pschiffe / ipa-log-config

Tool for log forwarding configuration on IPA servers and clients
https://www.freeipa.org/page/Centralized_Logging
GNU General Public License v2.0

action field not making it into elasticsearch #8

Closed theWizK closed 7 years ago

theWizK commented 7 years ago

Hi there. I'm trying to search for user logins using the searches / dashboards set up for showing user logins, but I notice that the action field is not making it into Elasticsearch. I'm not sure where that field should be getting introduced, but I think possibly it is as part of the normalize rules for the audit log. I don't fully understand how that turns into fields that end up being turned into the $!all-json variable used by the omelasticsearch module. In either case -- the search and dashboard aren't working, I believe because they require the action field to be identified and it never is. I definitely see messages if I search for type=USER_LOGIN. Any help would be appreciated.
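The pipeline the report describes is: raw audit records are flattened into named fields by a normalization step, and the resulting field set is serialized (rsyslog's `$!all-json`) and shipped by omelasticsearch. A field that a dashboard filters on but that no normalization rule ever populates is simply absent from the JSON. The following Python is an added illustration of that flow written for this page; it is not code from ipa-log-config, rsyslog or liblognorm. It parses constructed audit lines into fields, reports which fields a dashboard expects are missing, and applies a hypothetical normalization rule (copying the audit `op` value into `action`) to show what it takes for the field to appear in the shipped JSON. The field list `EXPECTED_FIELDS`, the `op` to `action` mapping and the sample lines are all assumptions, not the project's actual rules.

```python
"""Flatten Linux audit records into fields and check, before shipping, that the
fields a dashboard searches on are present. Added example; not project code."""
import json
import re

# key=value tokens; a value may be single- or double-quoted and contain spaces
_TOKEN = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
# the record header: msg=audit(<epoch.ms>:<serial>):
_AUDIT_HDR = re.compile(r"audit\((\d+\.\d+):(\d+)\):")

# Constructed sample records in auditd's on-disk format (not captured from a real host).
SAMPLE_LINES = [
    "type=USER_LOGIN msg=audit(1500000000.123:456): pid=1234 uid=0 auid=1000 ses=3 "
    "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 "
    "terminal=ssh res=success'",
    "type=USER_AUTH msg=audit(1500000001.500:457): pid=1234 uid=0 auid=1000 ses=3 "
    "msg='op=PAM:authentication grantors=pam_unix acct=\"alice\" exe=\"/usr/sbin/sshd\" "
    "hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'",
]

# Fields a (hypothetical) login dashboard filters on; 'action' is the one in question.
EXPECTED_FIELDS = ("type", "action", "auid", "res")


def parse_audit_record(line: str) -> dict:
    """Flatten one audit record into a dict of string fields.

    The msg=audit(ts:serial): header becomes audit_ts / audit_serial; a quoted
    msg='...' payload is parsed recursively and merged into the same dict.
    """
    fields = {}
    for key, raw in _TOKEN.findall(line):
        if key == "msg":
            hdr = _AUDIT_HDR.match(raw)
            if hdr:
                fields["audit_ts"], fields["audit_serial"] = hdr.groups()
                continue
            inner = raw[1:-1] if raw[0] in "'\"" else raw
            fields.update(parse_audit_record(inner))
            continue
        if len(raw) >= 2 and raw[0] in "'\"" and raw[-1] == raw[0]:
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def missing_fields(record: dict, expected=EXPECTED_FIELDS) -> list:
    """Return the expected field names that the record does not carry."""
    return [name for name in expected if name not in record]


def normalize(record: dict) -> dict:
    """Hypothetical normalization rule: derive 'action' from the audit 'op' field.

    This stands in for whatever rule the real pipeline would need; raw audit
    records never carry an 'action' key themselves.
    """
    out = dict(record)
    if "op" in out and "action" not in out:
        out["action"] = out["op"]
    return out


def to_all_json(record: dict) -> str:
    """Serialize the flattened fields the way a JSON template would before shipping."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        raw = parse_audit_record(line)
        print("raw record missing:", missing_fields(raw))
        shipped = normalize(raw)
        print("after normalize missing:", missing_fields(shipped))
        print(to_all_json(shipped))
```

Running it on the constructed lines shows `action` missing from the raw records and present only after the normalization rule runs, which is the check to make on the host before looking at Elasticsearch: if the JSON leaving the forwarder has no `action` key, no index mapping or dashboard change will make it appear.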

theWizK commented 7 years ago

Sorry -- I posted this to the wrong project.