General questions about SO tech stack

[LeoSysAdminThatCodes]

Contexts I have stood up an import node in AWS using Ubuntu and cloud formation. Im leading toward using a distributed model, but might use standalone depending on SO's limitations and how this evaluations goes.

1. Can I automate importation of logs from cloud SaaS products into SO? If so what does that process look like?
2. Is it that SO can only inject logs where filebeat can be installed, therefore only on prem devices and onprem cloud devices?\

Based on what I see in the documentation I have to install filebeat and have that move the logs around, zeek is also used to endpoints to gather data. then once the logs get into SO it uses dashboards, hunt and kibana+graphana to display them. How am I doing so far? Please correct me if Im wrong. Are there diagrams or visuals that show these tech stack/flow/process?

[InfosecGoon]

You can automatically import logs from cloud platforms that have a corresponding Filebeat module, like AWS or Azure.

Documentation here:

• https://docs.securityonion.net/en/latest/filebeat.html#modules
• https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules.html

The data flow in a distributed deployment is something like this:

1. The zeek and suricata processes running on a Forward Node write logs to disk.
2. Those logs are picked up by Filebeat on the Forward Node and sent to Logstash on the Manager Node.
3. Logstash puts those logs into a Redis queue.
4. That queue is emptied by the Logstash processes running on the Search Nodes.
5. The Search Nodes parse the logs they pull from the queue and write them to Elasticsearch indices.

Documentation here:

• https://docs.securityonion.net/en/latest/ingest.html