I'm trying to configure winlogbeat to create 2 index, one for each user.
I Know I can configure this using this command:
- index: "new-index-user1"
- index: "new-index-user2"
but as I have winlogbeat 7.3, in documentation say: The
index setting is ignored when index lifecycle management is enabled.
Starting with version 7.0, Winlogbeat uses index lifecycle management by default when it connects to a cluster that supports lifecycle management. Winlogbeat loads the default policy automatically and applies it to any indices created by Winlogbeat.
then I have configured next command:
but I don't know how to create two index, one for events created by user1 and the other one for events created by user2.
please could someone help me?? I'm stuck in this point, thank you very much.