full_audit:prefix = %u|%U|%I|%m|%S|%T|%D full_audit:success = mkdir rename u

1. full_audit:prefix = %u|%U|%I|%m|%S|%T|%D
2. full_audit:success = mkdir rename unlink rmdir pwrite
3. full_audit:failure = connect
4. full_audit:facility = local1
5. full_audit:priority = NOTICE INFO
6.  
7. Oct 30 20:22:04 localhost smbd[27520]: stock|stock|192.168.0.6|HOSTNAME|adminstorage|2014/10/30 20:22:04|STOCKBOX|rename|ok|Media/config.txt|.recycle/stock/Media/config.txt
8.  
9. mutate {
10. gsub => ["message","|"," "]
11. }
12.  
13. Oct 30 20:22:04 localhost smbd[27520]: stock stock 192.168.0.6 HOSTNAME adminstorage 2014/10/30 20:22:04 STOCKBOX rename ok Media/config.txt .recycle/stock/Media/config.txt
14.  
15. %{MONTH:syslog_month} %{MONTHDAY:syslog_day} %{TIME:syslog_time} localhost smbd[%{INT:pid}]: %{USER:user_service} %{USER:user_session} %{IP:client_ip} %{HOST:client_NETBIOS} %{GREEDYDATA:name_of_service} %{YEAR:samba_year}/%{MONTHNUM:samba_month}/%{MONTHDAY:samba_day} %{TIME:samba_time} %{USER:domain} %{WORD:action} %{WORD:sucess} %{GREEDYDATA:path}