Filebeat+auditd module not parsed through logstash

pereyrdi · September 18, 2020, 3:42pm

Hello!
Im using filebeat with audit module enable to monitoring the audit.log, I have try configure as output directy to elasticsearch and the message field was parsed with all audit's fields correctly.
But when I configure the logstash output and then back to elastic, the message is not parsed.

this is the output in logstash conf:

output {
    elasticsearch {
        hosts => ["http://localhost:9200"]
        user => "elastic"
        password => "${elastic}"
        index => "filebeat" 
    } 
}

and this is the output in filebeat conf:

output.logstash:
  ssl.enabled: true
  hosts: ["localhost:7514"]

what could it be ? I missing something in logstash ?
Thanks

system · October 16, 2020, 5:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat module - auditd Beats filebeat	3	1015	July 19, 2018
Problems with Filebeat's auditd module Beats filebeat	2	553	June 19, 2020
Filebeat's module using Logstash Beats filebeat	6	3703	November 30, 2017
Can't recieve filebeat logs via Logstash Logstash	16	2948	May 31, 2019
Filebeat doesn't send logs to logstash in client server architecture Beats filebeat	11	7220	July 5, 2017

Filebeat+auditd module not parsed through logstash

Related Topics