Hi. In my environment I have various hardware firewalls such as Cisco, and other vendors. And I also have Linux servers, so I log events from Apache, OS and auditd. I log all events to central syslog server, from there I would ship them to elasticsearch using filebeat. In past I would write my own grok expressions for Logstash, however lately I noticed that filebeat includes a lot of built in modules.
The problem I am facing is that it only works for me for syslog and auth. When I want to use auditd and fortinet modules, they do not work. Grok expressions do not expect Syslog format timestamp, hence log lines are not parsed and not appear properly in my elasticsearch. What would you recommend? Shall I roll back to writing my own grok expressions in Logstash?