Extract message to additional fields

Sivakumar_K · June 8, 2020, 3:20pm

Hi All,

I am looking for some help, I have configured filebeat to collect the CISCO syslogs and push to elasticsearch, it's working fine.

I am looking for extracting the data from log.original and messages to addition fields (Username, IP, Group)

log.original : %ASA-5-713119: Group = RA-VPN, Username = user-1, IP = , PHASE 1 COMPLETED

message: Group = RA-VPN, Username = user-1, IP = , PHASE 1 COMPLETED

Can someone help understand how this can achieve this?

Do I have to do some changes in Filebeat level? Elastic search query itself

shaunak · June 8, 2020, 6:35pm

What version of Elasticsearch are you running?

Starting version 7.5.0, Elasticsearch has a index-level setting called index.final_pipeline. You could create a higher-order index template for filebeat-* that defines this setting to a custom ingest node pipeline you create.

This pipeline could make the additional modifications you are looking to make to your data, before it get's indexed into Elasticsearch. Note that this pipeline would operate on any documents being indexed into filebeat-*, so you'll want to make sure to add conditional logic to process only documents for data being indexed by the cisco module.

system · July 6, 2020, 8:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[UNSUPPORTED] Extract fields from syslog messages Beats filebeat	5	896	December 8, 2016
Create new Fields to Filter by Beats filebeat	3	376	September 10, 2019
How to extract string from the log and create a new field and send to elastic search index Beats filebeat	3	621	July 23, 2023
Cannot Query event.original Elasticsearch beats-module	1	700	January 16, 2020
Add new additional field from IIS log Beats filebeat	3	339	June 1, 2020

Extract message to additional fields

Related topics