Use a grok filter to extract the timestamp, hostname, whatever percona-audit is, and finally the JSON payload into separate fields. The log format looks very similar to syslog so it should be easy to find something that's very close to what you need (and http://grokconstructor.appspot.com/ can also be helpful). Then use a json filter to parse the field with the JSON payload.