Hi @Albert_Zaharovits, we've upgraded to 6.5.3, enabled the logfile output and are ingesting it with filebeat.
This is what filebeat produces, so we'll need to use an ingestion pipeline with a json processor to extract the message and add it to the root of the document.
```json
{
  "_index": "auditlog-2018.12.18",
  "_type": "doc",
  "_id": "IxIRwmcB_DAbTiSg2aMw",
  "_version": 1,
  "_score": null,
  "_source": {
    "@timestamp": "2018-12-18T16:06:47.880Z",
    "host": {
      "name": "Elastic01"
    },
    "source": "D:\\logs\\elasticsearch\\MachX-Test_audit.log",
    "offset": 104236160,
    "message": "{\"@timestamp\":\"2018-12-18T17:06:46,574\", \"node.name\":\"elastic01.schultzdev.local\", \"node.id\":\"VlN-m2IVR2-GsIkcGtY_pQ\", \"event.type\":\"transport\", \"event.action\":\"access_granted\", \"user.name\":\"mam@schultz.dk\", \"user.realm\":\"schultzms\", \"user.roles\":[\"superuser\"], \"origin.type\":\"rest\", \"origin.address\":\"10.32.219.52:55485\", \"action\":\"cluster:admin/xpack/security/user/authenticate\", \"request.name\":\"AuthenticateRequest\"}",
    "input": {
      "type": "log"
    },
    "prospector": {
      "type": "log"
    },
    "beat": {
      "hostname": "Elastic01",
      "version": "6.4.0",
      "name": "Elastic01"
    }
  },
  "fields": {
    "@timestamp": [
      "2018-12-18T16:06:47.880Z"
    ]
  },
  "sort": [
    1545149207880
  ]
}
```
While doing early work with the ingestion pipeline:
```
PUT _ingest/pipeline/audit-log-ingestion-pipeline
{
  "description": "Audit Log Ingestion Pipeline Q4 2018",
  "processors": [
    {
      "json": {
        "field": "message",
        "target_field": "msg"
      }
    }
  ],
  "on_failure": [
    {
      "set": {
        "field": "_index",
        "value": "audit-log-ingestion-pipeline-errors"
      }
    },
    {
      "set": {
        "field": "error",
        "value": "{{ _ingest.on_failure_message }}"
      }
    }
  ]
}
```
I've attempted to use the simulate API:
```
POST _ingest/pipeline/audit-log-ingestion-pipeline/_simulate
{
  "docs": [
    {
      "_index": "auditlog-2018.12.18",
      "_type": "doc",
      "_id": "IxIRwmcB_DAbTiSg2aMw",
      "_version": 1,
      "_score": null,
      "_source": {
        "@timestamp": "2018-12-18T16:06:47.880Z",
        "host": {
          "name": "Elastic01"
        },
        "source": "D:\\logs\\elasticsearch\\MachX-Test_audit.log",
        "offset": 104236160,
        "message": "{\"@timestamp\":\"2018-12-18T17:06:46,574\", \"node.name\":\"elastic01.schultzdev.local\", \"node.id\":\"VlN-m2IVR2-GsIkcGtY_pQ\", \"event.type\":\"transport\", \"event.action\":\"access_granted\", \"user.name\":\"mam@schultz.dk\", \"user.realm\":\"schultzms\", \"user.roles\":[\"superuser\"], \"origin.type\":\"rest\", \"origin.address\":\"10.32.219.52:55485\", \"action\":\"cluster:admin/xpack/security/user/authenticate\", \"request.name\":\"AuthenticateRequest\"}",
        "input": {
          "type": "log"
        },
        "prospector": {
          "type": "log"
        },
        "beat": {
          "hostname": "Elastic01",
          "version": "6.4.0",
          "name": "Elastic01"
        }
      },
      "fields": {
        "@timestamp": [
          "2018-12-18T16:06:47.880Z"
        ]
      },
      "sort": [
        1545149207880
      ]
    }
  ]
}
```
And got an interesting error message in return:
```json
{
  "error": {
    "root_cause": [
      {
        "type": "class_cast_exception",
        "reason": "java.lang.Integer cannot be cast to java.lang.Long"
      }
    ],
    "type": "class_cast_exception",
    "reason": "java.lang.Integer cannot be cast to java.lang.Long"
  },
  "status": 500
}
```
Tried it with message equal to the equivalent of:
```json
{ "x": "y" }
```
And got the same error.
Can you advise what is wrong here?
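Added example, not part of the original post or of Elasticsearch's own code: a local stand-in for the pipeline above, so the json processor's output (including the `on_failure` rerouting to the error index) can be checked on the filebeat event before touching the cluster. `json_processor` and `run_pipeline` are my own names; the `add_to_root` flag mirrors the real json processor option for the "add it to the root" goal, and the sample event is constructed from the post.

```python
import json
from copy import deepcopy

# Constructed sample: the filebeat event from the post, trimmed to the fields the pipeline touches.
FILEBEAT_EVENT = {
    "@timestamp": "2018-12-18T16:06:47.880Z",
    "host": {"name": "Elastic01"},
    "source": "D:\\logs\\elasticsearch\\MachX-Test_audit.log",
    "message": (
        '{"@timestamp":"2018-12-18T17:06:46,574", "node.name":"elastic01.schultzdev.local", '
        '"event.type":"transport", "event.action":"access_granted", '
        '"user.name":"mam@schultz.dk", "user.realm":"schultzms", "user.roles":["superuser"], '
        '"origin.type":"rest", "origin.address":"10.32.219.52:55485", '
        '"action":"cluster:admin/xpack/security/user/authenticate"}'
    ),
}

ERROR_INDEX = "audit-log-ingestion-pipeline-errors"  # same name as the pipeline's on_failure set


def json_processor(doc, field, target_field=None, add_to_root=False):
    """Local stand-in for the ingest 'json' processor: parse doc[field] as JSON and
    either store the object under target_field or merge its keys into the root."""
    parsed = json.loads(doc[field])  # non-JSON raises ValueError, i.e. the processor fails
    if add_to_root:
        if not isinstance(parsed, dict):
            raise ValueError("add_to_root requires a JSON object")
        doc.update(parsed)  # note: root keys such as @timestamp are overwritten on collision
    else:
        doc[target_field or field] = parsed
    return doc


def run_pipeline(event, index="auditlog-2018.12.18", add_to_root=False):
    """Emulate the posted pipeline: one json processor, and on failure reroute the
    document to the error index and record the failure message, as the set processors do."""
    doc = deepcopy(event)
    doc["_index"] = index
    try:
        json_processor(doc, "message", target_field="msg", add_to_root=add_to_root)
    except ValueError as exc:
        doc["_index"] = ERROR_INDEX
        doc["error"] = str(exc)
    return doc
```

With `add_to_root`, the audit record's own `@timestamp` (comma millisecond separator, not ISO 8601) replaces filebeat's, so a date or rename step is needed before the merged field reaches a date-mapped index.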