Hello Everyone,
Been stuck on this issue for a while and wondering if anyone can provide me some more information on what could be going on here.
I set up the Suricata integration using fleet server, elastic agent, Kibana and Elasticsearch on one node. The server being used has the following specifications:
Intel(R) Xeon(R) CPU E5-2640 v4 @ 2.40GHz, 20 cores
62.6 GB of RAM
7TB SSD
The output of the eve.json from Suricata is quite large and is being generated at a large rate.
The issue I am having is that the index created by the Suricata integration is showing as behind the actual time at which logs are being generated. When I delete the eve.json file and create it again, the index is able to catch back up and stay up to date for about 30 seconds, then it just gets farther and farther behind.
I have provided screenshots of the index monitoring attached to the form.