Filebeat 7.4, decode_cef getting error malformed value

cling1988 · October 7, 2019, 3:11am

I using Filebeat 7.4 and using the decode_cef processors.
And I getting error "malformed value for eventAnnotationAuditTrail at pos 2165"
After checking the raw source, the position 2165 is the "\n"

eventAnnotationModificationTime=1570414373145 eventAnnotationAuditTrail=1,1565146359654,root,Queued,,,,\n eventAnnotationVersion=1

Here is my filebeat.yml configuration

filebeat.inputs:
- type: tcp
  line_delimiter: "\r\n"
  host: "0.0.0.0:9001"

processors:
- rename:
    fields:
      - {from: "message", to: "event.original"}
- decode_cef:
    field: event.original
    ecs: false

output.logstash:
  hosts: ["localhost:5155"]
  loadbalance: false
  index: filebeat

Any idea to fix this?

Thank you.

system · November 4, 2019, 3:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat Beats filebeat	2	363	November 12, 2020
Filebeat decode_json_fields Can not index event Beats filebeat	3	2475	May 30, 2017
Filebeat CEF Checkpoint errors Beats beats-module , filebeat	6	1009	August 5, 2021
Filebeat module cef syslog parse errors Beats beats-module , filebeat	13	2058	April 15, 2020
Unable to parse Timestamp on CEF LOGS Beats filebeat	2	756	December 7, 2021

Filebeat 7.4, decode_cef getting error malformed value

Related topics