2.4.120 - elastic agent integrations placement

[udi-mosh]

Version

2.4.120

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

24

RAM

128

Storage for /

500GB

Storage for /nsm

6TB

Network Traffic Collection

tap

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi All,
i would appreciate a clarification regarding the integrations.
for ex., if i want to collect azure logs, can i install an agent on a server residing in the DMZ or should i configure the management agent much like logs from fortigate or cisco devices ?
from what i remember, to be able to parse logs effectively, i need to forward them to where the logstash (hope i am not wrong) is residing and for my installation, it resides on the manager\search node.
10x

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[udi-mosh]

just read the documentation again and to correct my self, i understand that i need the elasticsearch and not the logstash to parse.
still, appreciate the clarification.

[InfosecGoon]

If you want to pull down and ingest logs from a cloud service like Azure, you can do it from any Elastic Agent that's reporting back to your Security Onion installation. It doesn't have to be a member of the SO grid, it can be any device on which you've installed the agent.

Simply duplicate the Agent Policy that's already there (so-grid-nodes-general for an SO host, endpoints-initial for a non-SO host), and add the integration for Azure with the relevant details.

[udi-mosh]

@InfosecGoon thank you very much. this is what i was hoping to hear.