Can't parse event as syslog rfc3164


We are facing a known issue with syslog input of filebeat, And running our Elasticsearch cluster on CentOS Linux release 7.7.1908 (Core) VM environment.

We are working with Cisco ASA and FTD firewall logs, But on filebeat journalctl getting following error messages:

Dec 17 19:11:03 ELKFWLOGGING filebeat[8010]: 2019-12-17T19:11:03.214+0530        ERROR        [syslog]        syslog/input.go:134        can't parse event as syslog rfc3164        {"message": "<166>Dec 17 2019 19:11:03 : %ASA-6-302016: Teardown UDP connection 3187545438 for XXXXX: to XXXXX: duration 0:00:00 bytes 56\n"}
Dec 17 19:11:03 ELKFWLOGGING filebeat[8010]: 2019-12-17T19:11:03.215+0530        ERROR        [syslog]        syslog/input.go:134        can't parse event as syslog rfc3164        {"message": "<166>Dec 17 2019 19:11:03 : %ASA-6-302015: Built inbound UDP connection 3187545439 for XXXXX: to XXXXX: (\n"}

My Filebeat file configuration is:

- type: syslog
    host: ""

  path: ${path.config}/modules.d/*.yml

  index.number_of_shards: 1
  index.codec: best_compression
  #_source.enabled: false

  host: ""

  hosts: [""]

  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

The Cisco module config file at /etc/filebeat/modules.d/cisco.yml configuration is:

- module: cisco
    enabled: true
    var.input: syslog
    var.syslog_port: 9001
    var.log_level: 6

    enabled: true
    #var.input: syslog
    #var.syslog_host: localhost
    #var.syslog_port: 9003
    #var.log_level: 7

    enabled: true
    #var.input: syslog
    #var.syslog_host: localhost
    #var.syslog_port: 9002

We are receiving logs at elasticsearch end but without parsing!

We've tested the cluster with both Version 7.4.2 and the latest 7.5.0, But still don't found any working solution suggested on discuss, github, etc. forums about the subjected issue.

Any help will be much appreciated :slight_smile:


We have found the solution of this issue!

We made just a small change into the filebeat.yml file by removing the additionally configured input type (Which of course added by us!), i.e.

- type: syslog
    host: ""

And configure the firewall syslog on 9001 port for our filebeat host node, as per defaults in /etc/filebeat/modules.d/cisco.yml.

Since cisco module is already contains the syslog input configuration in it. So there is no need to additionally define another syslog input on filebeat.yml file!

It resolved the issue of Can't parse event as syslog rfc3164 error logs.`

I hope this information will help someone like me. :slight_smile:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.