Elasticsearch/audit fileset fails with grok failure #10035

@ycombinator

Description

Observed on master.

The elasticsearch/audit fileset does not know how to parse the following log line:

[2019-01-08T14:15:02,011] [NodeName-0] [transport] [access_granted]     origin_type=[transport], origin_address=[192.168.2.1], principal=[username], realm=[active_directory], roles=[kibana_user,my_custom_role_1,foo_reader], action=[indices:data/read/search[free_context]], indices=[foo-2019.01.04,foo-2019.01.03,foo-2019.01.06,foo-2019.01.05,foo-2019.01.08,servicelog-2019.01.07], request=[SearchFreeContextRequest]

It fails with the following error:

Provided Grok expressions do not match field value: [[2019-01-08T14:15:02,011] [NodeName-0] [transport] [access_granted]     origin_type=[transport], origin_address=[192.168.2.1], principal=[username], realm=[active_directory], roles=[kibana_user,my_custom_role_1,foo_reader], action=[indices:data/read/search[free_context]], indices=[foo-2019.01.04,foo-2019.01.03,foo-2019.01.06,foo-2019.01.05,foo-2019.01.08,servicelog-2019.01.07], request=[SearchFreeContextRequest]]
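For readers who want to pick the fields out of this line outside the Filebeat pipeline, here is an added Python example (not the fileset's grok pattern or any Beats code): it reads the four bracketed header fields and then the `key=[value]` pairs while tracking bracket depth, so a nested value such as `action=[indices:data/read/search[free_context]]` is kept whole rather than cut at the first `]`. The sample line is a copy of the one in the issue; treating `roles` and `indices` as lists is an assumption drawn from that sample.

```python
import re

# Constructed copy of the audit line quoted in the issue (not a live capture).
SAMPLE_LINE = (
    "[2019-01-08T14:15:02,011] [NodeName-0] [transport] [access_granted]     "
    "origin_type=[transport], origin_address=[192.168.2.1], principal=[username], "
    "realm=[active_directory], roles=[kibana_user,my_custom_role_1,foo_reader], "
    "action=[indices:data/read/search[free_context]], "
    "indices=[foo-2019.01.04,foo-2019.01.03,foo-2019.01.06,foo-2019.01.05,"
    "foo-2019.01.08,servicelog-2019.01.07], request=[SearchFreeContextRequest]"
)

# Bracketed header (timestamp, node, layer, event type), then key=[value] pairs.
HEADER_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\]\s+\[(?P<node>[^\]]+)\]\s+\[(?P<layer>[^\]]+)\]"
    r"\s+\[(?P<event_type>[^\]]+)\]\s*(?P<rest>.*)$"
)

# Keys whose values are comma-separated lists (assumption from the sample line).
LIST_KEYS = {"roles", "indices"}


def _read_bracketed(text, start):
    """Return (value, index after the closing ']') for the '[...]' at text[start].
    Bracket depth is tracked so 'search[free_context]' stays inside one value."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "[":
            depth += 1
        elif text[i] == "]":
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
    raise ValueError("unbalanced brackets in audit line")


def parse_audit_line(line):
    """Parse one Elasticsearch audit log line into a flat dict of fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("line does not start with the audit header")
    event = {k: m.group(k) for k in ("timestamp", "node", "layer", "event_type")}
    rest, pos = m.group("rest").strip(), 0
    while pos < len(rest):
        eq = rest.index("=", pos)                   # end of the next key
        key = rest[pos:eq].strip(" ,")
        value, pos = _read_bracketed(rest, eq + 1)  # every value is bracketed
        event[key] = value.split(",") if key in LIST_KEYS else value
    return event
```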
