Hi, someone know how to load audit.log of linux in Logstash ?

I try use this but not work:
input {
file {
path => ["/var/log/audit/audit.log"]
type => "auditd"
start_position => beginning
filter {

elasticsearch {
action => "index"
user => "elastic"
password => "system"
hosts => [""]
document_type => "auditd-%{type}-%{+YYYY.MM.dd}"
index => "auditd"

I need something to transform = in : and load

Please show an example of what you want to parse. I don't have a /var/log/audit/audit.log on my Debian system.

What version of Logstash are you using?
What is the last modified date of that file?

type=SERVICE_STOP msg=audit(1478259961.432:18703): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@360 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

I am using version 5

A kv filter should get you far. You might actually need two kv filters since the msg value contains another string of key=value pairs.