Hello,
I am fairly new to elastic stack. I have the stack up and running, and the syslogs from my host server show up in Kibana. I've configured the syslogs from my Aerohive wireless access points to point to filebeat as well. The syslog entries get to the server, however filebeat isn't recognizing them as being properly formatted:
ug 19 15:57:12 ubuntu-test filebeat[30072]: 2019-08-19T15:57:12.659Z#011ERROR#011[syslog]#011syslog/input.go:132#011can't parse event as syslog rfc3164#011{"message": "<180>mDNSResponder: application: MDNS(!) RawSocket(17): recvmsg err, cann't get vlan_tci.\n"}
Since the messages aren't processed, they're not showing up in Kibana. Any thoughts on how to resolve this?
The problem is that the logs are formatted according to RFC 5424 (a newer standard) rather than RFC 3164 (which the input expects). Unfortunately filebeat doesn't yet support RFC 5424, although you're welcome to chime in on the feature request which will help increase its priority. As a workaround in the meantime, if you can configure the syslog entries to use RFC 3164 instead that will let the rest of the stack understand them.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.