Filebeat Cisco Module and IOS fields not showing up as documented

Hi all,

I just started the logging of the syslog data sent by my cisco IOS switches into elastic (with filebeat 7.17.0 and Elasticsearch 7.17.0).
I setup a filebeat with "usual config" like:

    enabled: true
    var.syslog_host: xx.xx.xx.xx
    var.syslog_port:  9002

and ... I was surprised that no rsa.* fields were created by filebeat from the logs sent.
In Fact, I have "basic" fields, but no rsa.* at all, the only field in which I get the device ip is "log.source.address", but it contains the ip with the source port ... (xx.xx.xx.xx:yyyyy) which is ... not really convinient ...
I tried to add "vars.keep_raw_fields: true" inside the ios section ... but it didn't change the output ...

If someone as an idea on why the documented rsa.* field do not appear, it would help me a lot ^^'

Thanks all,


Hi all,

No one that has experienced filebeat cisco module ? ^^"
Thanks a lot,

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.