I apologize in advance, I'm new to auditbeat and could use some help.
Basically, I'm trying to get just system logs from machines I'm monitoring. I previously had this working by just putting cloud.id and cloud.auth into the default auditbeat.yml. But now, I'm trying to replace cloud.auth with an api-key. So, I removed the cloud.auth line, and went to this link:
and generated an api key for monitoring. So, I put the api key into auditbeat.yml in the output.elasticsearch section, and in monitoring.elasticsearch. First it gave me an error that it said
"Overwriting ILM policy is disabled. Set
setup.ilm.overwrite: true for enabling.", "stdout_lines": ["Overwriting ILM policy is disabled. Set
setup.ilm.overwrite: true for enabling."
So , set setup.ilm.overwrite to true, but now it's giving me 403 errors, saying that the user:
is unauthorized for API key id  of user "},"status":403
Any help and advice of what I'm doing wrong would be great.