Hello,
My current setup on my machine is:
Elasticsearch 6.5.4
Kibana 6.5.4
logstash 6.5.4
On a remote machine:
filebeat 6.5.4
The output for filebeat is logstash and it's configured to pull from the var/audit folder. I'm able to see the var/audit/*.not_terminated logs, but the message body contains weird characters.
How do I filter this out?
See below for an example of the garbled text:
f��@�J�(launchd::Audit recovery#)/var/audit/20190117194635.crash_recovery'�f9��@�J�(launchd::Audit startup'�9}�e@�Jyqasflags-am_success-am_failure$������'�}X��@�K@$��������(begin evaluation'�Xv��@�KC$��������(config.modify.com.apple.wifi(config.modify.'�v���@�KC$��������(config.modify.com.apple.wifi(client /usr/libexec/airportd(creator /usr/libexec/airportd'��V��@�KC$��������(end evaluation'�V}�e@�M�q0asflags-am_success-am_failure$������'�}}�e@�M�qasflags-am_success-am_failure$������'�}}�g@�M�qasflags-am_success-am_failure$������'�}X��@�N�$����a��b(begin evaluation'�Xt��@�N�$����a��b(system.login.console(system.login.console'�t��@�NH$����a��b(system.login.console( mechanism builtin:policy-banner'����@�O�$����\\��(EVerify password for record type Users 'admin' node '/Local/Default''�������@�X$����\\��
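The bytes above are what a binary OpenBSM audit trail (the format of the files under /var/audit on macOS) looks like when a shipper reads it as text; as an added example, not code from the original post or from Elastic, here is a small decoder for the header32, text and trailer tokens, plus a check a shipper could run to recognise such a file before treating it as log lines. The sample record, its event number and its timestamp are constructed for the test, and only these three token types are decoded.

```python
import struct
from datetime import datetime, timezone

# OpenBSM token ids and trailer magic (bsm/audit_record.h); only the tokens
# this example decodes are listed.
AUT_TRAILER = 0x13
AUT_HEADER32 = 0x14
AUT_TEXT = 0x28
TRAILER_MAGIC = 0xB105

def looks_like_bsm(buf):
    """Cheap pre-check: a BSM trail starts with a header32 token whose
    record length fits the data. Plain-text syslog lines fail this."""
    if len(buf) < 18 or buf[0] != AUT_HEADER32:
        return False
    reclen = struct.unpack_from(">I", buf, 1)[0]
    return 18 < reclen <= len(buf)

def parse_record(buf, off=0):
    """Decode one record at buf[off:]: header32, AUT_TEXT tokens, trailer.
    Returns (fields, offset of the next record)."""
    if buf[off] != AUT_HEADER32:
        raise ValueError("no header32 token at offset %d" % off)
    # header32: id(1) length(4) version(1) event(2) modifier(2) secs(4) msec(4)
    reclen, version, event, mod, secs, msec = struct.unpack_from(">IBHHII", buf, off + 1)
    rec = {"version": version, "event": event, "modifier": mod,
           "time": datetime.fromtimestamp(secs, timezone.utc).isoformat(),
           "text": [], "unknown_token": None}
    pos, end = off + 18, off + reclen
    while pos < end:
        tid = buf[pos]
        if tid == AUT_TEXT:            # id(1) length(2) NUL-terminated text
            n = struct.unpack_from(">H", buf, pos + 1)[0]
            rec["text"].append(buf[pos + 3:pos + 3 + n].rstrip(b"\0").decode("utf-8", "replace"))
            pos += 3 + n
        elif tid == AUT_TRAILER:       # id(1) magic(2) length(4)
            magic, tlen = struct.unpack_from(">HI", buf, pos + 1)
            if magic != TRAILER_MAGIC or tlen != reclen:
                raise ValueError("bad trailer at offset %d" % pos)
            break
        else:                          # unknown token: cannot size it, so stop here
            rec["unknown_token"] = tid # and resync on the header's record length
            break
    return rec, off + reclen

def build_record(event, secs, texts):
    """Constructed sample builder (test input only): header32 + text tokens + trailer."""
    body = b"".join(bytes([AUT_TEXT]) + struct.pack(">H", len(t) + 1) + t.encode() + b"\0"
                    for t in texts)
    reclen = 18 + len(body) + 7
    hdr = bytes([AUT_HEADER32]) + struct.pack(">IBHHII", reclen, 11, event, 0, secs, 0)
    return hdr + body + bytes([AUT_TRAILER]) + struct.pack(">HI", TRAILER_MAGIC, reclen)

# Constructed sample record (event number and time are placeholders, not from the post)
SAMPLE = build_record(45025, 1547754395, ["launchd::Audit startup"])
```

For a real trail, read the file in binary mode and call parse_record in a loop using the returned offset; praudit(1) on the macOS host is the reference decoder to compare against.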