Filebeat+auditd module not parsed through logstash

Hello!
I'm using Filebeat with the auditd module enabled to monitor the audit.log. I have tried configuring the output directly to Elasticsearch, and the message field was parsed correctly with all of the audit fields.
But when I configure the Logstash output and then send it back to Elasticsearch, the message is not parsed.

This is the output in the Logstash conf:

output {
    elasticsearch {
        hosts => ["http://localhost:9200"]
        user => "elastic"
        password => "${elastic}"
        index => "filebeat" 
    } 
}

And this is the output in the Filebeat conf:

output.logstash:
  ssl.enabled: true
  hosts: ["localhost:7514"]

What could it be? Am I missing something in Logstash?
Thanks
