[CheckPoint] [Filebeat 7.8] Provided Grok expressions do not match field value

Hello all,

I want to send logs directly to Elastic from my CheckPoint Management.
This is my checkpoint.yml configuration:

- module: checkpoint
  firewall:
    enabled: true
    var.syslog_host: 10.10.10.1
    var.syslog_port: 514

On my filebeat.yml, I simply configured the output to Elastic:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["ElasticHost:9200"]

Logs are sent without issue. I reviewed a tcpdump on UDP port 514 and I am getting logs. I can see them in Kibana. But I have this error:

Provided Grok expressions do not match field value: [<134>1 2020-06-23T00:33:20Z CP_CheckPoint 5561 - [action:\"Encrypt\"; flags:\"417028\"; ifdir:\"inbound\"; ifname:\"eth2\"; logid:\"0\"; loguid:\"{ox}\"; origin:\"10.10.10.2\"; originsicname:\"CN=C,O=LA..mrqm2j\"; sequencenum:\"4\"; time:\"1592872400\"; version

Maybe I don't know if this is an issue, because I followed the steps of the Filebeat checkpoint module.
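As an added example (not the Filebeat checkpoint module's own grok pattern, which is not shown in this thread), here is a small Python parser for the line shape quoted in the error above: it checks that a captured line has an RFC 5424 header and then splits the bracketed key:"value"; body, so lines from the tcpdump can be checked before suspecting the module's pattern. It assumes the three tokens between the timestamp and the `[` occupy the RFC 5424 HOSTNAME, APP-NAME and PROCID slots; the full sample line and its values are constructed.

```python
import re
from typing import Dict, Optional

# Added example, not Filebeat's grok. Header per RFC 5424:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID [MSGID]; the post's line has
# only three tokens between the timestamp and '[', so MSGID is optional here.
# The body is '[' then key:"value"; pairs; the closing ']' is optional because
# the error message in the post shows the line cut off mid-body.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?:(?P<msgid>[^\[\s]+) )?\[(?P<body>.*?)\]?$'
)
PAIR_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')


def parse_checkpoint_syslog(line: str) -> Optional[Dict[str, Dict[str, str]]]:
    """Split one line into {'header': ..., 'fields': ...}; None when the RFC 5424
    header itself does not match, which is the first thing to rule out when an
    ingest pipeline reports that its grok expressions do not match."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    header = {k: v for k, v in m.groupdict().items()
              if k != 'body' and v is not None}
    pri = int(header['pri'])
    header['facility'] = str(pri >> 3)   # 134 -> 16 (local0)
    header['severity'] = str(pri & 7)    # 134 -> 6 (informational)
    # On the wire the quotes are bare; the error text in the post shows \" because
    # the message was JSON-escaped when reported, so both spellings are accepted.
    body = m.group('body').replace('\\"', '"')
    fields = dict(PAIR_RE.findall(body))
    return {'header': header, 'fields': fields}


# Constructed sample with the same layout as the post's line (values made up).
SAMPLE = ('<134>1 2020-06-23T00:33:20Z CP_CheckPoint 5561 - [action:"Encrypt"; '
          'flags:"417028"; ifdir:"inbound"; ifname:"eth2"; logid:"0"; '
          'origin:"10.10.10.2"; sequencenum:"4"; time:"1592872400"; version:"1"]')
# The truncated, JSON-escaped line as it appears in the post's error message.
TRUNCATED = ('<134>1 2020-06-23T00:33:20Z CP_CheckPoint 5561 - [action:\\"Encrypt\\"; '
             'flags:\\"417028\\"; ifdir:\\"inbound\\"; ifname:\\"eth2\\"; logid:\\"0\\"; '
             'loguid:\\"{ox}\\"; origin:\\"10.10.10.2\\"; '
             'originsicname:\\"CN=C,O=LA..mrqm2j\\"; sequencenum:\\"4\\"; '
             'time:\\"1592872400\\"; version')

if __name__ == '__main__':
    for line in (SAMPLE, TRUNCATED):
        rec = parse_checkpoint_syslog(line)
        print('no RFC 5424 header' if rec is None else rec['fields'])
```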
