Found the problem, too many square brackets under add_field.
"[auditd][log][msg]" should be "[audit.log][msg]"
"[auditd][log][auditid]" should be "[auditd.log][auditid]"
"[auditd][log][auditmesg]" should be "[auditd.log][auditmesg]"
© 2020. All Rights Reserved - Elasticsearch