GitLab tracking User-Authentications

We are using Filebeat to get the GitLab log files.
In these logs the user action is given.

Do you have any idea how we can handle it in a right way?

What we need is only the state of user logins (accepted or denied).

Thanks for a response

Hi @nkellner,

I understood that you want to process a GitLab log file with Filebeat. But could you elaborate a bit on what you are hoping to achieve?

Hi,
thanks for your reply. I'll try my very best.
We only need the "Login" and "Logout" (authentications) to GitLab. In the log file you can see a message with "POST" -> Example message:
{"method":"POST","path":"/users/auth/ldapmain/callback","format":"html","controller":"OmniauthCallbacksController","action":"failure","status":302,"location":"https://...../users/sign_in","time":"2020-05-11T12:24:32.893Z","params":[{"key":"utf8","value":"✓"},{"key":"authenticity_token","value":"[FILTERED]"},{"key":"username","value":""},{"key":"password","value":"

This tells me the login wasn't OK.

Can I filter the GitLab log in FileSearch for this information before I send the log to Elasticsearch?

For me the interest is to get the "success" and "failed" logins.

Sorry, I can explain it better for the moment, maybe I can help you for better understanding.

Ah, so you want to filter out all messages except for those with specific "action" values?

Did you already configure Filebeat to parse the JSON messages? If so, you could add a drop event processor at the end of the Filebeat processor list with a condition such as:

 - drop_event:
     when:
       not:
         or:
           - equals:
               action: "failure"
           - equals:
               action: "success"
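
A complete `filebeat.yml` built around the condition above, as an added example that is not part of the original thread. It assumes the GitLab Rails JSON log at the Omnibus default path and a placeholder Elasticsearch host; it also goes one step beyond the reply by narrowing the match to the `OmniauthCallbacksController` seen in the sample message and by dropping the `params` field before shipping.

```yaml
filebeat.inputs:
  - type: log
    paths:
      # Assumed path (Omnibus default for the Rails JSON log); adjust to your install.
      - /var/log/gitlab/gitlab-rails/production_json.log
    # Decode each line as JSON and lift its keys to the top level of the event,
    # so the conditions below can refer to "action" and "controller" directly.
    json.keys_under_root: true
    # Mark events whose line could not be decoded instead of failing silently.
    json.add_error_key: true

processors:
  # Drop every event that is NOT a login callback with one of the two
  # action values named in the reply above ("failure" / "success").
  - drop_event:
      when:
        not:
          and:
            - equals:
                controller: "OmniauthCallbacksController"
            - or:
                - equals:
                    action: "failure"
                - equals:
                    action: "success"
  # Only the login state is needed, so do not ship the submitted form
  # parameters (username, filtered password and token) to Elasticsearch.
  - drop_fields:
      fields: ["params"]
      ignore_missing: true

output.elasticsearch:
  # Placeholder host, not taken from the thread.
  hosts: ["https://elasticsearch.example.internal:9200"]
```

Running `filebeat test config -c filebeat.yml` checks the file for syntax errors before the service is restarted.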

Thank you for your reply.
It looks like what I'm searching for - my first test works fine.
Great Stuff