Elastic Enterprise SIEM question

Hello,

So in my company we want to make one SIEM for our clients, and we want to put them all in one cluster as they are small companies and don't generate a lot of logs per day.
I would like to know if it is possible to do that and separate the logs, and create a user for each company so that a user from one company cannot access the logs of the other company?

Best regards

Heya @TheHunter1, we covered a very similar question in the thread linked below. Please check it out, and let us know what you think.

2 Likes

Thanks for your answer @Mike_Paquette,

In my dev cluster I am trying to follow the example discussed in the link.
I tried with auditbeat and configured it like this:

output.elasticsearch:
  # ... hosts / credentials omitted ...
  # Index names must be lowercase; the tenant suffix is the per-company separator
  index: "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}-company1"
setup.template.name: "auditbeat"
setup.template.pattern: "auditbeat-*"

But it didn't change the index name and is still logging into the same index as the other agents!! Should I disable ILM to be able to do that? And if yes, how can I manage my indices without it?

Best regards.
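The following script is an added example, not code from either poster or from Elastic. It covers both questions in this thread: the original ask (one cluster, one index set per company, and a user per company that cannot read another company's indices) and the follow-up about ILM. It assumes Beats 7.x with ILM left enabled, a cluster with security enabled, the placeholder tenant ids `company1`/`company2`, and the environment variables `ES_URL` and `ES_AUTH` (both assumptions). When Beats ILM is enabled, `output.elasticsearch.index` is ignored, so the tenant name goes into `setup.ilm.rollover_alias` instead; the role then grants read access only to indices whose names start with that alias.

```shell
#!/bin/sh
# Added example: per-tenant index naming under Beats ILM plus a read-only
# Elasticsearch role and user scoped to that tenant's indices.
# Assumed environment (not from the thread): ES_URL, ES_AUTH, Beats 7.x, ES security on.

ES_URL="${ES_URL:-https://localhost:9200}"
ES_AUTH="${ES_AUTH:-elastic:changeme}"   # replace with a real admin credential

# Tenant ids become part of index names, so they must be lowercase and
# free of spaces or other characters Elasticsearch rejects in index names.
validate_tenant() {
  case "$1" in
    ''|*[!a-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Beats config fragment for one tenant. With ILM on, the Beat writes to the
# rollover alias (auditbeat-company1) and ILM creates auditbeat-company1-<date>-000001, ...
# so output.elasticsearch.index is not needed (and would be ignored anyway).
beat_ilm_config() {
  tenant="$1"
  cat <<EOF
setup.ilm.enabled: true
setup.ilm.rollover_alias: "auditbeat-${tenant}"
setup.ilm.policy_name: "auditbeat-${tenant}"
EOF
}

# Role restricted to this tenant's indices. The trailing "-" before "*" matters:
# "auditbeat-company1-*" must not also match "auditbeat-company10-...".
tenant_role_json() {
  tenant="$1"
  cat <<EOF
{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": ["auditbeat-${tenant}-*", "filebeat-${tenant}-*"],
      "privileges": ["read", "view_index_metadata"]
    }
  ]
}
EOF
}

# User that carries only the tenant role; no built-in superuser/kibana_admin roles.
tenant_user_json() {
  tenant="$1"; password="$2"
  cat <<EOF
{
  "password": "${password}",
  "roles": ["${tenant}_analyst"],
  "full_name": "${tenant} SOC analyst"
}
EOF
}

# Local check of the role boundary using the same "*" glob semantics as
# Elasticsearch index-privilege patterns: does pattern $1 match index name $2?
pattern_matches() {
  case "$2" in
    $1) return 0 ;;
    *)  return 1 ;;
  esac
}

# Push role and user to the cluster via the Security API (needs network).
apply_tenant() {
  tenant="$1"; password="$2"
  validate_tenant "$tenant" || { echo "bad tenant id: $tenant" >&2; return 1; }
  tenant_role_json "$tenant" | curl -sS --fail -u "$ES_AUTH" \
    -H 'Content-Type: application/json' \
    -X PUT "${ES_URL}/_security/role/${tenant}_analyst" --data-binary @-
  tenant_user_json "$tenant" "$password" | curl -sS --fail -u "$ES_AUTH" \
    -H 'Content-Type: application/json' \
    -X PUT "${ES_URL}/_security/user/${tenant}_analyst" --data-binary @-
}

# Usage: ./tenants.sh apply company1 'S3cret!'   (prints the Beat config too)
if [ "${1:-}" = "apply" ]; then
  apply_tenant "$2" "$3" && beat_ilm_config "$2"
fi
```

Repeat `apply_tenant` once per company and drop the matching `beat_ilm_config` output into that company's Beat configuration; the role is what enforces the separation, since a user holding only `company1_analyst` gets no index privilege on `auditbeat-company2-*`. Kibana access (spaces, dashboards) is granted separately in the same role's `applications` section and is not shown here.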

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.