Worked through the RedELK install over the last week, which is set to collect logs out of /root/cobaltstrike/logs. I made 1 edit to the teamserver Filebeat config to collect logs from /opt/cobaltstrike/logs, and it broke the install. I figured there was something happening in the Logstash processing, but couldn't find anything on it. Could only get it working again by moving the logs to /root/cobaltstrike.logs. Anyone have any idea why?
Discussion + logs + relevant config files here: