
5. Architecture

Hariom Chaturvedi edited this page Aug 15, 2021 · 1 revision

PcapMonkey Architecture

As mentioned before, PcapMonkey is built on the Elastic Stack together with Suricata and Zeek. The components of PcapMonkey are:

  • Elasticsearch
  • Filebeat
  • Kibana
  • Suricata
  • Zeek
  • evtxtoelk

Its architecture is depicted in the diagram below:

[Diagram: PcapMonkey Architecture]

Suricata

Suricata is a high-performance, open-source Network IDS, IPS, and Network Security Monitoring engine.

Suricata processes packet capture files and writes alerts, anomalies, metadata, file info, and protocol-specific records to eve.json. The contents of this JSON file are collected by Filebeat and shipped to Elasticsearch.
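To make the eve.json-to-Elasticsearch step concrete, here is an added example (not PcapMonkey's or Filebeat's own code) that parses constructed eve.json lines into flat ECS-style documents and counts alerts per rule name, the first pivot one typically makes in Kibana. The field mapping approximates what the Filebeat Suricata module produces and is an assumption; the sample records, rule name, and signature_id are constructed.

```python
import json
from collections import Counter

# Constructed sample of Suricata eve.json output (NDJSON, one record per line).
# The rule name and signature_id are placeholders in the local-rules range.
EVE_SAMPLE = """\
{"timestamp":"2021-08-15T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51515,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"signature":"LOCAL Constructed test signature","severity":2}}
{"timestamp":"2021-08-15T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","src_port":40000,"dest_ip":"10.0.0.2","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2021-08-15T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.7","src_port":51516,"dest_ip":"203.0.113.9","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,"signature":"LOCAL Constructed test signature","severity":2}}
this line is not JSON and must be skipped
"""


def eve_to_ecs(rec: dict) -> dict:
    """Map one eve.json record to a flat ECS-style document (approximate mapping)."""
    doc = {
        "@timestamp": rec["timestamp"],
        "event.module": "suricata",
        "event.kind": "alert" if rec["event_type"] == "alert" else "event",
        "source.ip": rec.get("src_ip"),
        "source.port": rec.get("src_port"),
        "destination.ip": rec.get("dest_ip"),
        "destination.port": rec.get("dest_port"),
        "network.transport": rec.get("proto", "").lower(),
    }
    if "alert" in rec:  # rule metadata only exists on alert records
        doc["rule.id"] = str(rec["alert"]["signature_id"])
        doc["rule.name"] = rec["alert"]["signature"]
        doc["event.severity"] = rec["alert"]["severity"]
    if "dns" in rec:  # protocol-specific block for dns records
        doc["dns.question.name"] = rec["dns"].get("rrname")
        doc["dns.question.type"] = rec["dns"].get("rrtype")
    return doc


def parse_eve(text: str) -> list:
    """Parse NDJSON eve output, skipping malformed or incomplete lines instead of failing."""
    docs = []
    for line in text.splitlines():
        try:
            docs.append(eve_to_ecs(json.loads(line)))
        except (json.JSONDecodeError, KeyError):
            continue
    return docs


def alert_counts(docs: list) -> Counter:
    """Count alert documents per rule name."""
    return Counter(d["rule.name"] for d in docs if d["event.kind"] == "alert")
```

Running `alert_counts(parse_eve(EVE_SAMPLE))` on the sample yields two hits for the constructed rule; the dns record and the malformed line are kept out of the alert tally.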

Zeek

Zeek is a passive, open-source network traffic analyzer. Among its features are an extensive set of logs describing network activity and the ability to extract files from HTTP sessions.

Similar to Suricata, logs generated by Zeek are collected by Filebeat and shipped to Elasticsearch.

evtxtoelk

evtxtoelk is a lightweight tool for loading Windows Event Log data into Elasticsearch. It processes .evtx files, extracts the event data, converts it to the ECS format, and ships it to Elasticsearch.

Filebeat

Filebeat is a lightweight shipper for forwarding and centralizing log data. It monitors the log files and locations written by Suricata and Zeek, collects log events, and forwards them to either Elasticsearch or Logstash for indexing in ECS format.

For more information, see How Filebeat works.

Elasticsearch

Elasticsearch is the distributed search and analytics engine at the heart of the Elastic Stack. It efficiently stores and indexes data in a way that supports fast searches.

Elasticsearch stores and indexes the data coming from Filebeat. Kibana helps in visualizing this data.

Kibana

Kibana enables users to give shape to the data. With Kibana, one can:

  • Search, observe, and protect. From discovering documents to analyzing logs to finding security vulnerabilities, Kibana is your portal for accessing these capabilities and more.
  • Visualize and analyze your data. Search for hidden insights, visualize what you’ve found in charts, gauges, maps, and more, and combine them in a dashboard.
  • Manage, monitor, and secure the Elastic Stack. Manage your indices and ingest pipelines, monitor the health of your Elastic Stack cluster, and control which users have access to which features.