Hello. Completely new to Elastic as well as this form. Initially working with auditbeat. Using 7.4. I am planning to send all of the captured audit information directly to Logstash first.
Since I’ll use Logstash to perform additional processing on the data collected by Auditbeat, I will not need to send any data directly to Elasticsearch, so I disabled that output
(output.elasticsearch) in the auditbeat config file (auditbeat.yml) by commenting it all out. At the same time, I configured the
output.logstash section by uncommenting the lines
output.logstash. I was assuming both should never coexist.
As I read the documentation in elastic.co related to "Loading the Elastic Template into Elasticsearch," I read, " By default, Auditbeat automatically loads the recommended template file,
fields.yml , if the Elasticsearch output is enabled. If you want to use the default index template, no additional configuration is required. Otherwise, you can change the defaults in the auditbeat.yml config file..."
So I have enabled the Logstash output while disabling the elasticsearch output, so I am no longer going the 'default' route in terms of the index template which utilizes fields.yml. This is where my question (or two) come(s) in.
1.) Can I still use the same fields.yml template file even though I enabled Logstash output/disabled elasticsearch output?
2.) Regardless of the answer to #1, HOW do I load this index template into Elasticsearch when enabling Logstash output? Do I have to put any new/change any existing lines in the auditbeat.yml file like...
any other dictionary field/value pair settings???
- OR -
Do nothing more and Elastic will still use the same fields.yml file/location that it would use if I only had just enabled output.elasticsearch (the default) instead?
Sorry this is so long, but just trying to be thorough.