Hi All,
I need help extracting the timestamp from "type=SYSCALL msg=audit(1701877882.123:5786893): " in the event below using a grok filter.
{
"_index": "auditbeat-2023.12.06",
"_type": "_doc",
"_id": "0lnTP4wBwVgAs3eEtizy",
"_version": 1,
"_score": null,
"_source": {
"source.port": "0000",
"event": {
"action": "accepted-connection-from",
"original": [
"type=SYSCALL msg=audit(1701877882.123:5786893): arch=c000003e syscall=43 success=yes exit=3 a0=c a1=0 a2=0 a3=0 items=0 ppid=1 pid=2836 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=\"wazuh-modulesd\" exe=\"/var/ossec/bin/wazuh-modulesd\" key=\"external-access\""
],
"outcome": "success",
"category": "audit-rule"
},
"service": {
"type": "auditd"
},
"destination.ip": "127.0.0.4",
"@timestamp": "2023-12-06T15:51:22.123Z",
"tag_3": "beats_input_raw_event",
"auditd": {
"message_type": "syscall",
"sequence": 5786893,
"summary": {
"actor": {
"secondary": "root",
"primary": "unset"
},
"object": {
"type": "socket"
},
"how": "/var/ossec/bin/wazuh-modulesd"
},
"data": {
"tty": "(none)",
"arch": "x86_64",
"a3": "0",
"a0": "c",
"a1": "0",
"items": "0",
"exit": "3",
"a2": "0",
"syscall": "accept"
},
"result": "success"
},
"tags": [
"_grokparsefailure"
],
"host": {
"name": "userB",
"architecture": "x86_64",
"containerized": false,
"os": {
"version": "14.04.6 LTS, Trusty Tahr",
"codename": "trusty",
"platform": "ubuntu",
"name": "Ubuntu",
"family": "debian",
"kernel": "3.13.0-24-generic"
},
"id": "26b1ceca54c197067320f0bf634024c6",
"hostname": "userB"
},
"user": {
"name": "root",
"group": {
"id": "0",
"name": "root"
},
"effective": {
"name": "root",
"group": {
"id": "0",
"name": "root"
},
"id": "0"
},
"filesystem": {
"name": "root",
"group": {
"id": "0",
"name": "root"
},
"id": "0"
},
"saved": {
"name": "root",
"group": {
"id": "0",
"name": "root"
},
"id": "0"
},
"id": "0"
},
"signature_id": "777777",
"@version": "1",
"signature": "auditbeat",
"destination.port": "0000",
"agent": {
"version": "7.4.1",
"ephemeral_id": "e1e84631-bf14-4834-8205-30f01c94246c",
"id": "1b2ffabb-287b-4a21-8e9e-7886e49673b0",
"type": "auditbeat",
"hostname": "userB"
},
"tag_1": "external-access",
"peter.field": "auditd",
"application": "auditbeat",
"process": {
"ppid": 1,
"name": "wazuh-modulesd",
"pid": 2836,
"executable": "/var/ossec/bin/wazuh-modulesd"
},
"ecs": {
"version": "1.1.0"
},
"source.ip": "127.0.0.2",
"tag_2": "beats123",
"network.transport": "udp"
},
"fields": {
"@timestamp": [
"2023-12-06T15:51:22.123Z"
]
},
"sort": [
1701877882123
]
}