Beats/filebeat to 2.4 node (ex. SUricata running on external firewall)

[thedeadliestcatch]

Version

2.4.100

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

64

RAM

1TB

Storage for /

30PTB

Storage for /nsm

30PTB

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

There is no documentation for 2.4 related to using beats/filebeat to supply logs from, for example, Suricata running on external firewalls. This is still the only way to support Suricata/Snort/etc in pfSense and similar products, as Elastic Agent is not supported on *BSD.

Some documentation helping users configure it safely would be a good idea (TLS, authenticated).

I understand that the ideal setup is to use forward nodes and port mirroring/capture cards (or even an entirely isolated solution replaying traffic into a NIC that goes to a SO node NIC directly). But this is not realistic for many users.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.