When I fixed a different issue, I noticed a bunch of lines show up in the Elastic Agent's Filebeat logs saying it was just dropping them instead of sending them to Elasticsearch.
As far as I can tell, every line in the auditd log was dropped due to this message: "Failed to parse value [yes] as only [true] or [false] are allowed."
The message field had success=yes in it, so I'm guessing that is the field causing issues.
Is there a way to tell Filebeat not to drop these log messages? It's valid for auditd, so it should be valid for Filebeat...
This is on Oracle Linux 7.9 and Elastic Agent 8.2.3.
Thanks in advance!
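An added example (not from the original post and not Elastic's own code) illustrating the class of problem described above: auditd writes `success=yes`/`success=no`, while a field mapped as boolean accepts only true/false, so a record has to be coerced before indexing or it is rejected. The parser and the sample SYSCALL record below are constructed for this illustration; `YES_NO_FIELDS` is an assumed list, not a Filebeat or Elasticsearch setting.

```python
import shlex
from typing import Any, Dict

# Constructed sample auditd SYSCALL record (not taken from the original post).
SAMPLE_LINE = (
    'type=SYSCALL msg=audit(1657000000.123:4567): arch=c000003e syscall=59 '
    'success=yes exit=0 items=2 ppid=1234 pid=5678 auid=1000 uid=0 '
    'comm="sudo" exe="/usr/bin/sudo" key="privileged"'
)

# Assumed: auditd fields written as yes/no that a strict boolean mapping rejects.
YES_NO_FIELDS = {"success"}
YES_NO = {"yes": True, "no": False}


def parse_audit_record(line: str) -> Dict[str, Any]:
    """Split an auditd record into key=value pairs, unquoting quoted values."""
    fields: Dict[str, Any] = {}
    for token in shlex.split(line):
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        fields[key] = value
    return fields


def coerce_booleans(fields: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with yes/no (or true/false) fields turned into real booleans.

    Any other value raises ValueError, mirroring the mapping failure quoted in
    the post ("only [true] or [false] are allowed") instead of silently dropping.
    """
    out = dict(fields)
    for name in YES_NO_FIELDS:
        if name not in out:
            continue
        raw = str(out[name]).strip().lower()
        if raw in YES_NO:
            out[name] = YES_NO[raw]
        elif raw in ("true", "false"):
            out[name] = raw == "true"
        else:
            raise ValueError(f"Failed to parse value [{out[name]}] for field [{name}]")
    return out


if __name__ == "__main__":
    record = coerce_booleans(parse_audit_record(SAMPLE_LINE))
    print(record["success"], record["comm"], record["exe"])
```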