Hello everyone.
I’m using the Auditing/Logging app. It writes logs to a separate file, /var/log/nextcloud/audit.log.
I’ve already added it to system.yml (system module) for parsing, and now I can see it in the Discover panel in Kibana. The problem is that I see the most important part of this log as plain text and not as separate fields in the table. I’d like to see remoteAddr, user, method, message and so on in Kibana.
I was trying to use “decode json fields” and “rename” in processors, but no luck…
Can anyone help me with this task?
My processors in Filebeat.yml look like this:
```yaml
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - decode_json_fields:
      fields: "remoteAddr"
      process_array: false
      max_depth: 1
      target: "message"
      overwrite_keys: false
      add_error_key: true
  - rename:
      fields:
        - from: "message.url"
          to: "url.path"
        - from: "message.remoteAddr"
          to: "client.ip"
        - from: "message.userAgent"
          to: "logstash.log.userAg"
        - from: "message.message"
          to: "event.action"
```
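
An added example, not part of the original post: one way the processors above could be arranged so that the JSON text is decoded before the rename runs. It assumes each audit.log line is a single JSON object that Filebeat delivers as a string in the `message` field; the `nextcloud` target key is a hypothetical name chosen for this example.

```yaml
# Added example, not the poster's configuration.
# Assumption: every audit.log line is one JSON object, shipped by Filebeat
# as a string in the event's "message" field.
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - decode_json_fields:
      # "fields" lists the event field(s) that hold the JSON text to decode,
      # not a key that lives inside that JSON.
      fields: ["message"]
      process_array: false
      max_depth: 1
      # Decoded keys land under nextcloud.* (hypothetical name); the raw
      # line is left untouched in "message" for later review.
      target: "nextcloud"
      overwrite_keys: false
      # On a decode failure the event gets an error field instead of
      # being silently passed through.
      add_error_key: true
  - rename:
      fields:
        - from: "nextcloud.url"
          to: "url.path"
        - from: "nextcloud.remoteAddr"
          to: "client.ip"
        - from: "nextcloud.userAgent"
          to: "logstash.log.userAg"
        - from: "nextcloud.message"
          to: "event.action"
      # Lines that did not decode have no nextcloud.* keys; do not drop
      # or fail those events, so they remain visible with their error field.
      ignore_missing: true
      fail_on_error: false
```

Fields that are not renamed, such as `user` and `method`, stay available as `nextcloud.user` and `nextcloud.method`. Running `filebeat test config` checks the syntax before a restart, and an error field on an event in Discover points to a line that was not valid JSON.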