Suricata was installed normally, and it is actually running on a 1G network.
However, since there is no SIEM yet, logs are being loaded into Elasticsearch.
I tried to use Elasticsearch for the first time, but there are so many limitations in creating correlations with Elasticsearch that I judge I need to use another one (only some specific rules can be triggered; IP-based correlation is not possible).
I'm currently looking at Datadog, Sumo Logic, LogRhythm, etc. If you use one of them, can you tell me how you are creating the correlation rules?