From 8e8a59d76ac8b2e990b946f5c76d7b7198d22da8 Mon Sep 17 00:00:00 2001 From: Luke Elmers Date: Wed, 14 Apr 2021 22:23:15 -0600 Subject: [PATCH 1/2] Ensure event.category and event.type are still processed as strings. --- filebeat/module/kibana/audit/ingest/pipeline-json.yml | 4 ++-- filebeat/module/kibana/audit/test/test-audit-711.log | 8 ++++---- .../kibana/audit/test/test-audit-711.log-expected.json | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/filebeat/module/kibana/audit/ingest/pipeline-json.yml b/filebeat/module/kibana/audit/ingest/pipeline-json.yml index 9cc9e6e6423..3ff55477488 100644 --- a/filebeat/module/kibana/audit/ingest/pipeline-json.yml +++ b/filebeat/module/kibana/audit/ingest/pipeline-json.yml @@ -16,7 +16,7 @@ processors: - set: if: ctx.kibana._audit_temp.event.category != null field: event.category - value: "{{kibana._audit_temp.event.category}}" + value: "{{kibana._audit_temp.event.category.0}}" - set: if: ctx.kibana._audit_temp.event.outcome != null field: event.outcome @@ -24,7 +24,7 @@ processors: - set: if: ctx.kibana._audit_temp.event.type != null field: event.type - value: "{{kibana._audit_temp.event.type}}" + value: "{{kibana._audit_temp.event.type.0}}" - remove: field: 'ecs' diff --git a/filebeat/module/kibana/audit/test/test-audit-711.log b/filebeat/module/kibana/audit/test/test-audit-711.log index aaa2209673e..c928218a9c0 100644 --- a/filebeat/module/kibana/audit/test/test-audit-711.log +++ b/filebeat/module/kibana/audit/test/test-audit-711.log 
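Review bot: In both hunks the new templates `{{kibana._audit_temp.event.category.0}}` and `{{kibana._audit_temp.event.type.0}}` keep only the first array element, so an audit record carrying more than one category or type would be indexed with the remaining values silently dropped. For a security audit trail this matters because searches and detection rules that filter on `event.category` or `event.type` would miss such records. ECS defines both fields as arrays, so unless a downstream consumer needs a scalar, copying the whole value would preserve it. If keeping a single value is intentional, say so above each `set`, e.g. `# Kibana emits one-element arrays here; only the first value is kept`. Both `set` entries start or end outside their hunks.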
@@ -1,4 +1,4 @@ -{"@timestamp":"2020-12-09T11:57:34.870-05:00","message":"User is requesting [/foo/spaces/enter] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"http_request","category":"web","outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"0.0.0.0","path":"/foo/spaces/enter","port":5603,"scheme":"https:"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5"}} -{"@timestamp":"2020-12-09T11:59:21.458-05:00","message":"User [elastic] has logged in using basic provider [name=basic]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"user_login","category":"authentication","outcome":"success"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"authentication_provider":"basic","authentication_type":"basic","authentication_realm":"reserved","lookup_realm":"reserved"},"trace":{"id":"a400bdb7-d279-44c1-b009-bc803809872f"}} -{"@timestamp":"2020-12-09T12:01:36.210-05:00","message":"User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"saved_object_create","category":"database","type":"creation","outcome":"unknown"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"b1c237a9-5edd-4653-92bc-350feb8e1530"}} -{"@timestamp":"2020-12-09T12:01:37.281-05:00","message":"User has accessed index-pattern 
[id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"saved_object_get","category":"database","type":"access","outcome":"success"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"17819e5b-187a-4107-944e-6295925d08be"}} +{"@timestamp":"2020-12-09T11:57:34.870-05:00","message":"User is requesting [/foo/spaces/enter] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"0.0.0.0","path":"/foo/spaces/enter","port":5603,"scheme":"https:"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5"}} +{"@timestamp":"2020-12-09T11:59:21.458-05:00","message":"User [elastic] has logged in using basic provider [name=basic]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"authentication_provider":"basic","authentication_type":"basic","authentication_realm":"reserved","lookup_realm":"reserved"},"trace":{"id":"a400bdb7-d279-44c1-b009-bc803809872f"}} +{"@timestamp":"2020-12-09T12:01:36.210-05:00","message":"User is creating index-pattern 
[id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"saved_object_create","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"b1c237a9-5edd-4653-92bc-350feb8e1530"}} +{"@timestamp":"2020-12-09T12:01:37.281-05:00","message":"User has accessed index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"saved_object_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"17819e5b-187a-4107-944e-6295925d08be"}} diff --git a/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json b/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json index bfed337b0e3..5c4999be225 100644 --- a/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json +++ b/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json @@ -41,7 +41,7 @@ "event.timezone": "-02:00", "fileset.name": "audit", "input.type": "log", - "log.offset": 543, + "log.offset": 545, "message": "User [elastic] has logged in using basic provider [name=basic]", "process.pid": 20699, "related.user": [ @@ -69,7 +69,7 @@ "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96", "kibana.saved_object.type": "index-pattern", "kibana.space_id": "default", - "log.offset": 1093, + "log.offset": 1097, "message": "User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]", "process.pid": 20699, "related.user": [ 
@@ -97,7 +97,7 @@ "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96", "kibana.saved_object.type": "index-pattern", "kibana.space_id": "default", - "log.offset": 1655, + "log.offset": 1663, "message": "User has accessed index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]", "process.pid": 20699, "related.user": [ From 84e3f9b8cd6cfff0d5bf9f6a059f822c35e883bc Mon Sep 17 00:00:00 2001 From: Luke Elmers Date: Thu, 15 Apr 2021 11:05:46 -0600 Subject: [PATCH 2/2] Check that category and type are a list & update tests. --- .../kibana/audit/ingest/pipeline-json.yml | 12 +- .../kibana/audit/test/test-audit-711.log | 8 +- .../test/test-audit-711.log-expected.json | 6 +- .../kibana/audit/test/test-audit-713.log | 4 + .../test/test-audit-713.log-expected.json | 113 ++++++++++++++++++ 5 files changed, 134 insertions(+), 9 deletions(-) create mode 100644 filebeat/module/kibana/audit/test/test-audit-713.log create mode 100644 filebeat/module/kibana/audit/test/test-audit-713.log-expected.json diff --git a/filebeat/module/kibana/audit/ingest/pipeline-json.yml b/filebeat/module/kibana/audit/ingest/pipeline-json.yml index 3ff55477488..2fef934d9e8 100644 --- a/filebeat/module/kibana/audit/ingest/pipeline-json.yml +++ b/filebeat/module/kibana/audit/ingest/pipeline-json.yml 
@@ -14,17 +14,25 @@ processors: field: event.action value: "{{kibana._audit_temp.event.action}}" - set: - if: ctx.kibana._audit_temp.event.category != null + if: ctx.kibana._audit_temp.event.category != null && ctx.kibana._audit_temp.event.category instanceof List field: event.category value: "{{kibana._audit_temp.event.category.0}}" +- set: + if: ctx.kibana._audit_temp.event.category != null && ctx.kibana._audit_temp.event.category instanceof String + field: event.category + value: "{{kibana._audit_temp.event.category}}" - set: if: ctx.kibana._audit_temp.event.outcome != null field: event.outcome value: "{{kibana._audit_temp.event.outcome}}" - set: - if: ctx.kibana._audit_temp.event.type != null + if: ctx.kibana._audit_temp.event.type != null && ctx.kibana._audit_temp.event.type instanceof List field: event.type value: "{{kibana._audit_temp.event.type.0}}" +- set: + if: ctx.kibana._audit_temp.event.type != null && ctx.kibana._audit_temp.event.type instanceof String + field: event.type + value: "{{kibana._audit_temp.event.type}}" - remove: field: 'ecs' diff --git a/filebeat/module/kibana/audit/test/test-audit-711.log b/filebeat/module/kibana/audit/test/test-audit-711.log index c928218a9c0..aaa2209673e 100644 --- a/filebeat/module/kibana/audit/test/test-audit-711.log +++ b/filebeat/module/kibana/audit/test/test-audit-711.log 
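Review bot: The new `instanceof List` conditions for `event.category` and `event.type` accept an empty list, in which case the `.0` template presumably renders as an empty string and the field is set to `""` instead of being left out; extending the guard, e.g. `ctx.kibana._audit_temp.event.category instanceof List && !ctx.kibana._audit_temp.event.category.isEmpty()`, avoids that. The conditions also dereference `ctx.kibana._audit_temp.event` directly, so a log line without an `event` object would likely raise in the condition rather than skip the processor. The null-safe form `ctx.kibana?._audit_temp?.event?.category instanceof List` covers that case and makes the separate `!= null` test unnecessary. A value that is neither a List nor a String now falls through both branches with no trace, which deserves a one-line comment such as `# other value types are ignored on purpose`. The processor list continues outside the hunk.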
@@ -1,4 +1,4 @@ -{"@timestamp":"2020-12-09T11:57:34.870-05:00","message":"User is requesting [/foo/spaces/enter] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"0.0.0.0","path":"/foo/spaces/enter","port":5603,"scheme":"https:"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5"}} -{"@timestamp":"2020-12-09T11:59:21.458-05:00","message":"User [elastic] has logged in using basic provider [name=basic]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"authentication_provider":"basic","authentication_type":"basic","authentication_realm":"reserved","lookup_realm":"reserved"},"trace":{"id":"a400bdb7-d279-44c1-b009-bc803809872f"}} -{"@timestamp":"2020-12-09T12:01:36.210-05:00","message":"User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"saved_object_create","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"b1c237a9-5edd-4653-92bc-350feb8e1530"}} -{"@timestamp":"2020-12-09T12:01:37.281-05:00","message":"User has accessed index-pattern 
[id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"saved_object_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"17819e5b-187a-4107-944e-6295925d08be"}} +{"@timestamp":"2020-12-09T11:57:34.870-05:00","message":"User is requesting [/foo/spaces/enter] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"http_request","category":"web","outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"0.0.0.0","path":"/foo/spaces/enter","port":5603,"scheme":"https:"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5"}} +{"@timestamp":"2020-12-09T11:59:21.458-05:00","message":"User [elastic] has logged in using basic provider [name=basic]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"user_login","category":"authentication","outcome":"success"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"authentication_provider":"basic","authentication_type":"basic","authentication_realm":"reserved","lookup_realm":"reserved"},"trace":{"id":"a400bdb7-d279-44c1-b009-bc803809872f"}} +{"@timestamp":"2020-12-09T12:01:36.210-05:00","message":"User is creating index-pattern 
[id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"saved_object_create","category":"database","type":"creation","outcome":"unknown"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"b1c237a9-5edd-4653-92bc-350feb8e1530"}} +{"@timestamp":"2020-12-09T12:01:37.281-05:00","message":"User has accessed index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.6.0"},"event":{"action":"saved_object_get","category":"database","type":"access","outcome":"success"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"17819e5b-187a-4107-944e-6295925d08be"}} diff --git a/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json b/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json index 5c4999be225..bfed337b0e3 100644 --- a/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json +++ b/filebeat/module/kibana/audit/test/test-audit-711.log-expected.json @@ -41,7 +41,7 @@ "event.timezone": "-02:00", "fileset.name": "audit", "input.type": "log", - "log.offset": 545, + "log.offset": 543, "message": "User [elastic] has logged in using basic provider [name=basic]", "process.pid": 20699, "related.user": [ @@ -69,7 +69,7 @@ "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96", "kibana.saved_object.type": "index-pattern", "kibana.space_id": "default", - "log.offset": 1097, + "log.offset": 1093, "message": "User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]", "process.pid": 20699, "related.user": [ 
@@ -97,7 +97,7 @@ "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96", "kibana.saved_object.type": "index-pattern", "kibana.space_id": "default", - "log.offset": 1663, + "log.offset": 1655, "message": "User has accessed index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]", "process.pid": 20699, "related.user": [ diff --git a/filebeat/module/kibana/audit/test/test-audit-713.log b/filebeat/module/kibana/audit/test/test-audit-713.log new file mode 100644 index 00000000000..720e1aa126b --- /dev/null +++ b/filebeat/module/kibana/audit/test/test-audit-713.log 
@@ -0,0 +1,4 @@ +{"@timestamp":"2020-12-09T11:57:34.870-05:00","message":"User is requesting [/foo/spaces/enter] endpoint","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"get"}},"url":{"domain":"0.0.0.0","path":"/foo/spaces/enter","port":5603,"scheme":"https:"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"space_id":"default"},"trace":{"id":"71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5"}} +{"@timestamp":"2020-12-09T11:59:21.458-05:00","message":"User [elastic] has logged in using basic provider [name=basic]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"user_login","category":["authentication"],"outcome":"success"},"user":{"name":"elastic","roles":["superuser"]},"kibana":{"authentication_provider":"basic","authentication_type":"basic","authentication_realm":"reserved","lookup_realm":"reserved"},"trace":{"id":"a400bdb7-d279-44c1-b009-bc803809872f"}} +{"@timestamp":"2020-12-09T12:01:36.210-05:00","message":"User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"saved_object_create","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"b1c237a9-5edd-4653-92bc-350feb8e1530"}} +{"@timestamp":"2020-12-09T12:01:37.281-05:00","message":"User has accessed index-pattern 
[id=325b1500-3a40-11eb-a93c-7bbeae51ac96]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":20699},"ecs":{"version":"1.9.0"},"event":{"action":"saved_object_get","category":"database","type":"access","outcome":"success"},"kibana":{"space_id":"default","saved_object":{"type":"index-pattern","id":"325b1500-3a40-11eb-a93c-7bbeae51ac96"}},"user":{"name":"elastic","roles":["superuser"]},"trace":{"id":"17819e5b-187a-4107-944e-6295925d08be"}} diff --git a/filebeat/module/kibana/audit/test/test-audit-713.log-expected.json b/filebeat/module/kibana/audit/test/test-audit-713.log-expected.json new file mode 100644 index 00000000000..5c4999be225 --- /dev/null +++ b/filebeat/module/kibana/audit/test/test-audit-713.log-expected.json 
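Review bot: The new fixture covers one-element arrays (first three lines) and a plain string (fourth line), but no multi-element or empty array for `event.category` or `event.type`, which are the inputs where the pipeline's `.0` indexing changes or loses data. Adding one line with a constructed value such as `"type":["access","info"]` and one with `"category":[]`, together with their expected output, would pin that behaviour. The fourth line combines `"ecs":{"version":"1.9.0"}` with the string form of `category` and `type`; if that is deliberate coverage of the String branch, the commit message is the place to say so, since the log file cannot carry a comment.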
@@ -0,0 +1,113 @@ +[ + { + "@timestamp": "2020-12-09T11:57:34.870-05:00", + "event.action": "http_request", + "event.category": "web", + "event.dataset": "kibana.audit", + "event.kind": "event", + "event.module": "kibana", + "event.outcome": "unknown", + "event.timezone": "-02:00", + "fileset.name": "audit", + "http.request.method": "get", + "input.type": "log", + "kibana.space_id": "default", + "log.offset": 0, + "message": "User is requesting [/foo/spaces/enter] endpoint", + "process.pid": 20699, + "related.user": [ + "elastic" + ], + "service.type": "kibana", + "trace.id": "71a7d4d1-e9ba-474c-a844-9d9c1dc11ba5", + "url.domain": "0.0.0.0", + "url.original": "/foo/spaces/enter", + "url.path": "/foo/spaces/enter", + "url.port": 5603, + "url.scheme": "https:", + "user.name": "elastic", + "user.roles": [ + "superuser" + ] + }, + { + "@timestamp": "2020-12-09T11:59:21.458-05:00", + "event.action": "user_login", + "event.category": "authentication", + "event.dataset": "kibana.audit", + "event.kind": "event", + "event.module": "kibana", + "event.outcome": "success", + "event.timezone": "-02:00", + "fileset.name": "audit", + "input.type": "log", + "log.offset": 545, + "message": "User [elastic] has logged in using basic provider [name=basic]", + "process.pid": 20699, + "related.user": [ + "elastic" + ], + "service.type": "kibana", + "trace.id": "a400bdb7-d279-44c1-b009-bc803809872f", + "user.name": "elastic", + "user.roles": [ + "superuser" + ] + }, + { + "@timestamp": "2020-12-09T12:01:36.210-05:00", + "event.action": "saved_object_create", + "event.category": "database", + "event.dataset": "kibana.audit", + "event.kind": "event", + "event.module": "kibana", + "event.outcome": "unknown", + "event.timezone": "-02:00", + "event.type": "creation", + "fileset.name": "audit", + "input.type": "log", + "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96", + "kibana.saved_object.type": "index-pattern", + "kibana.space_id": "default", + "log.offset": 1097, + 
"message": "User is creating index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]", + "process.pid": 20699, + "related.user": [ + "elastic" + ], + "service.type": "kibana", + "trace.id": "b1c237a9-5edd-4653-92bc-350feb8e1530", + "user.name": "elastic", + "user.roles": [ + "superuser" + ] + }, + { + "@timestamp": "2020-12-09T12:01:37.281-05:00", + "event.action": "saved_object_get", + "event.category": "database", + "event.dataset": "kibana.audit", + "event.kind": "event", + "event.module": "kibana", + "event.outcome": "success", + "event.timezone": "-02:00", + "event.type": "access", + "fileset.name": "audit", + "input.type": "log", + "kibana.saved_object.id": "325b1500-3a40-11eb-a93c-7bbeae51ac96", + "kibana.saved_object.type": "index-pattern", + "kibana.space_id": "default", + "log.offset": 1663, + "message": "User has accessed index-pattern [id=325b1500-3a40-11eb-a93c-7bbeae51ac96]", + "process.pid": 20699, + "related.user": [ + "elastic" + ], + "service.type": "kibana", + "trace.id": "17819e5b-187a-4107-944e-6295925d08be", + "user.name": "elastic", + "user.roles": [ + "superuser" + ] + } +] \ No newline at end of file