import and parse syslog file to Elastisearch

Question

I need to import a set of SYSLOG files to elasticsearch. I'am using a filebeat agent. I succeeded the data importation, however the data in elasticsearch is not parsed. This is the input file:

Feb 14 03:43:40 my_host_name run-parts(/etc/cron.daily)[1544] finished rhsmd

Feb 14 03:43:40 my_host_name anacron[240673]: Job `cron.daily' terminated (produced output)

Feb 14 03:43:41 my_host_name anacron[240673]: Normal exit (1 job run)

Feb 14 03:43:41 my_host_name postfix/pickup[241860]: 7E8CFC00BB50: uid=0 from=<root>

I work on the 7.15.2 version of Filebeat and Elasticsearch. I get an index output with the field message not parsed. That contain for example the hole line

 Feb 14 03:43:41 my_host_name anacron[240673]: Normal exit (1 job run)

On the versions 8.0 there is a processors option to add to the configuration file that parse this field:

processors:
  - syslog:
      field: message

However in the version 7.15.2 this option is not available. How can I parse this Field in the Filebeat configuration ?

Thank you for your help.

score 0 · Answer 1 · answered Jul 28 '22 at 15:51

0

What you could do is either use the dissect or script processors to parse the values according to your needs. Not saying this is the best option, but it is an option

answered Jul 28 '22 at 15:51

Mike R

464
5
16

import and parse syslog file to Elastisearch

1 Answers1