The solution wasn't obvious. I had already done the auditbeat setup thing. So i made the output of Auditbeat straight to ES.
And then i noticed the error resource .... exists, but it is not an alias so i solved in on that thread.
So the problem was that i deleted the auditbeat-7.13.2 index and i created another one via logstash when i had the output like this:
output {
elasticsearch {
hosts => ["https://localhost:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}"
user => logstash_user
password => apass
ssl => true
cacert => "/usr/share/logstash/config/elasticsearch-ca.pem"
http_compression => true
sniffing => false
}
}
So i get HOW this happened but even after i read that thread on github, i don't fully understand WHY is that behavior happening. I mean i just Deleted the index and logstash created automatically...
Can someone explain it ?