Implementing Elastic Agent on Multiple Endpoints

I’m sorry, I’ve really run out of ideas on how to implement Elastic Agents on multiple endpoints and send the monitoring logs to the Elastic Stack.

The architecture of my experimental environment consists of three Ubuntu virtual machines, with the traffic flow as follows: VM1 → VMSuricata → VM2.

* VM1: traffic sender (ens33: 192.168.10.100)

* VMSuricata: gateway (ens37: 192.168.10.2, ens38: 192.168.20.2)

* VM2: traffic receiver (ens33: 192.168.20.100)

On VMSuricata, I have deployed Elastic Stack 7.17.16 (Elasticsearch + Filebeat + Kibana) to collect and visualize the traffic events and alerts captured by Suricata. However, now I also want to deploy Elastic Agents on VM1 and VM2 in order to collect the sender-side traffic logs (on VM1) and receiver-side traffic logs (on VM2), and then forward this data into the Elastic Stack on VMSuricata for visualization.

I have tried several methods but none of them worked. My questions are:

* With this architecture and Elastic Stack version (7.17.x), is my goal actually achievable?

* Or should I shift to Elastic Stack 8.x instead?

If anyone has guidance, or can recommend some documentation or webpages that could help me achieve this, I would greatly appreciate it. Thank you so much!

Hello,

If you are just starting, it would be better to start with version 8.19.2 or 9.1.2; version 7.X is not supported anymore.

What exactly is your issue? It is not clear.

Dear Leandro,

Thank you for your reply! I’m still quite new to Elastic. As you mentioned, version 7.x is no longer supported, so I’ll try upgrading to 8.19.2.

My first requirement is to visualize Suricata alerts and event logs with the Elastic Stack. To achieve this, I mainly followed the instructions in this tutorial: https://www.digitalocean.com/community/tutorials/how-to-build-a-siem-with-suricata-and-elastic-stack-on-ubuntu-20-04, where I deployed Elasticsearch, Filebeat, Kibana, and Suricata on a single virtual machine (VMSuricata).

If I upgrade to 8.19.2, while also leaving room for Suricata log integration and the implementation of Elastic Agents on other virtual machines, what tutorials or documentation would you recommend?

Thank you in advance!
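Added example for the topology described in the first post (not code from the thread, from Elastic, or from the DigitalOcean tutorial): a `kibana.yml` fragment for an 8.x stack on VMSuricata that hands every enrolled agent Fleet Server and Elasticsearch addresses the endpoint VMs can actually reach. It assumes Fleet Server is installed on VMSuricata on TCP 8220, Elasticsearch listens on TCP 9200 with TLS, both subnets are /24, and the policy, output and fingerprint names and values are placeholders chosen here.

```yaml
# kibana.yml fragment on VMSuricata (added example; every value below is an
# assumption for the thread's topology, not a setting taken from the posts).
# Assumes Elastic Stack 8.x, Fleet Server on VMSuricata listening on TCP 8220,
# and Elasticsearch on TCP 9200 with TLS enabled.

# Kibana must listen on the internal interfaces, not only on localhost,
# otherwise nothing on VM1 or VM2 can reach it.
server.host: "0.0.0.0"

# Fleet Server addresses handed to every enrolled agent. Both gateway
# addresses are listed so an agent on either subnet has a host on its own
# network (192.168.10.2 for VM1, 192.168.20.2 for VM2).
xpack.fleet.agents.fleet_server.hosts:
  - "https://192.168.10.2:8220"
  - "https://192.168.20.2:8220"

# Elasticsearch output the agents ship to. A single-box install typically
# leaves the default output pointing at localhost:9200, which only works for
# an agent running on VMSuricata itself.
xpack.fleet.outputs:
  - id: gateway-es            # placeholder id
    name: "Elasticsearch on VMSuricata"
    type: elasticsearch
    is_default: true
    is_default_monitoring: true
    hosts:
      - "https://192.168.10.2:9200"
      - "https://192.168.20.2:9200"
    # SHA-256 fingerprint of the Elasticsearch HTTP CA certificate
    # (placeholder; read the real value from the CA on VMSuricata).
    ca_trusted_fingerprint: "<ES_HTTP_CA_SHA256_FINGERPRINT>"

# Policy for the endpoint VMs: system logs and metrics only. The Suricata
# integration belongs to a separate policy on the gateway, where eve.json lives.
xpack.fleet.agentPolicies:
  - name: endpoint-vms        # placeholder policy name
    id: endpoint-vms
    namespace: default
    monitoring_enabled: [logs, metrics]
    package_policies:
      - name: system-1
        package:
          name: system
```

Two checks go with this. First, the host firewall on VMSuricata must admit the endpoint subnets on the two ports, and nothing else, e.g. `ufw allow from 192.168.10.0/24 to any port 8220 proto tcp` (repeated for 192.168.20.0/24 and for 9200). Second, enrol each endpoint against the gateway address on its own subnet and pin the Fleet Server CA rather than using `--insecure`, e.g. on VM1 `elastic-agent install --url=https://192.168.10.2:8220 --enrollment-token=<token> --certificate-authorities=/path/to/fleet-ca.crt`; the token path and CA path are placeholders. If an agent shows as enrolled in Fleet but no data arrives, the output hosts above are the first thing to verify from the endpoint with `curl --cacert <ca> https://192.168.10.2:9200`.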