What is the best or recommended way to collect "auth" data within Beats: send it directly to Elasticsearch or via Logstash?
For now, Beats are configured to use "output.logstash" and the "system" module is enabled.
So I can find the "authentication failure" with a non-parsed message in Kibana's "Discover":
Whether or not to use Logstash depends mostly on your use case. If you want to do some advanced parsing or transformation, I recommend using Logstash.
If these transformations are simple enough for the Beat to handle, you can output to ES directly.
Okay, Kibana's default Visualize uses "event.action" to count SSH login attempts, but in my case it should be "system.auth.ssh.event".
For some reason I cannot modify the default Visualize templates.
Suppose it's okay to close this topic.