GROK pattern help for Audit Log

I am struggling to find an appropriate GROK pattern to appropriately dissect my log that is being generated by the xpack Audit.

My logs currently look like:

{"type":"audit", "timestamp":"2023-09-07T14:34:58,359+0100", "":"MFOk8jclQlW3-fVz7xHghQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "":"kibana_system", "user.realm":"reserved", "user.roles":["kibana_system"], "origin.type":"transport", "origin.address":"", "":"5f7V2f5HQWeMIdi3B1qcZQ", "action":"cluster:monitor/nodes/info[n]", "":"NodeInfoRequest"}

I am quite surprised that there doesn't appear to be a pre-written filter for this, given that it is the log generated by elastic.

Can anyone provide any advice?


This log is a JSON document; you should use the json filter, not grok.

There is, but you need to use Filebeat or Elastic Agent; check this blog post.

If you still want to use Logstash, you will probably need an ingest pipeline on the Elasticsearch side to use the dot_expander processor.

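A Logstash pipeline that applies the advice above to the audit line shown in the question (an added example, not from this thread or from Elastic). The file path, hosts, index name and the ingest pipeline name `es-audit-expand-dots` are assumptions; the ingest pipeline itself must be created separately in Elasticsearch.

```logstash
input {
  file {
    # Assumed path; point it at the actual *_audit.json file.
    path => "/var/log/elasticsearch/my-cluster_audit.json"
    start_position => "beginning"
  }
}

filter {
  # Each line is one JSON document, so parse it instead of grokking it.
  # Lines that are not valid JSON are tagged _jsonparsefailure rather
  # than being silently dropped, so they can be spotted in the index.
  json {
    source => "message"
    skip_on_invalid_json => false
  }

  # The audit "timestamp" uses a comma before the milliseconds and a
  # numeric zone offset (2023-09-07T14:34:58,359+0100), which the
  # built-in ISO8601 pattern does not match, so spell the format out.
  date {
    match  => ["timestamp", "yyyy-MM-dd'T'HH:mm:ss,SSSZ"]
    target => "@timestamp"
  }

  # Drop the raw line once it has been parsed successfully.
  if "_jsonparsefailure" not in [tags] {
    mutate { remove_field => ["message"] }
  }
}

output {
  elasticsearch {
    hosts    => ["https://localhost:9200"]
    index    => "es-audit-%{+YYYY.MM.dd}"
    # Assumed ingest pipeline name. The json filter leaves keys such as
    # "event.action" as literal dotted field names; a dot_expander
    # processor in this pipeline turns them into nested objects.
    pipeline => "es-audit-expand-dots"
  }
}
```

The referenced ingest pipeline needs only one `dot_expander` processor with `"field": "*"` (supported on recent Elasticsearch versions) so that every top-level dotted key, including `user.roles` arrays, is expanded.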

Thanks for the reply!

I will look into it :slight_smile:
