Filebeat+auditd module not parsed through logstash

pereyrdi · September 18, 2020, 3:42pm

Hello!
Im using filebeat with audit module enable to monitoring the audit.log, I have try configure as output directy to elasticsearch and the message field was parsed with all audit's fields correctly.
But when I configure the logstash output and then back to elastic, the message is not parsed.

this is the output in logstash conf:

output {
    elasticsearch {
        hosts => ["http://localhost:9200"]
        user => "elastic"
        password => "${elastic}"
        index => "filebeat" 
    } 
}

and this is the output in filebeat conf:

output.logstash:
  ssl.enabled: true
  hosts: ["localhost:7514"]

what could it be ? I missing something in logstash ?
Thanks

system · October 16, 2020, 5:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat module - auditd Beats filebeat	3	1018	July 19, 2018
Problems with Filebeat's auditd module Beats filebeat	2	557	June 19, 2020
Filebeat's module using Logstash Beats filebeat	6	3703	November 30, 2017
Can't recieve filebeat logs via Logstash Logstash	16	2950	May 31, 2019
Logstash config for using filebeat auditd module Logstash	2	1975	June 26, 2017

Filebeat+auditd module not parsed through logstash

Related topics