idaholab / Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
https://idaholab.github.io/Malcolm/

Does Malcolm support the use of remote logstash instances? #549

Closed alleniverson33 closed 1 month ago

alleniverson33 commented 1 month ago

If Inscribe

mmguero commented 1 month ago

I'm not sure what that would buy you, as that would skip all of the enrichment that's in Malcolm's logstash pipeline. Malcolm maintains its own internal logstash instance, which in turn can forward to its own local OpenSearch instance or a remote OpenSearch or Elasticsearch instance.

On the other hand, if your question is whether or not the Hedgehog Linux sensor can forward Zeek/Suricata logs to another logstash instance that's not Malcolm, then yes I suppose it could be configured to do so.

alleniverson33 commented 1 month ago

Thanks for your answer