Resources, events, news

Elasticsearch for enterprise security log storage and management is a hot topic today. Specular gains in performance, functionality and cost are ready for harvest. But what exactly does it take to create a large Ela stic log storage infrastructure?

This talk will present war stories related to at 150,000 events per second (EPS) Elastic log storage implementation with two-month retention built at a large commercial client. We take you through sizing, design, staffing and cost; discuss architecture, storage density and ingestion: and share our gotchas and lessons learned. We also touch on evidentiary-quality log storage for compliance. Curious about what it would take for Elastic to hold your security logs? This 55-minute video shows you the way.

The LogStash MaxMind filter enriches documents with GeoIP information from the open source MaxMind database. But you can also customize this filter to enrich documents with all kinds of other IP-related data.

MaxMind uses its own database, which enables very fast searching based on IP address. We’ve found that this is the very best way to retrieve any type of IP-based information and store it upon ingestion without impacting performance.

In this 38-minute video, we demonstrate how to create customized instances of the MaxMind database and associated LogStash filters to enrich documents with all all kinds of other information, such as internal network descriptors, individual internal endpoints and threat intel on external IPs.