Rsyslog app name

This is just the auth collector configuration; you can add multiple log files to one collector. If you need more help with setting up Filebeat, start a new thread… :smiley:

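# Filebeat collector configuration for Graylog Sidecar: ships the Linux
# authentication log to a Beats/Logstash-protocol input.
# The ${sidecar.*} and ${user.*} placeholders are presumably substituted by
# Graylog Sidecar before Filebeat reads this file -- confirm on your version.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

filebeat.inputs:
- type: filestream
  # Each filestream input needs its own unique id.
  id: id-linux-auth
  enabled: true
  # auth.log records logins, sudo use and SSH source addresses. Further log
  # files can be listed here to collect them through the same input.
  # (paths must sit at the same indent as its sibling keys, or the file
  # fails to parse.)
  paths:
    - /var/log/auth.log
  tags:
    - linux
  # NOTE(review): logging.metrics.enabled is a general Filebeat logging
  # setting; nested inside an input it may simply be ignored. If periodic
  # metrics still appear in the Filebeat log, move it to the top level.
  logging.metrics.enabled: false
  # Custom field attached to events from this input.
  fields:
    os_ver: ubuntu

output.logstash:
  # NOTE(review): no ssl.* options are set on this output, so authentication
  # events cross the network unencrypted and the receiver is not verified.
  # If the receiving input supports TLS, enable it there and trust its CA
  # here, e.g.:
  #   ssl.certificate_authorities: ['<path-to-ca.pem>']
  # ${user.LinuxIn} is a user-defined variable; presumably host:port of the
  # receiving input -- verify its value contains no credentials.
  hosts:
    - ${user.LinuxIn}

path:
  data: /var/cache/graylog-sidecar/filebeat/data
  logs: /var/log/graylog-sidecar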