Forwarding logs to external network ELK cluster

Hi everyone,

I have a question about forwarding Beat data from a Customer's network to an offsite network. The idea is to get insight in the hosts data, retrieve those data with agents(Beats) and process them on a separate system within their network. Once processed, forward the data through a VPN Tunnel to the Elasticsearch cluster which will analyse the data.

I know it's really easy to set up the following situation: Hosts(auditbeat,packetbeat etc.) -> sends data directly to Elasticsearch over the VPN. This is not ideal, this would expose the external network CIDR and ES ip-address to those hosts.

A more ideal situation would be: Hosts -> sends data to forwarder within the same network -> forwarder sends data to offsite ES cluster.

I know Splunk has a forwarding/collector solution for this, I'm not sure if Elastic ever thought about this situation.

Thanks!

You can may be send the data to logstash and then ask logstash to send the data to elasticsearch?

Would that work for you?

That would mean we need to configure a server to run Logstash, right? Hosts will be sending their data to this specific server that reads, processes and forwards the data to an ES endpoint?

Yes.