Hello guys,
I need a your help.
I did a filter with grok, but when I go to kibana I did not see the field of the filter.
The log:
type=USER_ACCT msg=audit(1666101680.397:1224): pid=665272 uid=0 auid=525000037 ses=27 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_succeed_if acct="root" exe="/usr/bin/su" hostname=teste.cloud addr=? terminal=pts/0 res=success'UID="root" AUID="root"
My filter:
if "PAM:accounting" in [message]{
grok {
match => { "message" => "type=%{WORD:audit_type} msg=audit\(%{NUMBER:audit_epoch:timestamp}:%{NUMBER:audit_counter}\): pid=%{NUMBER:audit_pid} uid=%{NUMBER:audit_uid} auid=%{NUMBER:audit_audid} ses=%{NUMBER:ses} subj=%{GREEDYDATA:subj} msg=\'op=%{GREEDYDATA:operation} grantors=%{GREEDYDATA:pam_login} acct=\"%{GREEDYDATA:acct_user}\" exe=\"%{GREEDYDATA:exec}\" hostname=%{GREEDYDATA:hostname} addr=%{GREEDYDATA:ipaddr} terminal=%{GREEDYDATA:terminal} res=%{GREEDYDATA:result}(\') ?UID=\"%{GREEDYDATA:uid_name}\" AUID=\"%{GREEDYDATA:auid_name}\""}
}
}
What i can see in Kibana:
Thank you!