Packetbeat index template clone


I would like to run packetbeat in 2 machines, and I would like to create 2 users, where the user 1 can see only logs of the first machine and user 2 can see only the logs of 2nd machine.

To do so, I began by cloning the packetbeat-7.13.2 template, and named it packetbeat-7.13.2-test

Then I have configured my 1st packetbeat to use the default packetbeat template and the 2nd one to use the packetbeat-7.13.2-test template:

output.elasticsearch.index: "packetbeat-test-%{[agent.version]}-%{+yyyy.MM.dd}" "packetbeat-7.13.2-test"
setup.template.pattern: "packetbeat-7.13.2-test-*"
setup.ilm.enabled: false

and then run setup command :

packetbeat setup -e

This makes me get warning in the Discover Tab in some fields:

This field is defined as several types (string, integer, etc) across the indices that match this pattern. You may still be able to use this conflicting field, but it will be unaivailable for functions that require Kibana to know their type. Correcting this issue will require reindexing your data

This warning resulting the fail of multuple dashboards

So my questions are :

1- Is what I am doing the best way to disable user 2 to access logs of user 1 ? or there is another simple way.
2- What I am doing wrong to get those warninig and how can I resolve that without reindixing (as it's a test I can delete the index and recreate it)
3- If it's the best way to achieve what I want to do, How can I manage my indices as the ILM should be disabled ?

Thanks for your answer
Best regards

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.