Audit log parsing in ELK (Elastic/Kibana/Logstash)

Hello everyone.
I’m using an app Auditing/Logging. It is writing logs to separate file /var/log/nextcloud/audit.log.
In system.yml (system module) I’ve already added it for parsing and now I can see it in Discover panel in Kibana. The problem is that I see the most important part of this log like a simple text and not like separate fields in table. I’d like to see remoteAddr, user, method, message and so on in Kibana.
I was trying to use “decode json fields” and “rename” in processors, but no luck…
Can anyone help me with this task?
My processors in Filebeat.yml looks like that:

  - add_host_metadata:
      when.not.contains.tags: forwarded
  - decode_json_fields:
      fields: "remoteAddr"
      process_array: false
      max_depth: 1
      target: "message"
      overwrite_keys: false
      add_error_key: true
  - rename:
        - from: "message.url"
          to: "url.path"
        - from: "message.remoteAddr"
          to: "client.ip"
        - from: "message.userAgent"
          to: "logstash.log.userAg"
        - from: "message.message"
          to: "event.action"

@Delvin I improved the file from Seeing Successful Logins - #11 by J-Doc and published it here GitHub - marcohald/filebeat-nextcloud