As you can see in the picture above, there are, roughly speaking, 5 subscription types under which the system can be used. Details on everything written below are available on a dedicated Elastic page… Everything written in this article applies to the Elastic Stack hosted on your own infrastructure (on-premise).
Open Source. This is the version of the Elastic Stack that is freely available in Elastic's repositories on GitHub… In principle, you can take it and build a killer of ArcSight, QRadar, Splunk and Elastic's other direct competitors. You don't have to pay anything for this.
Basic… This license type includes the capabilities of the previous one, supplemented by functionality that is not open source but is nevertheless available free of charge: for example, SIEM, the role-based access model, some Kibana visualization types, Index Lifecycle Management, some built-in integrations and other capabilities.
This concludes the free licenses, and it is time to deal with the paid ones. The Elastic Stack is licensed per Elasticsearch node. There can be even a million Kibana and Logstash (or Fluentd, if you prefer) instances nearby, but licenses are counted strictly by the hosts on which Elasticsearch is deployed. Nodes with the Ingest and Client / Coordinating roles are also excluded from the license count. The number of nodes that do count is driven directly by the volume of incoming traffic and the data storage requirements. Recall that for the cluster to be reliable it must have at least 3 nodes. We calculate sizing using the method described in one of the previous articles. When purchasing Elasticsearch licenses, only the subscription format is available, with a term of 1 year or more in 1-year increments (2, 3, and so on). Now let's go back to the license types.
Gold… The Elasticsearch Gold license adds support for authorization via LDAP / AD, extended logging for internal audit, expanded alerting capabilities and vendor technical support during business hours. The Gold subscription is very similar to AWS OpenDistro.
Platinum… The most popular subscription type. In addition to the Gold-level capabilities, it includes machine learning built into Elastic, cross-cluster replication, ODBC / JDBC client support, granular access control down to the document level, 24/7/365 vendor support and some other features. Emergency patches can also be released under this subscription.
Enterprise… The highest subscription level. In addition to all Platinum-level features, it includes the Elastic Cloud Enterprise orchestrator, Elastic Cloud on Kubernetes, the Endgame endpoint security solution (with all its capabilities), vendor support for an unlimited number of Elastic-based projects, and other features. Typically used in large to very large installations.
Elastic has already had a lot of forks, the most famous of which is OpenDistro by AWS… Its key benefit is support for some of the original Elastic features that are otherwise available only on paid subscriptions. The main ones are integration with LDAP / AD (as well as SAML, Kerberos and others), built-in alerting (in free Elastic this is implemented via ElastAlert), logging of user actions and JDBC driver support.
We should also mention HELK and Logz.io… The first is a GitHub project that adds threat-analytics software on top of Elasticsearch (they write that all of this is still in alpha), and the second is a cloud service based on Elastic that adds some nice features. In the comments, you can share other forks you know about.
You can also read:
Understanding Machine Learning in Elastic Stack (aka Elasticsearch, aka ELK)
Elastic under the lock: enabling security options for the Elasticsearch cluster for access from inside and outside
What useful things can be extracted from the logs of a Windows workstation