Filebeat Cannot Parse Syslog File from Aerohive

jmorris · August 19, 2019, 3:59pm

Hello,
I am fairly new to elastic stack. I have the stack up and running, and the syslogs from my host server show up in Kibana. I've configured the syslogs from my Aerohive wireless access points to point to filebeat as well. The syslog entries get to the server, however filebeat isn't recognizing them as being properly formatted:

ug 19 15:57:12 ubuntu-test filebeat[30072]: 2019-08-19T15:57:12.659Z#011ERROR#011[syslog]#011syslog/input.go:132#011can't parse event as syslog rfc3164#011{"message": "<180>mDNSResponder: application: MDNS(!) RawSocket(17): recvmsg err, cann't get vlan_tci.\n"}

Since the messages aren't processed, they're not showing up in Kibana. Any thoughts on how to resolve this?

faec · August 20, 2019, 8:06pm

The problem is that the logs are formatted according to RFC 5424 (a newer standard) rather than RFC 3164 (which the input expects). Unfortunately filebeat doesn't yet support RFC 5424, although you're welcome to chime in on the feature request which will help increase its priority. As a workaround in the meantime, if you can configure the syslog entries to use RFC 3164 instead that will let the rest of the stack understand them.

jmorris · August 21, 2019, 11:30am

Thank you very much for your reply. I will see what I can do to
dumb down my syslogs!

Topic		Replies	Views
Filebeat CEF module can't parse event as syslog rfc3164 Beats filebeat	3	1789	April 30, 2020
Can't parse event as syslog rfc3164 Beats filebeat	2	4452	January 31, 2020
Can't parse event as syslog rfc3164 Beats filebeat	5	669	March 4, 2024
Filebeat syslog parse error Beats filebeat	10	6135	August 28, 2019
Filebeat Fortinet module - can't parse event as syslog rfc3164 Beats filebeat	2	771	April 12, 2022

Filebeat Cannot Parse Syslog File from Aerohive

Related topics