I'm very new to ELK and have read a lot about it.
I like it very much and will go deeper and deeper for better understanding.
Now I've built a lab and am testing ELK for log management.
In our company we have a lot of dedicated customers.
My use case to test is that I want to save the Windows event logs for security, to have a central place for auditing and archiving these logs.
OK, I know that in the following example I used the wrong beat, but I need this for understanding only.
At this time my index names created from the filebeat plugin are filebeat-2018-07-10, filebeat-2018-07-12... How do I accomplish that the index has the name of the customer, like filebeat-customer1-2018-07-10 or filebeat-windows-customer-2018-07-10...?
Or am I wrong with that concept for the later delete process to delete all data of a customer? If I'm wrong, it would be great if you could explain to me how to accomplish this scenario.
I tested the tags and additional fields (with the customer name for that), but I read that Curator deletes by index name and not inside of an index by tags or field values.
The other question is how to archive the logs.
My idea is that I configure it so that I have 90 days for research and after that time the logs will be archived (2 years retention time) for later research if it's needed.
Sorry for the newbie questions, but I'm stuck right now with that, and concept and understanding is everything before starting in production.
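The per-customer index naming asked about above, as an added example that is not part of the original post: Filebeat lets `output.elasticsearch.index` be a format string that references event fields, so a custom `customer` field attached to an input ends up in the index name. The host, paths and customer name are placeholders chosen for this illustration; the template name and pattern settings are required by Filebeat whenever the index name is customized, otherwise the daily indices are created without the Filebeat mapping.

```yaml
# filebeat.yml (illustrative; hosts, paths and customer names are assumptions)
filebeat.inputs:
  - type: log
    paths:
      - /var/log/customer1/*.log
    # Every event from this input carries fields.customer = "customer1"
    fields:
      customer: customer1

  - type: log
    paths:
      - /var/log/customer2/*.log
    fields:
      customer: customer2

output.elasticsearch:
  hosts: ["localhost:9200"]
  # Index name built from the event field plus the event date, e.g.
  # filebeat-customer1-2018.07.10 -- one index per customer per day,
  # so a later delete or snapshot can select a customer by name alone.
  index: "filebeat-%{[fields.customer]}-%{+yyyy.MM.dd}"

# Required once output.elasticsearch.index is customized: the template
# must still match the new names, and the pattern must cover all of them.
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
```

An event without `fields.customer` would leave the placeholder unresolved, so each input that feeds this output needs the field set; a `filebeat-*` wildcard still covers every customer for searching, while `filebeat-customer1-*` selects one customer for lifecycle actions.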
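The 90-day online / 2-year archive retention described above, as an added example that is not part of the original post and assuming indices already carry the customer name and a `yyyy.MM.dd` date suffix. Curator selects indices by name, so a `pattern` filter on the customer prefix combined with an `age` filter derived from the date in the name is enough; the repository `customer_archive` is an assumed name that must already be registered in Elasticsearch (a shared filesystem or S3 repository, for example) before the snapshot action runs. Actions execute in numeric order, so the snapshot is taken before anything is deleted.

```yaml
# curator action file (illustrative; repository name is an assumption and
# must be registered in Elasticsearch before this runs)
actions:
  1:
    action: snapshot
    description: >-
      Archive customer1 indices older than 90 days into the snapshot
      repository before they are removed from the cluster.
    options:
      repository: customer_archive
      # Snapshot name pattern; Curator expands the strftime fields.
      name: 'customer1-%Y%m%d'
      wait_for_completion: True
      ignore_empty_list: True
    filters:
      - filtertype: pattern
        kind: prefix
        value: filebeat-customer1-
      - filtertype: age
        source: name
        direction: older
        timestring: '%Y.%m.%d'
        unit: days
        unit_count: 90

  2:
    action: delete_indices
    description: >-
      Delete customer1 indices older than 90 days; they now exist only
      in the snapshot repository.
    options:
      ignore_empty_list: True
    filters:
      - filtertype: pattern
        kind: prefix
        value: filebeat-customer1-
      - filtertype: age
        source: name
        direction: older
        timestring: '%Y.%m.%d'
        unit: days
        unit_count: 90
```

Two checks worth making before running this against real data: run Curator with `--dry-run` first to confirm the filters select only the intended customer's indices, and confirm that a snapshot actually completed before the delete action (here `wait_for_completion: True` blocks until it has). Removing snapshots after the two-year archive period is a separate `delete_snapshots` action against the same repository; deleting a whole customer is the same `delete_indices` action with the `age` filter left out.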