Auth.log grok parsing errors

All my auth.log entries show up as grok errors:

Provided Grok expressions do not match field value: [{"@timestamp":"2022-10-13T13:59:21.176Z","@metadata":{"beat":"filebeat","type":"_doc","version":"8.4.3","pipeline":"filebeat-8.4.3-system-auth-pipeline"},"message":"Oct 13 13:59:16 kafka su: pam_unix(su:session): session closed for user docker_user","event":{"dataset":"system.auth","module":"system","timezone":"+00:00"},"service":{"type":"system"},"host":{"name":"kafka"},"agent":{"name":"kafka","type":"filebeat","version":"8.4.3","ephemeral_id":"60260a29-b38d-4247-962d-a1c77c064562","id":"73d67524-1926-46db-9a52-055a4818ad4f"},"log":{"offset":47170,"file":{"path":"/var/log/auth.log"}},"input":{"type":"log"},"fileset":{"name":"auth"},"ecs":{"version":"8.0.0"}}]

The complete stack is 8.4.3; how could I best troubleshoot this issue?
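One way to narrow down a "Grok expressions do not match" error is to re-run the offending line against a header pattern that requires a `[pid]` and against one that makes it optional; the quoted `su:` entry has no PID after the process name. The script below is an added example, not part of the original post or of the Filebeat system module: the field names are my own rather than ECS, the patterns are simplified stand-ins for the module's grok, and the sshd line is constructed for contrast.

```python
import re

# Syslog header as seen in the post: "Oct 13 13:59:16 kafka su: ..."
SYSLOG_HEADER = (
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<process>[\w.-]+)"
)

# Strict variant: "[pid]" is mandatory, as in a pattern written only for sshd.
STRICT_RE = re.compile(SYSLOG_HEADER + r"\[(?P<pid>\d+)\]: (?P<body>.*)$")
# Lenient variant: "[pid]" is optional, which the su line needs.
LENIENT_RE = re.compile(SYSLOG_HEADER + r"(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$")

# pam_unix body, e.g. "pam_unix(su:session): session closed for user docker_user"
PAM_RE = re.compile(
    r"^pam_unix\((?P<service>[^:]+):(?P<module>\w+)\): "
    r"session (?P<action>opened|closed) for user (?P<user>\S+)"
    r"(?: by (?P<by>\S+)?\(uid=(?P<uid>\d+)\))?"
)

def parse_auth_line(line, strict=False):
    """Return extracted fields, or None when the header pattern rejects the
    line (the equivalent of a grok 'does not match field value' failure)."""
    m = (STRICT_RE if strict else LENIENT_RE).match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    pam = PAM_RE.match(fields["body"])
    if pam:
        fields.update({k: v for k, v in pam.groupdict().items() if v is not None})
    return fields

# SAMPLES[0] is the message quoted in the post; SAMPLES[1] is constructed.
SAMPLES = [
    "Oct 13 13:59:16 kafka su: pam_unix(su:session): session closed for user docker_user",
    "Oct 13 14:02:01 kafka sshd[2045]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
]

def failures(lines, strict):
    """Count lines the chosen header pattern rejects."""
    return sum(1 for line in lines if parse_auth_line(line, strict=strict) is None)

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "lenient", "->", failures(SAMPLES, strict), "unparsed")
    print(parse_auth_line(SAMPLES[0]))
```

Once the rejecting sub-pattern is identified this way, the same line can be fed to the ingest pipeline through the Elasticsearch `_ingest/pipeline/_simulate` API to confirm the fix against the real module patterns.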
