Pipeline grok failure elastic on audit log

Trying to set up security audit logging in a new 6.6.2 stack. Using the Filebeat Elasticsearch module to ingest the _audit.log file.

Get this error:

Provided Grok expressions do not match field value: [{"@timestamp":"2019-03-22T18:09:33,172", "node.name":"elk-foo2", "node.id":"ygvcrGxMSa2xLqVa47w8xA", "event.type":"transport", "event.action":"access_granted", "user.name":"

I wonder if this is still my earlier timezone bug or something else?
