I am using Filebeat 7.4 with the decode_cef processor.
I am getting the error "malformed value for eventAnnotationAuditTrail at pos 2165".
After checking the raw source, position 2165 is the "\n":
eventAnnotationModificationTime=1570414373145 eventAnnotationAuditTrail=1,1565146359654,root,Queued,,,,\n eventAnnotationVersion=1
Here is my filebeat.yml configuration:

filebeat.inputs:
- type: tcp
  line_delimiter: "\r\n"
  host: "0.0.0.0:9001"

processors:
- rename:
    fields:
    - {from: "message", to: "event.original"}
- decode_cef:
    field: event.original
    ecs: false

output.logstash:
  hosts: ["localhost:5155"]
  loadbalance: false
  index: filebeat

Any idea how to fix this?
Thank you.