Pipeline grok failure elastic on audit log

rugenl · March 22, 2019, 10:18pm

Trying to setup security audit logging in a new 6.6.2 stack. Using filebeat elasticsearch module to ingest the _audit.log file.

Get this error:

Provided Grok expressions do not match field value: [{"@timestamp":"2019-03-22T18:09:33,172", "node.name":"elk-foo2", "node.id":"ygvcrGxMSa2xLqVa47w8xA", "event.type":"transport", "event.action":"access_granted", "user.name":"

I wonder if this is still my earlier timezone bug or something else?

github.com/elastic/beats

Use beat.timezone instead of event.timezone

elastic:6.7 ← ycombinator:bugfix-timezone-field-67

opened 05:26PM - 08 Mar 19 UTC

ycombinator

+9 -8

In 6.x the `add_locale` processor will [set the `beat.timezone` field](https://g…ithub.com/elastic/beats/blob/6.7/libbeat/processors/add_locale/add_locale.go#L89) (as opposed to `event.timezone`, which is [set starting 7.0](https://github.com/elastic/beats/blob/master/libbeat/processors/add_locale/add_locale.go#L89)). So any 6.x ingest pipelines looking for the timezone field should look for `beat.timezone`, not `event.timezone`. Fixes #11055.

system · April 19, 2019, 10:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat TimeZone Issue Beats filebeat	4	2019	August 28, 2019
Date processor timezone config problem Elasticsearch	2	1490	October 31, 2019
Can't use filebeat [beat][timezone] with logstash date filter plugin? Logstash	4	765	April 8, 2019
Filebeat pipeline setup for system module ignores var.convert_timezone: true? Beats filebeat	3	1725	June 13, 2019
Filebeat 7.3 Timezone Issues with System Module Beats filebeat	6	1007	September 18, 2019

Pipeline grok failure elastic on audit log

Related topics