I'm very very new to Elasticsearch and I have just started to use it. I installed the OpenDistro 7.10.2 version with the Wazuh plugin and so far I'm getting host logs successfully. But I need to add network-based detection as well.
Our company has multiple Fortinet firewalls (FortiGate) and I want to send NetFlow logs to Filebeat-OSS or Zeek and then to Elasticsearch.
So far I can only find the modules in regular Filebeat but not in the OSS version, and as far as I know I can't connect normal Filebeat to OpenDistro for ES.
Is there any advice or workaround that I can use?
You might want to consider ElastiFlow. The Basic Tier license is free. Fortinet doesn't send any vendor-specific fields, so unless you have a larger number of flows/sec, the Basic license should be fine.
So I could replace my Filebeat (and other Beats) + Logstash with this? Could ElastiFlow be the focal point of incoming NetFlows from Cisco, FortiGate, Wi-Fi, etc.?
Actually, to be precise, I want to analyze incoming data with Zeek/Suricata rules, send alerts and visualize the data in Kibana. If ElastiFlow can do that then I'm all for it.
Sorry, I should have been more specific. ElastiFlow is for Netflow, IPFIX and sFlow. It would handle the Netflow data from Fortinet.
For Suricata you might want to take a look at an older project of mine… https://github.com/robcowart/synesis_lite_suricata
It will require some updates for the latest versions of OpenSearch and Logstash, but should provide a reasonable starting place.