GROK pattern help for Audit Log

ataylor · September 25, 2023, 12:59pm

I am struggling to find an appropriate GROK pattern to appropriately dissect my log that is being generated by the xpack Audit.

My Logs currently look like

{"type":"audit", "timestamp":"2023-09-07T14:34:58,359+0100", "node.id":"MFOk8jclQlW3-fVz7xHghQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"kibana_system", "user.realm":"reserved", "user.roles":["kibana_system"], "origin.type":"transport", "origin.address":"xx.xx.xx.xxx:xxxxx", "request.id":"5f7V2f5HQWeMIdi3B1qcZQ", "action":"cluster:monitor/nodes/info[n]", "request.name":"NodeInfoRequest"}

I am quite surprised that there doesn't appear to be a pre-written filter for this, given that it is the log generated by elastic.

Can anyone provide any advice

leandrojmp · September 25, 2023, 1:41pm

Hello,

This log is a json document, you should use the json filter, not grok.

There is, but you need to use filebeat or elastic agent, check this blog post.

If you still want to use Logstash you will probably need an ingests pipeline on Elasticsearch side to use the dot_expander processor.

ataylor · September 25, 2023, 2:48pm

Thanks for the reply!

I will look into it

system · October 23, 2023, 2:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.