Create new roles for Packetbeat and Auditbeat
- https://www.elastic.co/guide/en/beats/packetbeat/7.2/setting-up-and-running.html
- https://www.elastic.co/guide/en/beats/auditbeat/7.2/setting-up-and-running.html
Then install all of those Beats on all hosts and let them report directly into Elasticsearch. The firewall also needs to be configured for that.