Extract message to additional fields

Hi All,

I am looking for some help. I have configured Filebeat to collect the Cisco syslogs and push them to Elasticsearch, and it's working fine.

I am looking to extract the data from log.original and message into additional fields (Username, IP, Group).

log.original : %ASA-5-713119: Group = RA-VPN, Username = user-1, IP = , PHASE 1 COMPLETED

message: Group = RA-VPN, Username = user-1, IP = , PHASE 1 COMPLETED

Can someone help me understand how this can be achieved?

Do I have to make some changes at the Filebeat level, or in the Elasticsearch query itself?

What version of Elasticsearch are you running?

Starting with version 7.5.0, Elasticsearch has an index-level setting called index.final_pipeline. You could create a higher-order index template for filebeat-* that defines this setting to a custom ingest node pipeline you create.

This pipeline could make the additional modifications you are looking to make to your data, before it gets indexed into Elasticsearch. Note that this pipeline would operate on any documents being indexed into filebeat-*, so you'll want to make sure to add conditional logic to process only documents for data being indexed by the cisco module.
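One way to put the answer above into practice, as an added example that is not part of the original thread and not Filebeat's or Elasticsearch's own code: a small Python script that defines the ingest pipeline (a grok processor guarded by an `event.module == 'cisco'` condition, plus a remove step for the empty-IP case visible in the sample message), defines the legacy index template that sets `index.final_pipeline` on `filebeat-*`, and carries an offline regex equivalent of the grok pattern so the extraction can be checked without a cluster. The pipeline and template names, the target field names (`user.name`, `source.ip`, `cisco_vpn.group`, `cisco_vpn.status`) and the `ES_URL` environment variable are assumptions for this example.

```python
"""Added example: ingest pipeline + final_pipeline template for the Cisco ASA
'Group = ..., Username = ..., IP = ...' message shape shown in the thread.
Pipeline/template names and field names below are assumptions, not Filebeat's."""
import json
import os
import re
import urllib.request

PIPELINE_NAME = "filebeat-cisco-vpn-fields"   # assumed name
TEMPLATE_NAME = "filebeat-final-pipeline"     # assumed name

# Grok pattern used by the pipeline. DATA (.*?) may match nothing, which is what
# lets "IP = ," parse instead of failing the whole document.
GROK = ("Group = %{DATA:cisco_vpn.group}, Username = %{DATA:user.name}, "
        "IP = %{DATA:source.ip}, %{GREEDYDATA:cisco_vpn.status}")

# Python translation of GROK so the same extraction can be exercised offline.
LOCAL_RE = re.compile(r"^Group = (?P<group>.*?), Username = (?P<user>.*?), "
                      r"IP = (?P<ip>.*?), (?P<status>.*)$")

PIPELINE = {
    "description": "Split Cisco ASA VPN 'Group/Username/IP' messages into fields",
    "processors": [
        {
            "grok": {
                # Only touch cisco-module events of this shape, so the final
                # pipeline is a no-op for every other document in filebeat-*.
                "if": ("ctx.event?.module == 'cisco' && ctx.message != null "
                       "&& ctx.message.startsWith('Group = ')"),
                "field": "message",
                "patterns": [GROK],
                # A parse mismatch should not reject the log line outright.
                "ignore_failure": True,
            }
        },
        {
            # "IP = ," yields an empty string. In a field mapped as type ip an
            # empty string is rejected at index time, so drop it instead.
            "remove": {
                "field": "source.ip",
                "if": "ctx.source?.ip != null && ctx.source.ip.isEmpty()",
                "ignore_missing": True,
            }
        },
    ],
}

TEMPLATE = {
    # Higher order than Filebeat's own template so this setting wins on merge.
    "index_patterns": ["filebeat-*"],
    "order": 100,
    "settings": {"index.final_pipeline": PIPELINE_NAME},
}


def extract_vpn_fields(message):
    """Offline equivalent of the grok + remove steps.
    Returns the fields the pipeline would add, or {} when the message does not match."""
    m = LOCAL_RE.match(message)
    if not m:
        return {}
    fields = {
        "cisco_vpn.group": m.group("group"),
        "user.name": m.group("user"),
        "source.ip": m.group("ip"),
        "cisco_vpn.status": m.group("status"),
    }
    if fields["source.ip"] == "":
        del fields["source.ip"]   # mirrors the remove processor
    return fields


def install(es_url):
    """PUT the pipeline and the template into a cluster (optional, needs network)."""
    for path, body in ((f"/_ingest/pipeline/{PIPELINE_NAME}", PIPELINE),
                       (f"/_template/{TEMPLATE_NAME}", TEMPLATE)):
        req = urllib.request.Request(
            es_url.rstrip("/") + path, data=json.dumps(body).encode(),
            method="PUT", headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            print(path, resp.status)


if __name__ == "__main__":
    # Constructed sample messages in the shape quoted in the thread.
    for msg in ("Group = RA-VPN, Username = user-1, IP = , PHASE 1 COMPLETED",
                "Group = RA-VPN, Username = user-2, IP = 203.0.113.5, PHASE 1 COMPLETED"):
        print(extract_vpn_fields(msg))
    print(json.dumps(PIPELINE, indent=2))
    if os.environ.get("ES_URL"):          # e.g. http://localhost:9200
        install(os.environ["ES_URL"])
```

Run it without `ES_URL` to see the parsed fields and the pipeline body you would paste into Dev Tools; set `ES_URL` to have it create both objects. The condition on `event.module` is the "conditional logic" the answer mentions; without it the final pipeline would run its grok against every document written to `filebeat-*`.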
