Shield Audit Logstash Pattern?


(Bobby Hubbard) #1

Before I go create my own, is there a published logstash grep pattern for Shield audit logs? The audit message is published like so for us at the INFO level:

[2015-11-05 09:33:58,959][INFO ][shield.audit.logfile ] [esprod-masterclient00] [transport] [access_granted]\torigin_type=[rest], origin_address=[/10.50.4.6:40433], principal=[search_admin], action=[indices:data/write/index], indices=[category]

Each log level obviously adds and removes fields from the message, so it's a little work to get them all accounted for. Hoping someone has already done it and is willing to share? :smile:
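As an added example (not part of the original post, and not an official Shield or Logstash pattern), here is the same parsing logic written out in Python rather than as a grok pattern: a fixed regex for the bracketed header, then a generic `key=[value]` scan for the tail. Because the tail is scanned generically, an event type that adds or removes fields (the concern raised above) needs no per-event pattern; only the derived fields (`origin_ip`, `origin_port`, the `indices` list) are special-cased. The first sample line mirrors the one in the post; the other two lines, and the field names they carry, are constructed for illustration and are an assumption about how other Shield event types look.

```python
import re
from datetime import datetime

# Constructed sample lines. The first mirrors the line quoted in the post; the
# other two are made up (an assumption about other Shield event types) to show
# that different events carry different key=[value] fields.
SAMPLE_LINES = [
    "[2015-11-05 09:33:58,959][INFO ][shield.audit.logfile ] [esprod-masterclient00] "
    "[transport] [access_granted]\torigin_type=[rest], origin_address=[/10.50.4.6:40433], "
    "principal=[search_admin], action=[indices:data/write/index], indices=[category]",
    "[2015-11-05 09:34:02,100][INFO ][shield.audit.logfile ] [esprod-masterclient00] "
    "[rest] [authentication_failed]\torigin_address=[/10.50.4.7:51000], principal=[bob], "
    "uri=[/_cluster/health]",
    "[2015-11-05 09:34:05,001][INFO ][shield.audit.logfile ] [esprod-masterclient00] "
    "[transport] [access_denied]\torigin_type=[transport], origin_address=[/10.50.4.8:9300], "
    "principal=[search_admin], action=[cluster:admin/settings/update], "
    "indices=[logs-2015.11.05,logs-2015.11.04]",
]

# Fixed header: [timestamp][LEVEL ][logger ] [node] [layer] [event]<tab>fields
# The separator before the fields accepts a real tab, whitespace, or a literal
# backslash-t as it appeared in the post.
HEADER_RE = re.compile(
    r"^\[(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]"
    r"\[(?P<level>[A-Z]+)\s*\]"
    r"\[(?P<logger>[^\]]+?)\s*\]"
    r" \[(?P<node>[^\]]+)\]"
    r" \[(?P<layer>[^\]]+)\]"
    r" \[(?P<event>[^\]]+)\]"
    r"(?:\s|\\t)+(?P<fields>.*)$"
)

# Variable tail: key=[value], key=[value], ... (value may be empty)
KV_RE = re.compile(r"(?P<key>[A-Za-z_]+)=\[(?P<value>[^\]]*)\]")


def parse_audit_line(line):
    """Parse one Shield audit log line into a dict, or return None if it
    does not match the header layout."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = {
        "timestamp": datetime.strptime(m.group("timestamp"), "%Y-%m-%d %H:%M:%S,%f"),
        "level": m.group("level"),
        "logger": m.group("logger"),
        "node": m.group("node"),
        "layer": m.group("layer"),
        "event": m.group("event"),
    }
    # Generic scan: whatever keys this event type carries end up in the record.
    for kv in KV_RE.finditer(m.group("fields")):
        rec[kv.group("key")] = kv.group("value")

    # Derived fields: split "/10.50.4.6:40433" into ip and port (rpartition keeps
    # IPv6 addresses intact, since only the last colon separates the port).
    addr = rec.get("origin_address")
    if addr:
        host, _, port = addr.lstrip("/").rpartition(":")
        if host and port.isdigit():
            rec["origin_ip"] = host
            rec["origin_port"] = int(port)
    # indices=[a,b] is one bracketed, comma-separated list.
    if "indices" in rec:
        rec["indices"] = [i.strip() for i in rec["indices"].split(",") if i.strip()]
    return rec


def parse_audit_lines(lines):
    """Parse many lines, silently skipping any that are not audit records."""
    return [r for r in (parse_audit_line(l) for l in lines) if r is not None]


def count_events(records):
    """Count records per (layer, event) pair, e.g. ('rest', 'authentication_failed')."""
    counts = {}
    for r in records:
        key = (r["layer"], r["event"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    records = parse_audit_lines(SAMPLE_LINES)
    for r in records:
        print(r)
    print(count_events(records))
```

The header regex corresponds roughly to a grok pattern of the form `\[%{TIMESTAMP_ISO8601:timestamp}\]\[%{LOGLEVEL:level}\s*\]\[%{DATA:logger}\s*\] \[%{DATA:node}\] \[%{WORD:layer}\] \[%{WORD:event}\]\s+%{GREEDYDATA:audit_fields}`, with the tail then handed to a `kv` filter; that translation is my own and untested against a running Logstash, so check it against your own version's `kv` options for splitting on `, ` and stripping the surrounding `[` `]`.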


(system) #2