We are using Filebeat 8.8.2 to parse syslogs. When it fails to parse a syslog, it logs a JSON error message that has duplicate "message" keys, making it invalid JSON - I believe this is a bug.
This occurs with multiple syslog RFCs, including 5424 and 3164. Other log messages unrelated to syslog parsing on the same instance do not contain a duplicate message key.
Sample config
- type: syslog
  format: rfc5424
  protocol.udp:
    host: "0.0.0.0:5073"
  fields_under_root: true
Sample Logs
{"log.level":"error","@timestamp":"2024-05-23T17:19:12.302Z","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":286},"message":"can't parse event as syslog rfc3164","service.name":"filebeat","message":"1,2023/07/11 13:02:00,12001075189,TRAFFIC,end,2561,2023/07/11 13:02:00,10.61.26.131,10.61.25.21,,,Access to VAM Webpage,,,ssl,vsys1,OT-DMZ-Jump,OT-DMZ-VM,vlan.262,vlan.25,Forward to Panorama,2023/07/11 13:02:00,60285,1,60138,8443,0,0,0x10041c,tcp,allow,1533,969,564,11,2023/07/11 13:02:00,0,not-resolved,,7.21654E+18,0x8000000000000000,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,,6,5,tcp-fin,42,0,0,0,,CGY-DC1-OT-PA-820-01,from-policy,,,0,,0,,N/A,0,0,0,0,9e190216-6dd5-4018-aece-e349dc112da7,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2023-07-11T13:01:28.277-06:00,,,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no,0","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2024-05-23T17:19:20.631Z","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":298},"message":"can't parse event as syslog rfc5424","service.name":"filebeat","message":"<75>1 2003-12-24T05:14:15.000000003-07:00 mymachine.example.com evntslog - ID47 - It is possible to be tooo specific on the time, though ","ecs.version":"1.6.0"}
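As an added example (not part of the bug report and not Filebeat's own code), the script below shows why the duplicate key matters for anyone ingesting these logs: a standard JSON parser accepts the line but silently keeps only the last "message" value, so the diagnostic "can't parse event as syslog rfc5424" is lost and the raw syslog payload takes its place. It uses the rfc5424 sample line from the report above, detects duplicate keys with `json.loads`'s `object_pairs_hook`, and offers a lossless parse that keeps every value of a repeated key as a list. The function names are assumptions for illustration.

```python
import json
from collections import Counter

# Log line copied from the bug report above (the rfc5424 case).
SAMPLE_LINE = '''{"log.level":"error","@timestamp":"2024-05-23T17:19:20.631Z","log.logger":"syslog","log.origin":{"file.name":"syslog/input.go","file.line":298},"message":"can't parse event as syslog rfc5424","service.name":"filebeat","message":"<75>1 2003-12-24T05:14:15.000000003-07:00 mymachine.example.com evntslog - ID47 - It is possible to be tooo specific on the time, though ","ecs.version":"1.6.0"}'''


def find_duplicate_keys(json_text):
    """Return {key: occurrences} for every key that appears more than once
    inside a single JSON object anywhere in json_text (nested objects included).
    A plain json.loads() would not reveal this: it keeps the last value and
    reports nothing."""
    duplicates = {}

    def hook(pairs):
        # Called once per JSON object, with the key/value pairs in source order.
        counts = Counter(key for key, _ in pairs)
        for key, n in counts.items():
            if n > 1:
                duplicates[key] = duplicates.get(key, 0) + n
        return dict(pairs)

    json.loads(json_text, object_pairs_hook=hook)
    return duplicates


def is_strict_json(json_text):
    """True only if the text parses and contains no repeated keys."""
    return not find_duplicate_keys(json_text)


def surviving_message(json_text):
    """The 'message' value a last-wins parser (Python's json, most libraries)
    ends up with. For the sample line this is the raw syslog payload, not the
    Filebeat error text."""
    return json.loads(json_text)["message"]


def parse_keeping_all(json_text):
    """Lossless parse: a key that repeats within one object maps to the list of
    all its values (in source order); unique keys map to their single value."""

    def hook(pairs):
        grouped = {}
        for key, value in pairs:
            grouped.setdefault(key, []).append(value)
        return {k: (v[0] if len(v) == 1 else v) for k, v in grouped.items()}

    return json.loads(json_text, object_pairs_hook=hook)


if __name__ == "__main__":
    print("duplicate keys:", find_duplicate_keys(SAMPLE_LINE))
    print("last-wins message:", surviving_message(SAMPLE_LINE))
    print("all message values:", parse_keeping_all(SAMPLE_LINE)["message"])
```

Running it against the sample line reports `{"message": 2}`, shows that the last-wins parse keeps the `<75>1 ...` payload, and that the lossless parse retains both the error text and the payload, which is the safer way to handle such lines in a pipeline until the producer emits one key per field.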