5 logs for every audit event

I am testing out how auditbeat works, and upon logging into the box on which auditbeat is enabled I get 5 authentication_success messages. All 5 of the logs are exactly the same; the only value that differs is the _id field.

After digging in for a while I found out that it came down to Logstash pulling data from Kafka.

I have 5 different configs (auditbeat.conf, filebeat.conf, heartbeat.conf, metricbeat.conf and packetbeat.conf), all with different topics to pull from. The problem is that it is not only pulling from that topic; it is pulling from all topics that I have in those config files.

All of the files look almost identical to this, except for the "topics" part:

input {
  kafka {
    bootstrap_servers => "kafkaBootstrapServer:6667"
    topics => ["auditbeat"]
    codec => json
  }
}

output{
  elasticsearch {
    hosts => ["LOTS OF HOSTS"]
    user => "myUser"
    password => "myPass"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

Am I not able to have multiple config files with different topics? I wanted to separate them.
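What the symptom points to is how Logstash loads configuration: every file under path.config is concatenated into one pipeline, so all five Kafka inputs feed all five Elasticsearch outputs, and each event is indexed once per output block (five copies that differ only in the _id Elasticsearch assigns). The config below is an added example, not from this thread or from Elastic's documentation, showing how to keep the beats apart inside a single pipeline by tagging each input and routing on the tag. Hostnames, credentials, group_id values and tag names are placeholders I chose for illustration.

```logstash
# Added example: one pipeline, per-beat Kafka inputs kept separate by tags.
# All files in path.config merge into this single pipeline, so without the
# conditionals below every output would receive events from every input.

input {
  kafka {
    bootstrap_servers => "kafkaBootstrapServer:6667"
    topics            => ["auditbeat"]
    group_id          => "logstash-auditbeat"   # one consumer group per beat (placeholder name)
    codec             => json
    tags              => ["auditbeat"]          # mark the source so outputs can filter on it
  }
  kafka {
    bootstrap_servers => "kafkaBootstrapServer:6667"
    topics            => ["filebeat"]
    group_id          => "logstash-filebeat"
    codec             => json
    tags              => ["filebeat"]
  }
  # heartbeat, metricbeat and packetbeat inputs follow the same pattern,
  # each with its own topic, group_id and tag.
}

output {
  # Each output block now only sees events from its own input.
  if "auditbeat" in [tags] {
    elasticsearch {
      hosts           => ["es01.example:9200"]   # placeholder host
      user            => "myUser"
      password        => "myPass"
      manage_template => false
      index           => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  } else if "filebeat" in [tags] {
    elasticsearch {
      hosts           => ["es01.example:9200"]
      user            => "myUser"
      password        => "myPass"
      manage_template => false
      index           => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
  # Events carrying none of the expected tags are dropped here rather than
  # written to every index; add an else branch if you want them kept.
}
```

If the goal is genuinely separate files with no shared state, the alternative is to define one pipeline per beat in pipelines.yml (a pipeline.id and a path.config entry pointing at each .conf file); inputs and outputs in different pipelines never see each other's events, so no conditionals are needed. A quick way to confirm the fix is to log in once more and check that a single authentication_success document appears per index.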

Take a look at this thread.

Very interesting, Thanks for this!!
