Hello!
I'm using Filebeat with the audit module enabled to monitor the audit.log. I have tried configuring the output directly to Elasticsearch, and the message field was parsed with all of audit's fields correctly.
But when I configure the Logstash output and then back to Elastic, the message is not parsed.
This is the output in the Logstash conf:
    output {
      elasticsearch {
        hosts => ["http://localhost:9200"]
        user => "elastic"
        password => "${elastic}"
        index => "filebeat"
      }
    }
And this is the output in the Filebeat conf:
    output.logstash:
      ssl.enabled: true
      hosts: ["localhost:7514"]
What could it be? Am I missing something in Logstash?
Thanks