I have several devices sending syslogs to my server, but in Kibana, all of them have the exact same host/agent name, so it's impossible to visualize groups. For example, if I wanted to see all alerts from my core switch, there wouldn't be anything to differentiate its messages from an AP.
I've recently noticed this as well. It seems like this is intentional, but I'm not sure it makes any sense. There should be a way to differentiate sources.
Unless there's something we're missing, I'll be going back to logstash to solve this.
I'm not sure I'm advanced enough to do this. Is there documentation on how to replace filebeat with logstash? Or is logstash just another link in the chain?
You may need to make some changes in your environment depending on what you're logging. Cisco, for example, doesn't use RFC3164 for syslog. But if you search around you'll find some config samples for Cisco. If you get hung up, you can always ask in the Logstash forum. It is easy to get lost in the config.
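As an added illustration (not code from anyone in this thread), the following shows why the sending device's address, not the collector's hostname, is what lets you tell a core switch apart from an AP, and how a Cisco IOS line differs from RFC 3164. The IP-to-device map and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed: which sender address belongs to which device (assumption).
DEVICE_NAMES = {"192.0.2.1": "core-switch", "192.0.2.20": "ap-lobby"}

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):\s*(?P<msg>.*)$")
# Cisco IOS: <PRI>SEQ: TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: message
# There is no hostname field, so only the sender address identifies the box.
CISCO = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:\d+: )?(?P<ts>[^%]*?): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<msg>.*)$")

def parse_syslog(raw, sender_ip):
    """Parse one syslog line; sender_ip is the UDP/TCP peer that sent it."""
    event = {"source_address": sender_ip,
             "device": DEVICE_NAMES.get(sender_ip, sender_ip)}
    m = RFC3164.match(raw)
    if m:
        event.update(format="rfc3164", observer_host=m["host"],
                     tag=m["tag"], message=m["msg"])
    else:
        m = CISCO.match(raw)
        if not m:  # keep unparsed lines rather than dropping them
            event.update(format="unknown", message=raw)
            return event
        event.update(format="cisco-ios", message=m["msg"],
                     mnemonic=f"{m['fac']}-{m['sev']}-{m['mnem']}")
    # PRI = facility * 8 + severity, as in both formats
    event["facility"], event["severity"] = divmod(int(m["pri"]), 8)
    return event

def group_by_device(received):
    """received: iterable of (sender_ip, raw_line) pairs -> {device: [events]}."""
    groups = defaultdict(list)
    for sender_ip, raw in received:
        ev = parse_syslog(raw, sender_ip)
        groups[ev["device"]].append(ev)
    return dict(groups)

# Constructed sample traffic from two devices.
SAMPLE = [
    ("192.0.2.1", "<189>45: *Mar  1 00:12:09.123: %SYS-5-CONFIG_I: Configured from console by admin"),
    ("192.0.2.20", "<30>Oct  9 13:01:02 ap-lobby hostapd: STA aa:bb:cc:dd:ee:ff associated"),
    ("192.0.2.1", "<187>46: *Mar  1 00:12:30.500: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down"),
]
```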