Hello,
New to the whole ELK scene. I had my environment stood up with multiple nodes, and when I installed Filebeat it installed the filebeat-* index pattern with a lot of fields that it used for various visualizations and dashboards.
I have my Logstash set up so that it's taking in syslogs from remote servers and reporting them into ES, and I can see them in Kibana. But now I am trying to create some meaningful visualizations and dashboards, and I noticed that the filebeat-* index pattern has so many more fields than my logstash-* index pattern. I am mainly just starting, so I wanted to concentrate on SSH login/failed login/sudo and create dashboards/visualizations like the ones that Filebeat provided.
I looked on the discussion forum and Google, but the only thing I found close to what I am looking for was https://www.elastic.co/blog/grokking-the-linux-authorization-logs; however, it does not tie things into Logstash/Kibana much or say how to get there...
Any help on my next steps?
I am on 6.4.
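As an added example (not from the post, Elastic, or the linked blog), this is what a first Logstash filter for the sshd login/failed-login and sudo lines asked about could look like. It assumes a tcp/udp input that leaves the whole raw syslog line in `message`, and the field names, tags and sample lines are my own constructed choices:

```conf
filter {
  # Constructed sample lines this filter is written for (typical Debian/RHEL auth log):
  #   Jun  3 10:15:42 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
  #   Jun  3 10:15:50 web01 sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
  #   Jun  3 10:16:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log
  grok {
    match => {
      "message" => [
        # sshd: result (Accepted/Failed), auth method, user, client address and port
        "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} sshd\[%{POSINT:syslog_pid}\]: (?<ssh_result>Accepted|Failed) %{NOTSPACE:ssh_method} for (?<ssh_invalid_user>invalid user )?%{USERNAME:ssh_user} from %{IPORHOST:ssh_source_ip} port %{POSINT:ssh_source_port}",
        # sudo: invoking user, tty, working directory, target user and the command run
        "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} sudo: +%{USERNAME:sudo_user} : TTY=%{DATA:sudo_tty} ; PWD=%{DATA:sudo_pwd} ; USER=%{USERNAME:sudo_target_user} ; COMMAND=%{GREEDYDATA:sudo_command}"
      ]
    }
    # Lines matching neither pattern keep this tag, so they are easy to find in Kibana and pattern later
    tag_on_failure => ["_auth_grok_fail"]
  }

  if [ssh_result] {
    # One field to split visualizations on: ssh_Accepted vs ssh_Failed
    mutate { add_field => { "auth_event" => "ssh_%{ssh_result}" } }
  }
  if [ssh_invalid_user] {
    # Attempts against accounts that do not exist; keep the tag, drop the helper capture
    mutate {
      add_tag => ["ssh_invalid_user"]
      remove_field => ["ssh_invalid_user"]
    }
  }
  if [sudo_command] {
    mutate { add_field => { "auth_event" => "sudo" } }
  }

  # Use the time from the log line instead of the time Logstash received it
  # (syslog pads single-digit days with two spaces, hence both formats)
  date {
    match => ["syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss"]
  }

  # Optional: GeoIP enrichment of the client address for a coordinate map visualization
  if [ssh_source_ip] {
    geoip { source => "ssh_source_ip" }
  }
}
```

After reloading the pipeline, refresh the logstash-* index pattern in Kibana so the new fields (auth_event, ssh_user, ssh_source_ip, sudo_command, ...) appear for visualizations.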