I have an index named "logs". I'm getting all database, application and server logs in the same index. How can I create different roles so that one can monitor only database and one can monitor only application?
Ideally you should put these into their own indices; this is a data hygiene thing as much as a security one.
Are you ingesting these with Logstash? Are you defining a specific _type or applying a tag?
I'm using packetbeat for the logs from the database and the server logs, so I'm getting all logs in the same index.
If you have fields in your data that can be used to determine who should be able to see what data, you can create filtered aliases on top of the index and secure these.
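An added example of the filtered-alias approach described in that reply (not code from the original thread). It assumes each document in the shared "logs" index carries a "type" field set by the shipper, and that the cluster exposes the `/_aliases` and `/_security/role` APIs (the role endpoint differs on older Shield-era versions). The script builds one alias and one read-only role per source and, using constructed sample events, shows offline which events each role would see.

```python
import json

# Constructed sample events standing in for documents in the shared "logs" index.
# Assumption: the shipper sets a "type" field per source; use whatever field your
# data actually carries (a keyword field, so the term filter is an exact match).
SAMPLE_DOCS = [
    {"type": "database", "message": "slow query on orders (2.3s)"},
    {"type": "application", "message": "login failed for user alice"},
    {"type": "server", "message": "disk usage 91% on /var"},
    {"type": "database", "message": "replication lag 12s"},
]


def filtered_alias_body(index, alias, field, value):
    """Request body for POST /_aliases: expose only docs where field == value."""
    return {"actions": [{"add": {"index": index, "alias": alias,
                                 "filter": {"term": {field: value}}}}]}


def role_body(alias):
    """Request body for PUT /_security/role/<name>: read-only on the alias.
    The role names the alias only, never the backing index: a user who is
    also granted "logs" itself can query it directly and bypass the filter."""
    return {"indices": [{"names": [alias],
                         "privileges": ["read", "view_index_metadata"]}]}


def visible_through(alias_body, docs):
    """Offline approximation of the alias filter: the docs a user limited
    to this alias would be able to see."""
    term = alias_body["actions"][0]["add"]["filter"]["term"]
    (field, value), = term.items()
    return [d for d in docs if d.get(field) == value]


def build_setup(index="logs", field="type", sources=("database", "application")):
    """One alias and one role per source: {source: (alias_body, role_body)}."""
    return {s: (filtered_alias_body(index, f"{index}-{s}", field, s),
                role_body(f"{index}-{s}")) for s in sources}


if __name__ == "__main__":
    for source, (alias, role) in build_setup().items():
        print(f"# POST /_aliases\n{json.dumps(alias)}")
        print(f"# PUT /_security/role/{source}_monitor\n{json.dumps(role)}")
        for d in visible_through(alias, SAMPLE_DOCS):
            print(f"  {source} sees: {d['message']}")
```

The "server" events are visible through neither alias, which is the expected outcome until a third alias and role are added for them.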