So I've just recently upgraded to 7.0 from 6.7 and had to take out:
xpack.security.audit.outputs: [index, log]
from the elasticsearch.yml config file due to deprecation in 7.0?
As I understand now security audit event are now logged to a json log file. Whats the proper way to index this? Filebeat? Logstash? I don't understand why they took this feature away.. Broke all my security audit visualizations/dashboards