Hi all. I just wanted to confirm my thinking with what I'm trying to achieve.
We currently have a version 7.6.2 ES stack running on Kubernetes in Azure AKS.
The ES audit logs are currently being sent to stdout (so available as pod logs).
I was thinking I could create a filebeat pod to collect those logs, but it seems like the wrong way to go about it? I was taking this route because we already have metricbeat set up in this fashion to collect system stats.
Am I right in thinking we should have the audit logs written to disk in the pods, and then install filebeat in each ES pod to hoover them up?
Thanks in advance.