GROK pattern help for Audit Log

ataylor · September 25, 2023, 12:59pm

I am struggling to find an appropriate GROK pattern to appropriately dissect my log that is being generated by the xpack Audit.

My Logs currently look like

{"type":"audit", "timestamp":"2023-09-07T14:34:58,359+0100", "node.id":"MFOk8jclQlW3-fVz7xHghQ", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"kibana_system", "user.realm":"reserved", "user.roles":["kibana_system"], "origin.type":"transport", "origin.address":"xx.xx.xx.xxx:xxxxx", "request.id":"5f7V2f5HQWeMIdi3B1qcZQ", "action":"cluster:monitor/nodes/info[n]", "request.name":"NodeInfoRequest"}

I am quite surprised that there doesn't appear to be a pre-written filter for this, given that it is the log generated by elastic.

Can anyone provide any advice

leandrojmp · September 25, 2023, 1:41pm

Hello,

This log is a json document, you should use the json filter, not grok.

There is, but you need to use filebeat or elastic agent, check this blog post.

If you still want to use Logstash you will probably need an ingests pipeline on Elasticsearch side to use the dot_expander processor.

ataylor · September 25, 2023, 2:48pm

Thanks for the reply!

I will look into it

system · October 23, 2023, 2:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How do I create a grok match pattern for a log? Logstash	1	450	September 9, 2017
Ingest Github Audit logs with Logstash Elasticsearch	2	416	October 16, 2023
Customised Grok pattern Logstash	14	693	March 12, 2018
Grok filter extracting fields from message Logstash	9	2429	July 21, 2020
How to filter my logs Logstash	9	517	June 29, 2018

GROK pattern help for Audit Log

Related Topics