Hi there, we are using filebeat to automatically pick up the /var/log/syslog and /var/log/auth.log on our Ubuntu servers and it is working great to populate the authlog dashboard in Kibana.
We are starting to develop more and more applications in containers, and are standardising logging via syslog so that filebeat can pick up the logs via the Docker or Kubernetes APIs.
The question is, how does filebeat know what an "auth.log" event in syslog looks like? For example, if we are writing all logs to syslog in our applications, how can we extract the specific access or permission-type information from the aggregated syslog stream to populate the Kibana authlog dashboard?
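Added worked example (not part of the original post, and not filebeat's own code). The point it illustrates: the filebeat system module's `auth` fileset does not recognise auth events by content; it knows they are auth events because it tails `/var/log/auth.log` (or `/var/log/secure`), and on Ubuntu that file exists only because rsyslog routes the `auth` and `authpriv` facilities into it. The fields on the dashboard then come from grok patterns in the module's ingest pipeline. For a mixed container stream you have to reproduce that split yourself, either by program name or by message pattern. The script below does both over a few constructed syslog lines: it parses the RFC 3164 header, matches sshd/sudo/PAM messages with regexes that are my own approximations of that kind of grok rule (not the module's patterns), emits ECS-style field names (assumed here), and routes anything from a known auth program that matched nothing into the auth stream as an unclassified event rather than dropping it.

```python
import re
from typing import Optional

# RFC 3164-style line as rsyslog writes it on Ubuntu:
#   "Mar  3 10:11:12 host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Programs whose lines belong in the auth stream even if no pattern below matches.
# Assumption: these are the usual writers to auth.log on an Ubuntu host.
AUTH_PROGRAMS = {"sshd", "sudo", "su", "login", "passwd", "systemd-logind"}

# (event.action, event.outcome, pattern). Illustrative regexes written for this
# example; they are not the system module's grok patterns. Success rules come
# first so a line is never mis-read as its failure counterpart.
AUTH_PATTERNS = [
    ("ssh_login", "success",
     re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("ssh_login", "failure",
     re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("sudo_command", "success",
     re.compile(r"^\s*(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")),
    ("sudo_command", "failure",
     re.compile(r"^\s*(?P<user>\S+) : (?P<reason>.+?) ; TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")),
    ("pam_session", "success",
     re.compile(r"^pam_unix\((?P<service>[^:]+):session\): session opened for user (?P<user>\S+)")),
]

# Constructed sample stream: auth events interleaved with an application line.
SAMPLE_SYSLOG = """\
Mar  3 10:11:12 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc
Mar  3 10:11:15 web01 sshd[1240]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar  3 10:11:20 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar  3 10:11:25 web01 sudo:     bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:11:30 web01 myapp[4242]: GET /healthz 200 1ms
Mar  3 10:11:31 web01 CRON[555]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 10:11:32 web01 sshd[1300]: Received disconnect from 203.0.113.9 port 40022:11: Bye Bye
"""


def to_auth_event(line: str) -> Optional[dict]:
    """Return an ECS-style event dict if the line is an auth event, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not a syslog line we understand; leave it in the plain stream
    hdr = m.groupdict()
    base = {"host.name": hdr["host"], "process.name": hdr["program"], "message": hdr["msg"].strip()}
    if hdr["pid"]:
        base["process.pid"] = int(hdr["pid"])

    for action, outcome, pat in AUTH_PATTERNS:
        pm = pat.match(hdr["msg"])
        if not pm:
            continue
        f = pm.groupdict()
        ev = dict(base, **{"event.category": "authentication",
                           "event.action": action, "event.outcome": outcome})
        if f.get("user"):
            ev["user.name"] = f["user"]
        if f.get("ip"):
            ev["source.ip"] = f["ip"]
        if f.get("port"):
            ev["source.port"] = int(f["port"])
        if f.get("target"):
            ev["user.effective.name"] = f["target"]
        if f.get("cmd"):
            ev["process.command_line"] = f["cmd"]
        if f.get("reason"):
            ev["event.reason"] = f["reason"]
        return ev

    # Known auth program, unrecognised message: keep it in the auth stream
    # (unclassified) instead of silently losing it.
    if hdr["program"] in AUTH_PROGRAMS:
        return dict(base, **{"event.category": "authentication", "event.action": "unknown"})
    return None


def split_stream(lines):
    """Route each line to the auth stream (as events) or the plain syslog stream."""
    auth, other = [], []
    for line in lines:
        if not line.strip():
            continue
        ev = to_auth_event(line)
        if ev is None:
            other.append(line)
        else:
            auth.append(ev)
    return auth, other


if __name__ == "__main__":
    auth_events, plain = split_stream(SAMPLE_SYSLOG.splitlines())
    for ev in auth_events:
        print(ev)
    print(f"{len(auth_events)} auth events, {len(plain)} plain syslog lines")
```

The practical consequence for an application that wants its access or permission decisions on the same dashboard is to make them look like the lines the module already parses: log them to the `authpriv` facility so rsyslog files them in auth.log, or tag them with a distinct program name and route that name to the auth pipeline in filebeat, rather than hoping content inspection will find them in the general syslog stream.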