It is observed that filebeat is unable to parse a syslog message in RFC 3164 format properly when the priority value is given as <0> in the syslog message. For other priorities filebeat works as expected.
For the above reason the filebeat syslog input will never be able to parse syslog Emergency messages from the kernel.
This is a major bug in the filebeat syslog input plugin.
Versions: 6.4.1 and 6.6.x
1. Enable the "syslog" type prospector using the "tcp" protocol in "filebeat.yml":

   - type: syslog
     protocol.tcp.host: "localhost:9000"

2. Start filebeat:

   # filebeat -e

3. Connect with a tcp client and send data to filebeat:

   # nc localhost 9000
   <0>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
Output observed in the "syslog" field of the parsed message:
Expected value of the "syslog" field of the parsed message:
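For reference, here is a small RFC 3164 parser that treats PRI 0 as the valid kern.emerg value it is, so that the message above decodes to facility 0 / severity 0 instead of failing. This is an added example and not filebeat's code or the patch mentioned below; it assumes the caller supplies the year (RFC 3164 timestamps carry none) and the sample lines in main() are constructed from the report.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Message is the decoded form of one RFC 3164 syslog line.
type Message struct {
	Priority  int // raw PRI value, 0..191
	Facility  int // Priority / 8
	Severity  int // Priority % 8
	Timestamp time.Time
	Hostname  string
	Program   string // TAG with any "[pid]" suffix and trailing ':' removed
	Content   string
}

// Severity names from RFC 3164 section 4.1.1 (index == numeric code).
var severityNames = [8]string{"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"}

// ParsePri decodes the leading "<PRI>" field and returns the rest of the line.
// PRI 0 (facility kern, severity emerg) is a legitimate value, so a missing or
// malformed PRI is signalled only through the error, never by returning 0.
func ParsePri(line string) (pri int, rest string, err error) {
	if len(line) < 3 || line[0] != '<' {
		return 0, "", errors.New("missing PRI")
	}
	end := strings.IndexByte(line, '>')
	if end < 2 || end > 4 { // RFC 3164 allows one to three digits
		return 0, "", errors.New("malformed PRI")
	}
	digits := line[1:end]
	for i := 0; i < len(digits); i++ {
		if digits[i] < '0' || digits[i] > '9' {
			return 0, "", errors.New("PRI is not numeric")
		}
	}
	if len(digits) > 1 && digits[0] == '0' {
		return 0, "", errors.New("PRI must not have leading zeros")
	}
	pri, _ = strconv.Atoi(digits) // cannot fail: one to three ASCII digits
	if pri > 191 { // facility 23, severity 7 is the maximum
		return 0, "", errors.New("PRI out of range")
	}
	return pri, line[end+1:], nil
}

// Parse decodes "<PRI>TIMESTAMP HOSTNAME TAG: CONTENT". RFC 3164 timestamps carry
// no year, so the caller supplies it (normally the receiver's current year).
func Parse(line string, year int) (Message, error) {
	pri, rest, err := ParsePri(line)
	if err != nil {
		return Message{}, err
	}
	m := Message{Priority: pri, Facility: pri / 8, Severity: pri % 8}
	// TIMESTAMP is exactly "Mmm dd hh:mm:ss" (15 bytes, day space-padded), then a space.
	if len(rest) < 16 || rest[15] != ' ' {
		return m, errors.New("malformed TIMESTAMP")
	}
	ts, err := time.Parse("Jan _2 15:04:05", rest[:15])
	if err != nil {
		return m, err
	}
	m.Timestamp = time.Date(year, ts.Month(), ts.Day(), ts.Hour(), ts.Minute(), ts.Second(), 0, time.UTC)
	fields := strings.SplitN(rest[16:], " ", 3)
	if len(fields) < 3 {
		return m, errors.New("missing HOSTNAME, TAG or CONTENT")
	}
	m.Hostname = fields[0]
	prog := strings.TrimSuffix(fields[1], ":")
	if i := strings.IndexByte(prog, '['); i >= 0 {
		prog = prog[:i]
	}
	m.Program = prog
	m.Content = fields[2]
	return m, nil
}

// SeverityName returns the symbolic severity, e.g. "emerg" for PRI 0.
func (m Message) SeverityName() string { return severityNames[m.Severity] }

func main() {
	// Constructed inputs: the line from the report and one with a non-zero PRI.
	for _, line := range []string{
		"<0>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
		"<34>Oct 11 22:14:15 mymachine su[42]: 'su root' failed for lonvick on /dev/pts/8",
	} {
		m, err := Parse(line, 2019)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("pri=%d facility=%d severity=%s host=%s program=%s\n",
			m.Priority, m.Facility, m.SeverityName(), m.Hostname, m.Program)
	}
}
```

The point of the explicit error return in ParsePri is that a parser which uses PRI 0 to mean "no priority present" cannot represent kern.emerg at all; keeping "absent" and "zero" distinct is what makes the first sample line decode.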
I have verified this in different filebeat versions as well as in the currently stable 6.6.x version. It is not working.
I was able to identify a source-code-level mistake for the above scenario. I have fixed this issue locally in the code and it is working fine.
So I am going to raise an issue on GitHub and will upload the patch for the fix.
Kindly let me know if you have any suggestions.