I am testing out how auditbeats work and upon logging into the box that auditbeat is enabled I get 5 authentication_success messages. All 5 of the logs are exactly the same, the only value that is not the same is the _id field.
after digging in for awhile I found out that it came down to logstash pulling data from kafka.
I have 5 different configs auditbeat.conf, filebeat.conf, heartbeat.conf, metricbeat.conf and packetbeat.conf all with different topics to pull from. The problem is it is not only pulling from that topic, it is pulling from all topics that i have in those config files.
All of the files look almost identical to this except for the "topics" part
input {
kafka {
bootstrap_servers => "kafkaBootstrapServer:6667"
topics => ["auditbeat"]
codec => json
}
}
output{
elasticsearch {
hosts => ["LOTS OF HOSTS"]
user => "myUser"
password => "myPass"
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}
Am i not able to have multiple config files with different topics? I wanted to separate them.