Hi!
I'm trying to decode a plain JSON text log file (this is actually a Nextcloud audit.log) via Filebeat 6.6. I tried the solutions from the manual, but I ended up with the following crash in the processing:
... FileStateOS:file.StateOS{Inode:0x1400a1, Device:0x97f}}}, Flags:0x1} (status=400): {"type":"mapper_parsing_exception","reason":"object mapping for [url] tried to parse field [url] as object, but found a concrete value"}
My current config is:
filebeat.inputs:
- type: log
  input_type: log
  json.keys_under_root: true
  enabled: true
  paths:
    - /data/audit.log
  scan_frequency: 5s
The source JSON log lines look like this:
{"reqId":"XG0f2MctF9CX22NDyyjr7gAAAAI","level":1,"time":"20.02.2019, 12:37:28","remoteAddr":"192.168.0.2","user":"testuser","app":"admin_audit","method":"POST","url":"\/index.php\/login","message":"Login successful: \"testuser\"","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko\/20100101 Firefox\/65.0","version":"15.0.4.0"}
{"reqId":"XG0f2r1uKLHPmdlOgqNsTgAAAI8","level":1,"time":"20.02.2019, 12:37:30","remoteAddr":"192.168.0.2","user":"testuser","app":"admin_audit","method":"GET","url":"\/index.php\/core\/preview?fileId=177&c=bbd4cf604563e97aa05fbbc3357a34e4&x=250&y=250&forceIcon=0","message":"Preview accessed: \"\/Nextcloud.png\" (width: \"250\", height: \"250\" crop: \"1\", mode: \"fill\")","userAgent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko\/20100101 Firefox\/65.0","version":"15.0.4.0"}
I do see this whole message in Kibana, but is it even possible to decompose it into Elasticsearch?
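
The error quoted in the post says the index maps [url] as an object while the audit line carries it as a string. The following Python check is an added example, not part of the original post and not Filebeat code: it compares a decoded audit line against a mapping for that kind of collision, once with the keys at the root (as with `json.keys_under_root: true`) and once nested under a `json` key (where Filebeat places decoded JSON by default). The sample line, the mapping excerpt (including the `path` sub-field) and the function names are constructed for illustration.

```python
import json

# Constructed sample line in the Nextcloud audit.log format shown in the post.
SAMPLE_LINE = r'{"reqId":"CONSTRUCTED0001","level":1,"time":"20.02.2019, 12:37:28","remoteAddr":"192.168.0.2","user":"testuser","app":"admin_audit","method":"POST","url":"\/index.php\/login","message":"Login successful: \"testuser\"","version":"15.0.4.0"}'

# Constructed excerpt of an index mapping. The error in the post only says that
# [url] is mapped as an object; the sub-field "path" is an assumption.
SAMPLE_MAPPING = {"properties": {
    "url": {"properties": {"path": {"type": "keyword"}}},
    "message": {"type": "text"},
    "json": {"properties": {}},
}}

def place_event(line, keys_under_root):
    """Mimic where decoded keys land: top level, or under a "json" key."""
    decoded = json.loads(line)
    return dict(decoded) if keys_under_root else {"json": decoded}

def mapping_conflicts(doc, mapping, prefix=""):
    """Return dotted field paths whose value shape contradicts the mapping."""
    conflicts = []
    props = mapping.get("properties", {})
    for key, value in doc.items():
        field = props.get(key)
        if field is None:
            continue  # unmapped field: dynamic mapping would create it
        path = prefix + key
        mapped_as_object = "properties" in field or field.get("type") == "object"
        if isinstance(value, dict):
            if not mapped_as_object:
                conflicts.append(path + ": object sent, concrete mapping")
            else:
                conflicts += mapping_conflicts(value, field, path + ".")
        elif mapped_as_object and value is not None:
            conflicts.append(path + ": concrete value sent, object mapping")
    return conflicts

if __name__ == "__main__":
    for flag in (True, False):
        event = place_event(SAMPLE_LINE, keys_under_root=flag)
        found = mapping_conflicts(event, SAMPLE_MAPPING)
        print("keys_under_root =", flag, "->", found or "no conflicts")
```

To run it against a real index, replace `SAMPLE_MAPPING` with the `mappings` section returned for that index and feed it lines from the actual log.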