Hi,
I wrote a custom parser with dissect processor for collecting fail2ban-logs. Those are working fine for the servers where logs are being collected using filebeat however I am not sure how do I add those with where I have Elastic-Agent installed?
Any clue please?
TIA
Are you parsing in the processors in the filebeat or an ingest pipeline?
Are you using the Custom Logs Integration with the Agent?
You can use the Custom Logs Integration -> Advanced -> Processors
Nope I am ingesting the logs with filebeat and parsing with processor. I used dissect processor and wondering how do I replicate with servers using elatic-agent?
Since Elastic-Agent is using filebeat in the background wondering if I could modifty that config and pickup and parse the logs using my processor? My logs are being dumped in /var/log/fail2ban.log and here are my dissec_processor
filebeat.inputs:
- type: log
paths:
- /var/log/fail2ban.log
processors:
- drop_event:
when:
contains:
message: INFO
- dissect:
tokenizer: '%{timestamp} fail2ban.actions %{process.pid}: NOTICE %{application|string} %{action|string} %{source.ip|ip}'
field: "message"
Thanks that resolved the issue 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.