Hi Warkolm,
I have enabled the audit module in Filebeat and am able to see the harvester for the audit.log when I restart Filebeat.
Now the logs are not shipped into Logstash and end with the below error. Please help.
{"source":"/var/log/audit/audit.log","prospector":{"type":"log"},"beat":{"version":"6.2.2","name":"test.example.com","hostname":"test.example.com"},"message":"type=EXECVE msg=audit(1550767742.671:15104841): argc=3 a0="sed" a1="-e" a2="s|:|\\:|"","offset":7677297,"host":"test.example.com","@timestamp":"2019-02-21T16:49:09.398Z","@version":"1","fileset":{"module":"auditd","name":"log"},"tags":["beats_input_codec_plain_applied","_grokparsefailure"]
Once this issue is completed, I will check with index fields.
Regards
Nandha