Hi , I'm trying to set grok for auditbeat pipeline but getting grokparsefailure
maybe someone has a sample audit grok configuration ?
thanks in advance.
You are trying to ingest the log output from Auditbeat? I suggest configuring the Beat to output JSON logs. That should make it easier to parse.
https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-logging.html#_logging_json
logging.json: true