Hi,
I switched from the ‘classic’ Filebeat to Elastic-Agent. Very handy, but there is a difference in how events are parsed.
My Syslog events from devices and Raspberry Pis are routed via a central syslog server, and from there via Elastic-Agent to Elastic.
In the old way an event in Elastic was parsed like this:
- host.name: Syslogserver
- host.hostname: Original sender (like a Raspberry Pi)
- message: the original message without the headers (date / time / host)
Now it’s like this:
- host.name: Syslogserver
- host.hostname: Syslogserver
- message: the whole original message with the headers
Now stuff like reports and SIEM aren’t working correctly anymore.
Thanks,
Herman
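As an added illustration of the two parsing outcomes described in the post (not code from the poster, from Filebeat or from Elastic-Agent), the following Python snippet parses a relayed RFC 3164 syslog line the way the "old" behaviour did: `host.name` is the relay the agent reads from, `host.hostname` comes from the syslog header, and `message` is the body with the header stripped. It also includes a small check that flags an event in the "new" shape (both host fields equal to the relay while the message still carries a syslog header), which is the condition that breaks sender-based reports. The sample line and the host name `Syslogserver` are constructed for this example.

```python
import re

# RFC 3164 style line as forwarded by a central syslog server:
#   <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: body
SYSLOG_HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<body>.*)$",
    re.DOTALL,
)

# Constructed sample: a Raspberry Pi's sshd line relayed through the syslog server.
SAMPLE_LINE = ("<38>Mar 10 12:34:56 raspberrypi sshd[1234]: "
               "Accepted publickey for pi from 192.0.2.10 port 51234 ssh2")
RELAY_HOST = "Syslogserver"  # the host Elastic-Agent actually collects from


def parse_relayed_event(raw: str, receiver: str) -> dict:
    """Build ECS-style fields for one syslog line collected on `receiver`.

    host.name      -> the relay the agent reads from
    host.hostname  -> the original sender, taken from the syslog header
    message        -> the body without timestamp/host header
    If no header can be recognised, everything is attributed to the relay,
    which is exactly the "flattened" shape the post complains about.
    """
    line = raw.rstrip("\n")
    m = SYSLOG_HEADER_RE.match(line)
    if not m:
        return {"host.name": receiver, "host.hostname": receiver,
                "message": line, "event.original": line}

    event = {
        "host.name": receiver,
        "host.hostname": m.group("host"),
        "message": m.group("body"),
        "event.original": line,
    }
    if m.group("pri") is not None:
        # PRI = facility * 8 + severity (RFC 3164 section 4.1.1)
        pri = int(m.group("pri"))
        event["log.syslog.priority"] = pri
        event["log.syslog.facility.code"] = pri >> 3
        event["log.syslog.severity.code"] = pri & 7
    return event


def looks_flattened(event: dict) -> bool:
    """True when the sender was lost: both host fields point at the relay
    while the message still begins with a syslog timestamp/host header."""
    same_host = event.get("host.name") == event.get("host.hostname")
    header_in_message = SYSLOG_HEADER_RE.match(event.get("message", "")) is not None
    return same_host and header_in_message


if __name__ == "__main__":
    parsed = parse_relayed_event(SAMPLE_LINE, RELAY_HOST)
    for key in ("host.name", "host.hostname", "message"):
        print(f"{key}: {parsed[key]}")
    flattened = {"host.name": RELAY_HOST, "host.hostname": RELAY_HOST,
                 "message": SAMPLE_LINE}
    print("flattened event detected:", looks_flattened(flattened))
```

Running the same check over events already in an index is a quick way to quantify how many documents lost their original sender after the switch, before deciding whether to re-parse them in an ingest pipeline.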