Hi all,
I just started logging the syslog data sent by my Cisco IOS switches into Elastic (with Filebeat 7.17.0 and Elasticsearch 7.17.0).
I set up Filebeat with the "usual config", like:
ios:
  enabled: true
  var.syslog_host: xx.xx.xx.xx
  var.syslog_port: 9002
and ... I was surprised that no rsa.* fields were created by Filebeat from the logs sent.
In fact, I have "basic" fields, but no rsa.* at all. The only field in which I get the device IP is "log.source.address", but it contains the IP with the source port ... (xx.xx.xx.xx:yyyyy), which is ... not really convenient ...
I tried to add "vars.keep_raw_fields: true" inside the ios section ... but it didn't change the output ...
If someone has an idea why the documented rsa.* fields do not appear, it would help me a lot ^^'
Thanks all,
Cheers,