Filebeat Cisco module Nexus fileset dissect_parsing_error flag

obol89 · August 10, 2023, 10:27am

I'm trying to use Filebeat with Cisco module and Nexus fileset, but it seems like these logs aren't parsed properly.
In every document I see - dissect_parsing_error in log.flags.
It looks like that:

filebeat version

filebeat version 8.4.3 (amd64), libbeat 8.4.3 [c2f2aba479653563dbaabefe0f86f5579708ec94 built 2022-09-27 15:24:56 +0000 UTC]

cisco.yml module config:

nexus:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    var.input: udp
    var.syslog_host: 0.0.0.0
    var.syslog_port: 514

Cisco Nexus config:

I would say, it is very similar or the same issue as on closed topic here - Filebeat Cisco Module Nexus dissect_parsing_error

jamie.hynds · August 15, 2023, 10:01am

Hi @obol89 - we recently released an updated integration for Nexus events via Elastic Agent, which will likely resolve the parsing errors you're running into. It also includes improved ECS mappings and several dashboards. Are you in a position to use the Elastic Agent integration rather than the Filebeat module?

obol89 · August 15, 2023, 1:45pm

Hi @jamie.hynds,

Thank you for your reply.

Is there any chance these changes will be included in Filebeat Cisco module?

I prefer to use Filebeat, rather than Elastic Agent. We were doing tests with Elastic Agent, and it takes much more resources than Filebeat.

system · September 12, 2023, 3:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.