] | Elastic
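The Suricata integration the reply mentions reads Suricata's EVE JSON output and maps it onto ECS fields so that alerts show up in Elastic Security. As an added example (not code from this thread or from Elastic), here is the shape of that transformation in Python, with a constructed EVE sample; the exact field mapping is an approximation of what the integration produces, and the severity threshold is an assumed triage rule, not an integration setting.

```python
import json

# Constructed sample of Suricata EVE JSON lines (not taken from the thread):
# one high-severity alert, one flow record that must be dropped, one low-severity alert.
# Suricata severity is 1 = high, 2 = medium, 3 = low.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"src_port":51234,"dest_ip":"192.0.2.10","dest_port":445,"proto":"TCP",'
    '"alert":{"signature_id":1000001,"rev":1,"signature":"TEST ALERT suspicious inbound SMB",'
    '"category":"Attempted Administrator Privilege Gain","severity":1}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.5",'
    '"dest_ip":"192.0.2.10","proto":"TCP"}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.7",'
    '"src_port":40000,"dest_ip":"198.51.100.3","dest_port":53,"proto":"UDP",'
    '"alert":{"signature_id":1000002,"rev":1,"signature":"TEST ALERT informational DNS query",'
    '"category":"Not Suspicious Traffic","severity":3}}',
]


def eve_alert_to_ecs(line):
    """Parse one EVE JSON line and return an ECS-shaped dict for alert events, else None."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None  # a partially written last line in eve.json is skipped, not fatal
    if ev.get("event_type") != "alert":
        return None  # flow, dns, http, ... records are telemetry, not alerts
    alert = ev.get("alert", {})
    return {
        "@timestamp": ev.get("timestamp"),
        "event": {"kind": "alert", "category": ["network", "intrusion_detection"],
                  "severity": alert.get("severity")},
        "rule": {"id": str(alert.get("signature_id")), "name": alert.get("signature"),
                 "category": alert.get("category")},
        "source": {"ip": ev.get("src_ip"), "port": ev.get("src_port")},
        "destination": {"ip": ev.get("dest_ip"), "port": ev.get("dest_port")},
        "network": {"transport": (ev.get("proto") or "").lower()},
    }


def triage_alerts(lines, max_severity=2):
    """Keep alerts whose Suricata severity is at least as urgent as max_severity (assumed rule)."""
    docs = []
    for line in lines:
        doc = eve_alert_to_ecs(line)
        if doc and doc["event"]["severity"] is not None and doc["event"]["severity"] <= max_severity:
            docs.append(doc)
    return docs
```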
