

Elasticsearch ingest pipeline for the MySQL audit log
{
"mysqlaudit_log": {
"description": "Ingest pipeline for MySQL Audit Log Format",
"processors": [
{
"grok": {
"field": "message",
"patterns": [
"^%{YEAR:year}%{MONTHNUM:month}%{MONTHDAY:day}%{SPACE}%{TIME:time},%{GREEDYDATA:host},%{WORD:username},%{GREEDYDATA:client_hostname},%{INT:connection_id},%{INT:query_id},%{MYSQLAUDIT_EVENT_TYPE_RW:event_type},%{WORD:database_name},%{WORD:table}",
"^%{YEAR:year}%{MONTHNUM:month}%{MONTHDAY:day}%{SPACE}%{TIME:time},%{GREEDYDATA:host},%{WORD:username},%{GREEDYDATA:client_hostname},%{INT:connection_id},%{INT:query_id},%{MYSQLAUDIT_EVENT_TYPE_QUERY:event_type},%{GREEDYDATA:database_name},'%{GREEDYDATA:query}',%{INT:return_code}",
"^%{YEAR:year}%{MONTHNUM:month}%{MONTHDAY:day}%{SPACE}%{TIME:time},%{GREEDYDATA:host},%{WORD:username},%{GREEDYDATA:client_hostname},%{INT:connection_id},%{INT:query_id},%{MYSQLAUDIT_EVENT_TYPE_CONNECT:event_type},%{WORD:database_name},%{WORD:table}"
],
"pattern_definitions": {
"MYSQLAUDIT_EVENT_TYPE_QUERY": "QUERY",
"MYSQLAUDIT_EVENT_TYPE_RW": "(READ|WRITE)",
"MYSQLAUDIT_EVENT_TYPE_CONNECT": "(CONNECT|DISCONNECT|FAILED_CONNECT)"
}
}
}
]
}
}