Monitoring & Threat Detection

The VNTD environment integrates a centralized monitoring system responsible for processing and visualizing network events across the simulated enterprise network.

The monitoring architecture relies on a single node called logwatch, which integrates several industry-standard open-source tools.

Monitoring Pipeline

flowchart LR

Traffic[Mirrored Traffic] --> Suricata

Suricata --> Logs[EVE JSON Logs]

Logs --> Filebeat

Filebeat --> Elasticsearch

Elasticsearch --> Kibana

The monitoring pipeline follows an architecture designed around logs, where traffic is inspected, transformed into structured events, indexed, and finally visualized.

graph LR
    A[Traffic Source] -->|iptables TEE| B[Suricata IDS]
    B -->|JSON Logs| C[Filebeat]
    C -->|Ingest| D[Elasticsearch]
    D -->|Query| E[Kibana Dashboard]

    subgraph "Detection Service"
    B
        subgraph "Log Processing"
        C
        D
        E
        end
    end

Ass seen, the node is divided into two primary functional areas: - IDS that inspects mirrored traffic from the firewall and stores it into registers using the Suricata service. - Centralized logging platform consisting of Filebeat, Elasticsearch and Kibana.

Data Flow

The monitoring process follows several stages:

Traffic Analysis: Network traffic is mirrored towards the logwatch. Suricata analyzes packets in real time.
Event Generation: Suricata generates structured EVE JSON logs describing network events.
Log Shipping: Filebeat monitors these log files and forwards them to the storage backend.
Indexing: Elasticsearch stores and indexes events, making them searchable.
Visualization: Kibana provides dashboards and search interfaces for analysts.

Web Interfaces

Some services expose web interfaces accessible from the host system.

Service	Access
Kibana	`http://<ip_address>:5601`
Elasticsearch	`http://<ip_address>:9200`

It's recommended to use a web explorer to access both sites, using the IP address generated by Containerlab on setup.

Architecture Overview

The monitoring stack deployed in the logwatch node consists of four major components:

Suricata: Network packet inspection.
Elasticsearch: Log storage and indexing.
Kibana: Visualization and data exploration.
Filebeat: Log forwarding and parsing.