GROK pattern help for Audit Log

ataylor · September 25, 2023, 12:59pm

I am struggling to find an appropriate GROK pattern to appropriately dissect my log that is being generated by the xpack Audit.

My Logs currently look like

{"type":"audit", "timestamp":"2023-09-07T14:34:58,359+0100", "node.id":"MFOk8jclQlW3-fVz7xHghQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"kibana_system", "user.realm":"reserved", "user.roles":["kibana_system"], "origin.type":"transport", "origin.address":"xx.xx.xx.xxx:xxxxx", "request.id":"5f7V2f5HQWeMIdi3B1qcZQ", "action":"cluster:monitor/nodes/info[n]", "request.name":"NodeInfoRequest"}

I am quite surprised that there doesn't appear to be a pre-written filter for this, given that it is the log generated by elastic.

Can anyone provide any advice

leandrojmp · September 25, 2023, 1:41pm

Hello,

This log is a json document, you should use the json filter, not grok.

There is, but you need to use filebeat or elastic agent, check this blog post.

If you still want to use Logstash you will probably need an ingests pipeline on Elasticsearch side to use the dot_expander processor.

ataylor · September 25, 2023, 2:48pm

Thanks for the reply!

I will look into it

system · October 23, 2023, 2:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How do I create a grok match pattern for a log? Logstash	1	450	September 9, 2017
Help me writing grook filter pattern for my log to injest into elasticsearch Logstash	5	591	April 4, 2021
Logstash filter with grok Elasticsearch	2	305	April 29, 2021
Shield Audit Logstash Pattern? Logstash	1	466	July 6, 2017
"_grokparsefailure" even though the grok pattern matches Logstash	9	4361	September 11, 2017

GROK pattern help for Audit Log

Related topics