brunopsitech
(Bruno De Oliveira Bastos)
November 1, 2016, 1:10am
Hi, does someone know how to load the Linux audit.log into Logstash?
I tried using this but it doesn't work:
input {
  file {
    path => ["/var/log/audit/audit.log"]
    type => "auditd"
    # string values must be quoted; a bare "beginning" is a config syntax error
    start_position => "beginning"
  }
}
filter {
}
output {
  elasticsearch {
    action => "index"
    user => "elastic"
    password => "system"
    hosts => ["127.0.0.1"]
    document_type => "auditd-%{type}-%{+YYYY.MM.dd}"
    index => "auditd"
  }
}
I need something to transform = into : and load it.
Please show an example of what you want to parse. I don't have a /var/log/audit/audit.log on my Debian system.
guyboertje
(Guy Boertje)
November 2, 2016, 11:13am
What version of Logstash are you using?
What is the last modified date of that file?
brunopsitech
(Bruno De Oliveira Bastos)
November 4, 2016, 11:46am
type=SERVICE_STOP msg=audit(1478259961.432:18703): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=user@360 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
A kv filter should get you far. You might actually need two kv filters since the msg value contains another string of key=value pairs.
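Here is a complete pipeline built around the two-kv-filter idea for the exact line posted above. This is an added example, not configuration from anyone in the thread; the field names under [audit], the grok capture names (audit_type, audit_epoch, audit_serial, audit_body) and the failure tag are my own choices. One caveat the suggestion above does not mention: the record carries two msg= keys (msg=audit(...) and msg='...'), so a single kv over the whole line would merge them into one array field. The example therefore peels off the fixed header with grok first, then runs kv on the remainder and a second kv on the quoted inner string.

```logstash
# Added example, not from the thread. Field names under [audit] and the
# grok capture names are my own choice, not an auditd or Logstash convention.
input {
  file {
    path => ["/var/log/audit/audit.log"]
    type => "auditd"
    # Only honoured for files Logstash has never tracked (no sincedb entry);
    # that is why the question about the file's last-modified date matters.
    start_position => "beginning"
  }
}

filter {
  if [type] == "auditd" {
    # 1. Split off the fixed header. The record has TWO msg= keys
    #    (msg=audit(...) and msg='...'); grok the header out first so the
    #    kv filters below only ever see one msg key.
    grok {
      match => {
        "message" => "^type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_serial}\): %{GREEDYDATA:audit_body}"
      }
      tag_on_failure => ["_auditd_grok_failure"]
    }

    # 2. Outer key=value pairs: pid, uid, auid, ses and msg='...'.
    #    kv keeps single- and double-quoted values intact, so the whole
    #    msg='...' string becomes one value at [audit][msg].
    kv {
      source => "audit_body"
      target => "audit"
      field_split => " "
      value_split => "="
    }

    # 3. Inner key=value pairs inside msg='unit=... comm="systemd" ... res=success'.
    kv {
      source => "[audit][msg]"
      target => "[audit][detail]"
      field_split => " "
      value_split => "="
    }

    # 4. Use the kernel's own timestamp (seconds.millis since epoch) as @timestamp
    #    instead of the time Logstash happened to read the line.
    date {
      match => ["audit_epoch", "UNIX"]
    }

    mutate {
      remove_field => ["audit_body"]
    }
  }
}

output {
  # Swap in the elasticsearch output from the first post once the fields look right.
  stdout { codec => rubydebug }
}
```

For the sample line this yields audit_type "SERVICE_STOP", audit_serial "18703", [audit][pid] "1", [audit][auid] "4294967295", and under [audit][detail] the keys unit, comm, exe, hostname, addr, terminal and res, with comm "systemd" and res "success" (the "?" placeholders come through as the literal value "?"). Lines that do not match the header pattern get the _auditd_grok_failure tag rather than being silently half-parsed, which is worth alerting on, since an unparsed audit record is exactly the kind that a detection rule would miss.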