diff --git a/roles/filebeat/defaults/main.yaml b/roles/filebeat/defaults/main.yaml
index 822aed8..986bc34 100644
--- a/roles/filebeat/defaults/main.yaml
+++ b/roles/filebeat/defaults/main.yaml
@@ -1,4 +1,4 @@
 ---
 filebeat_image_name: "docker.elastic.co/beats/filebeat"
-filebeat_image_version: "7.12.0"
+filebeat_image_version: "7.16.3"
 
diff --git a/roles/logstash/defaults/main.yaml b/roles/logstash/defaults/main.yaml
index 105a4b9..9b1a218 100644
--- a/roles/logstash/defaults/main.yaml
+++ b/roles/logstash/defaults/main.yaml
@@ -1,4 +1,4 @@
 ---
 logstash_image_name: "docker.elastic.co/logstash/logstash"
-logstash_image_version: "7.16.1"
+logstash_image_version: "7.16.3"
 
diff --git a/templates/filebeat/config/filebeat.yml.j2 b/templates/filebeat/config/filebeat.yml.j2
index 50e8bf9..338cc5a 100644
--- a/templates/filebeat/config/filebeat.yml.j2
+++ b/templates/filebeat/config/filebeat.yml.j2
@@ -1,3 +1,12 @@
+# https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html
+
+filebeat.modules:
+- module: system
+  syslog:
+    enabled: true
+  auth:
+    enabled: true
+
 filebeat.inputs:
 - type: container
   paths:
@@ -19,6 +28,10 @@ filebeat.autodiscover:
         multiline.negate: true
         multiline.match: after
 
+fields:
+  stage: {{ stage }}
+  hostname: {{ inventory_hostname }}
+
 output.logstash:
   hosts: ["{{ shared_service_elastic_stack_logstash_01_hostname }}:5044"]
   ssl:
diff --git a/templates/logstash/config/logstash/pipeline/filebeat.conf.j2 b/templates/logstash/config/logstash/pipeline/filebeat.conf.j2
index 1bc19e2..22aa788 100644
--- a/templates/logstash/config/logstash/pipeline/filebeat.conf.j2
+++ b/templates/logstash/config/logstash/pipeline/filebeat.conf.j2
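Review bot: Enabling the system module's `syslog` and `auth` filesets under `filebeat.modules:` yields parsed fields (user, source address, outcome) only when the module's ingest pipeline runs in Elasticsearch, and the Logstash elasticsearch outputs touched by this same commit carry no `pipeline => "%{[@metadata][pipeline]}"` option, so the new authlog indices would presumably hold raw `message` strings only — confirm by inspecting one indexed `system.auth` document. If so, load the pipelines once with `filebeat setup --pipelines --modules system` and add the `pipeline` option to those outputs, or parse the lines in the Logstash filter instead. The filesets also read the host's auth and syslog files from inside the Filebeat container, which depends on a host log mount that is outside this diff; a comment above `filebeat.modules:` naming the expected host paths would save the next reader that check.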
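Review bot: The values under the new `fields:` key are unquoted Jinja substitutions, so after rendering they are subject to YAML implicit typing: a stage named `no` or `off` becomes a boolean, an all-digit host label becomes an integer, and an undefined variable leaves an empty value that loads as null, which then feeds the `[fields][hostname]` index routing in Logstash. Quote both, `stage: "{{ stage }}"` and `hostname: "{{ inventory_hostname }}"`. Because the hostname ends up as an Elasticsearch index-name prefix, which must be lowercase, consider rendering it as `"{{ inventory_hostname | lower }}"` and adding a comment above `fields:` saying why.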
@@ -31,14 +31,14 @@ filter {
 }
 
 output {
-  if "audit" in [tags] {
+  if [fields][hostname] and [event][dataset] == "system.auth" {
     elasticsearch {
       hosts => ["https://{{ shared_service_elastic_stack_01_hostname }}:{{ service_port_elasticsearch }}"]
       cacert => "/usr/share/logstash/config/certificates/ca/ca.crt"
       user => "{{ elastic_admin_username }}"
       password => "{{ elastic_admin_password }}"
 
-      index => "auditlog-%{+YYYY.MM}"
+      index => "%{[fields][hostname]}-authlog-%{+YYYY.MM}"
 
       manage_template => false
     }
@@ -50,10 +50,22 @@ output {
       user => "{{ elastic_admin_username }}"
       password => "{{ elastic_admin_password }}"
 
-      index => "authlog-%{+YYYY.MM}"
+      index => "uncategorized-authlog-%{+YYYY.MM}"
 
       manage_template => false
-    }
+    }
+  }
+  else if [fields][hostname] and [event][dataset] == "system.syslog" {
+    elasticsearch {
+      hosts => ["https://{{ shared_service_elastic_stack_01_hostname }}:{{ service_port_elasticsearch }}"]
+      cacert => "/usr/share/logstash/config/certificates/ca/ca.crt"
+      user => "{{ elastic_admin_username }}"
+      password => "{{ elastic_admin_password }}"
+
+      index => "%{[fields][hostname]}-syslog-%{+YYYY.MM}"
+
+      manage_template => false
+    }
   }
   else if [event][dataset] == "system.syslog" {
     elasticsearch {
@@ -62,10 +74,10 @@ output {
       user => "{{ elastic_admin_username }}"
       password => "{{ elastic_admin_password }}"
 
-      index => "syslog-%{+YYYY.MM}"
+      index => "uncategorized-syslog-%{+YYYY.MM}"
 
       manage_template => false
-    }
+    }
   }
   else if [container][name] and [@metadata][beat] {
     elasticsearch {
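Review bot: The new `index => "%{[fields][hostname]}-authlog-%{+YYYY.MM}"` interpolates the Filebeat-supplied hostname verbatim, but Elasticsearch index names must be lowercase and may not contain `\ / * ? " < > | , #`, spaces or colons, so a host whose inventory name has an uppercase letter gets every auth event rejected with an invalid index name rather than stored, and the same holds for the syslog index added in the next hunk. Normalise the field before it reaches the output, e.g. `mutate { lowercase => [ "[fields][hostname]" ] }` in the filter block (which starts above this hunk), or better derive a sanitised `[@metadata][index_prefix]` there and reference that in both index names. Replacing the `"audit" in [tags]` condition also means any event that still carries that tag now falls through to whichever later branch matches and the `auditlog-*` series stops receiving data; that is fine only if nothing sets the tag any more, which this diff does not show.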
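Review bot: The added `else if [fields][hostname] and [event][dataset] == "system.syslog"` branch is a fourth copy of the same elasticsearch output differing only in `index`, and like the others it writes with `elastic_admin_username`/`elastic_admin_password`, i.e. a superuser credential for an append-only path. Computing the prefix and log kind once in the filter block and keeping a single elasticsearch output, as sketched below, removes the duplication, puts the routing in one place and makes the hostname normalisation a single line; a dedicated writer role limited to `*-authlog-*` and `*-syslog-*` for that output is the least-privilege counterpart. The filter block this relies on starts above these hunks, and the container branch at the end of the file is left as it is.
```logstash
# in filter { … } (block starts above this hunk): decide routing once
if [event][dataset] == "system.auth" {
  mutate { add_field => { "[@metadata][log_kind]" => "authlog" } }
} else if [event][dataset] == "system.syslog" {
  mutate { add_field => { "[@metadata][log_kind]" => "syslog" } }
}
if [fields][hostname] {
  mutate { lowercase => [ "[fields][hostname]" ] }
  mutate { add_field => { "[@metadata][index_prefix]" => "%{[fields][hostname]}" } }
} else {
  mutate { add_field => { "[@metadata][index_prefix]" => "uncategorized" } }
}

# in output { … }: one elasticsearch block replaces the four per-branch copies
if [@metadata][log_kind] {
  elasticsearch {
    hosts => ["https://{{ shared_service_elastic_stack_01_hostname }}:{{ service_port_elasticsearch }}"]
    cacert => "/usr/share/logstash/config/certificates/ca/ca.crt"
    user => "{{ elastic_admin_username }}"
    password => "{{ elastic_admin_password }}"
    index => "%{[@metadata][index_prefix]}-%{[@metadata][log_kind]}-%{+YYYY.MM}"
    manage_template => false
  }
}
# … unchanged: container branch and any later outputs …
```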