Hello Team,
I'm using the audit integration to parse audit logs. For the audit record type USER_CMD, the user.name field is not being mapped; only the user.id is present.
The log entry contains AUID, which represents the user.name, but it is not displaying in Kibana. Why is this happening?
Hello Maxwell_Borden, thanks for your reply!
I have installed the Elastic Agent on the endpoint from which I want to send the logs to ELK. The Elastic Agent version is 8.14.3 and the integration version is 3.19.2. I added the policy to the Elastic Agent and attached the audit log integration.
This looks to me like the same issue that was fixed here in integration version 3.20.3, where an enriched-format log with a msg='...' field was not parsed correctly. Can you try with that newer ingest pipeline?
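To make the parsing problem described in this thread concrete, here is an added example (not code from the original thread, and not the auditd integration's own ingest pipeline). It parses a USER_CMD record in both auditd log formats: the classic record, and the ENRICHED format, in which auditd appends a 0x1d (group separator) byte followed by resolved names such as AUID="...". The numeric auid is in the raw record and becomes user.id; the login name exists only in the enrichment trailer, so any pipeline that mishandles the msg='...' sub-record or drops the trailer cannot populate user.name. The sample log lines, the user name "maxwell", and the ECS-style output field names are constructed for this example and are not necessarily those the integration emits.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# auditd writes enriched records (log_format = ENRICHED in auditd.conf) as the
# classic record followed by a 0x1d byte and a trailer of resolved names.
ENRICHMENT_SEP = "\x1d"

# Header of every record: type=<TYPE> msg=audit(<epoch>.<ms>:<sequence>): <fields>
_HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$", re.S)

# key=value pairs: double-quoted, single-quoted (the nested msg='...' sub-record
# that USER_CMD carries), or a bare token.
_KV_RE = re.compile(r"""(\w+)=("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|\S+)""")

# Fields auditd hex-encodes (unquoted) when the value contains whitespace or
# control characters; a quoted value is always a literal string.
_HEX_ENCODED_FIELDS = {"cmd", "proctitle"}
_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def _parse_kv(text: str) -> Dict[str, str]:
    """Parse one key=value list into a dict, unquoting and hex-decoding values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(text):
        if len(raw) >= 2 and raw[0] in "\"'" and raw[-1] == raw[0]:
            fields[key] = raw[1:-1]
        elif key in _HEX_ENCODED_FIELDS and _HEX_RE.match(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields


def parse_audit_line(line: str) -> dict:
    """Split an auditd line into header, top-level fields, the nested msg='...'
    sub-record and the enrichment trailer (empty for classic-format records)."""
    body, _, trailer = line.rstrip("\n").partition(ENRICHMENT_SEP)
    m = _HEADER_RE.match(body)
    if not m:
        raise ValueError("not an auditd record: %r" % line[:60])
    rtype, epoch, seq, rest = m.groups()
    fields = _parse_kv(rest)
    # USER_CMD (like other user-space records) nests a second key=value list
    # inside msg='...'; it holds cwd, cmd, exe, terminal and res.
    nested = _parse_kv(fields.pop("msg", ""))
    return {
        "type": rtype,
        "timestamp": datetime.fromtimestamp(float(epoch), tz=timezone.utc),
        "sequence": int(seq),
        "fields": fields,
        "nested": nested,
        "enrichment": _parse_kv(trailer),
    }


def user_cmd_to_ecs(line: str) -> Dict[str, Optional[str]]:
    """Map a USER_CMD record to ECS-style fields (names chosen for this example)."""
    rec = parse_audit_line(line)
    if rec["type"] != "USER_CMD":
        raise ValueError("expected USER_CMD, got %s" % rec["type"])
    f, n, e = rec["fields"], rec["nested"], rec["enrichment"]
    return {
        "@timestamp": rec["timestamp"].isoformat(),
        "auditd.log.record_type": rec["type"],
        "auditd.log.sequence": str(rec["sequence"]),
        # The numeric login uid is always in the raw record ...
        "user.id": f.get("auid"),
        # ... but the login name only exists in the enrichment trailer, so a
        # pipeline that loses the trailer can never fill user.name.
        "user.name": e.get("AUID"),
        "process.command_line": n.get("cmd"),
        "process.executable": n.get("exe"),
        "process.working_directory": n.get("cwd"),
        "event.outcome": n.get("res"),
    }


# Constructed sample records (hex 6C73202D6C61 is "ls -la").
SAMPLE_RAW = (
    "type=USER_CMD msg=audit(1718000000.123:456): pid=1234 uid=1000 auid=1000 ses=3 "
    "msg='cwd=\"/home/maxwell\" cmd=6C73202D6C61 exe=\"/usr/bin/sudo\" terminal=pts/0 res=success'"
)
SAMPLE_ENRICHED = SAMPLE_RAW + '\x1dUID="maxwell" AUID="maxwell"'

if __name__ == "__main__":
    for sample in (SAMPLE_RAW, SAMPLE_ENRICHED):
        print(user_cmd_to_ecs(sample))
```

To check which ingest pipeline version keeps the AUID value, the same sample lines can be submitted to Elasticsearch's pipeline simulation endpoint (POST _ingest/pipeline/<pipeline id>/_simulate with the line in the document's message field) for each of the installed pipelines and the resulting user.name compared.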
Do I need to create a new ingest pipeline now and add the integration to that?
Actually, when I search for the pipeline in Stack Management > Ingest Pipelines there are 2 pipelines, [logs-auditd.log-3.19.2] and [logs-auditd.log-3.15.0]. The 3.15.0 pipeline is storing the AUID value but 3.19.2 is not! But the integration is using the 3.19.2 pipeline only. How can I change it to 3.15.0?
You cannot change the ingest pipeline used by the integration; if the integration is on version 3.19.2 it will use the ingest pipeline with this version.
The old pipeline should have been deleted; it probably wasn't deleted because of some bug.
If you are having any issue with the parsing of an integration, the first thing to do is to upgrade to the latest version, which in this case is version 3.21.0.
You mentioned you are using Elastic Agent 8.14.3. Does the Kibana version correspond with this, or is it older than 8.11? If that is the case, the only way to be able to see newer versions of the integrations is by upgrading it.