Index / Index Templates #11486

Hello everyone,

We are currently planning to completely restructure our Security Onion environment. We have a few questions about this and would like to draw on your experience.

In our old environment (Security Onion 2.3.x), we collected all data, such as applications, Windows event logs, firewall and Sysmon, in an index that was recreated every day.
The data was sent from the Windows systems to a Windows event forwarder via group policy and from there forwarded to a Security Onion receiver via the Winlogbeat agent.
We did not use an index template for this index.

Our new environment will be installed with Security Onion 2.4.
We now want to create several indexes for different applications, Sysmon and Windows systems and then assign them to the appropriate index templates.
We hope that our data will be enriched with the right information.
The data should continue to be collected via the existing event forwarders.

We currently don't have much experience with Security Onion, so here are our questions:

Replies: 1 comment

I would try to leverage as many supported Elastic integrations as possible. https://docs.securityonion.net/en/2.4/elastic-fleet.html#integrations This will reduce the amount of custom configuration needed. You will need to use Elastic Agent vs. Filebeat for Security Onion 2.4.
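The thread turns on how several per-source indexes get matched to index templates, and on what happens to an index that has no template at all. The following is an added example, not code from the thread, from Security Onion or from Elastic: an offline model of the Elasticsearch rules that decide which composable index template applies to a newly created index (an index_patterns entry must match the name, only `*` is a wildcard, the highest priority among matching templates wins, and equal-priority overlaps are rejected). The template names, component-template names and index names below (`logs-windows-sysmon`, `ecs-mappings`, `so-daily-2023.05.01` and so on) are constructed for illustration and follow the `logs-<dataset>-<namespace>` naming that Elastic Agent data streams use; they are assumptions, not names from the thread.

```python
"""Offline model of Elasticsearch composable index-template resolution.

Added example, not code from the thread, from Security Onion or from Elastic.
All template and index names are constructed for illustration.
Rules modelled: a template applies to a new index when one of its
index_patterns matches the name ('*' is the only wildcard), the matching
template with the highest priority wins, and a tie at the top priority is an
error (Elasticsearch refuses to create such overlapping templates).
"""
import json
import re

# Constructed templates, one per data source (hypothetical names).
TEMPLATES = [
    {"name": "logs-windows-sysmon",
     "index_patterns": ["logs-windows.sysmon_operational-*"],
     "priority": 250, "composed_of": ["ecs-mappings", "sysmon-mappings"]},
    {"name": "logs-windows-generic",
     "index_patterns": ["logs-windows.*-*"],
     "priority": 200, "composed_of": ["ecs-mappings", "winlog-mappings"]},
    {"name": "logs-app",
     "index_patterns": ["logs-app.*-*"],
     "priority": 200, "composed_of": ["ecs-mappings"]},
    {"name": "logs-catchall",
     "index_patterns": ["logs-*-*"],
     "priority": 100, "composed_of": ["ecs-mappings"]},
]


def pattern_matches(pattern: str, index_name: str) -> bool:
    """Match an index_pattern against an index name; only '*' is a wildcard."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, index_name) is not None


def resolve_template(index_name: str, templates=TEMPLATES):
    """Return the template that would apply to a new index, or None.

    None means no template matches: the index is created with dynamic
    mappings only, so no ECS field mapping or enrichment is guaranteed.
    A tie at the highest matching priority raises ValueError, because
    Elasticsearch would never have accepted both templates.
    """
    candidates = [t for t in templates
                  if any(pattern_matches(p, index_name) for p in t["index_patterns"])]
    if not candidates:
        return None
    top = max(t["priority"] for t in candidates)
    winners = [t for t in candidates if t["priority"] == top]
    if len(winners) > 1:
        raise ValueError("ambiguous templates at priority %d for %s: %s"
                         % (top, index_name, [t["name"] for t in winners]))
    return winners[0]


def index_template_body(template: dict) -> dict:
    """Build the request body for PUT _index_template/<name> (data stream variant)."""
    return {
        "index_patterns": list(template["index_patterns"]),
        "priority": template["priority"],
        "composed_of": list(template["composed_of"]),
        "data_stream": {},
    }


if __name__ == "__main__":
    # Constructed index names: three Elastic Agent style data streams and one
    # old-style daily index with no matching template.
    for name in ["logs-windows.sysmon_operational-default",
                 "logs-windows.forwarded-default",
                 "logs-app.crm-default",
                 "so-daily-2023.05.01"]:
        chosen = resolve_template(name)
        print(name, "->", chosen["name"] if chosen else "no template (dynamic mappings)")
    print(json.dumps(index_template_body(TEMPLATES[0]), indent=2))
```

The model makes the practical point visible: an index named outside every `index_patterns` entry (like a hand-made daily index) silently gets dynamic mappings, while a more specific template only beats a broader one if its priority is strictly higher. The Elastic integrations the reply recommends install their own index and component templates for the data streams they ship, which is the configuration this example sketches by hand.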