Send Auditbeat output to 2 separate elasticsearch clusters

Hello, we currently have Auditbeats installed on multiple servers in our environment feeding an Elasticsearch cluster that does not have TLS enabled. My question is, is it possible to output Auditbeats to a separate cluster that does have TLS enabled? So, the Auditbeat on each server would be sending the output to two separate clusters, one configured with TLS and one not configured with TLS. Thanks!

Hey @stenbot, welcome to discuss :slight_smile:

It is not possible to configure multiple outputs in a single beat. One option that usually does the trick for other beats like filebeat is to start multiple instances, using the same configuration but with different outputs and data directories.

I am not sure if this will work with the auditd module of Auditbeat. Multiple processes auditing a system at the same time may interfere with each other. But you could give it a try.

If having two instances of Auditbeat doesn't work for you, there are a couple of options you could explore:

  • Output to a logstash instance that writes to both Elasticsearch clusters.
  • Output to a redis or kafka queue, and have consumers that write to each one of the clusters.

Both of these options have their pros and cons, but in both cases you would require additional infrastructure.
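The Logstash option described above, written out as an added example (this is not configuration from the thread or from Elastic's documentation): one pipeline takes events from Auditbeat on the Beats port and fans them out to two `elasticsearch` outputs, one over plain HTTP for the legacy cluster and one over TLS with certificate verification and credentials for the hardened cluster. Hostnames, ports, the CA path, the user name and the keystore variable are placeholders; option names are those of the Logstash 7.x `elasticsearch` output (newer releases rename `ssl` and `cacert` to `ssl_enabled` and `ssl_certificate_authorities`).

```conf
# Added example, not from the original thread. All hosts, paths and
# credential names below are placeholders to be replaced with your own.

input {
  # Auditbeat points output.logstash.hosts at this port.
  beats {
    port => 5044
  }
}

output {
  # Cluster 1: the existing cluster without TLS.
  elasticsearch {
    hosts => ["http://es-legacy.example.internal:9200"]
    # Same index naming Auditbeat would use when writing directly,
    # so the template loaded by `auditbeat setup` still matches.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }

  # Cluster 2: the cluster with TLS enabled.
  elasticsearch {
    hosts => ["https://es-secure.example.internal:9200"]
    ssl => true
    # CA that signed the cluster's certificate; verification stays on so a
    # spoofed endpoint cannot receive the audit data.
    cacert => "/etc/logstash/certs/es-secure-ca.crt"
    ssl_certificate_verification => true
    # Dedicated write-only role; the password comes from the Logstash
    # keystore or the environment, never from the config file itself.
    user => "logstash_writer"
    password => "${ES_SECURE_PASSWORD}"
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```

Two things to check before relying on this. First, Logstash does not load the Auditbeat index template, ILM policy or dashboards, so run `auditbeat setup` once against each cluster (overriding the output with `-E output.logstash.enabled=false -E output.elasticsearch.hosts=[...]`) or the TLS cluster will index audit events with dynamic mappings. Second, both outputs sit in the same pipeline: if one cluster becomes unreachable, that output retries indefinitely and back-pressure stalls delivery to the other cluster too. If that is unacceptable, split the fan-out into separate pipelines with their own persistent queues (Logstash's pipeline-to-pipeline "output isolator" pattern). The Beats input can also be given `ssl => true` with a certificate and key so the hop from the servers to Logstash is encrypted as well.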

@jsoriano Thanks for the reply. I will definitely give Logstash a try.
