[system.auth] redundant wildcard in grok expression

[andrewkroh]

The grok pattern has a redundant operator in the pattern, %{SPACE}+, resulting in the regex (?:\s*)+ which has the + as a redundant operator.

integrations/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml

Line 17 in 5fca8c0

- '^%{TIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?:%{SPACE}+%{GREEDYMULTILINE:_temp.message}$'

Related

• [Filebeat] system/auth module - Remove redundant grok wildcard beats#34550

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)