Elastic Entreprise SIEM question


So in my company we want to make one SIEM for our clients, and we want to make them all in one cluster as they are small comapnies and don't generate a lot of logs / day.
I would like to know if there is a possibility to do that and separate the logs and create a user for each company where a user from one company can not access the logs of the other company ?

Best regards

Heya @TheHunter1, we covered a very similar question in the thread linked below. Please check it out, and let us know what you think.


Thanks for your answer @Mike_Paquette,

In my dev cluster i am trying to follow the example discussed in the link.
I tried with auditbeat and configured it like that :

  index: "%{[@metadata][beat]}-%{[@metadata][version]} -%{+YYYY.MM.dd}-Company1"
setup.template.name: "auditbeat"
setup.template.pattern: "auditbeat-*"

But It didn't change the index name and still loggin in the same index as the other agents !! Should I disable ILM to be able to do that ? and if yes, how can I manage my indices without it ?

Best regards.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.