i'm using filebeat's suricata and zeek modules, everything works great as long as i dont mess with the index names..
my issue is i have multiple sources sending in data from multiple locations..
right now everything is feeding into filebeat-7.1.1 (alias) then its creating indexes that roll over.. (i think thats how it is working)
i'd like to be able to have the names filebeat-7.1.1-building1, filebeat-7.1.1-building2
when i modify the index name in any way via logstash, everything goes to hell.. the processing/piplelines done seem to work..
-- suricata logs stop saying suricata and just say "json"
-- dashboards stop being linked to data
any suggestions.. i've googled all i know to google.. and i'd searched this discussion board every way i know how.
thank you