Hey guys, my journalctl keeps getting filled with errors: Filebeat Fortinet module - can't parse event as syslog rfc3164. What can I do to fix it?
I'm using Ubuntu 20.04.
Filebeat version: filebeat:amd64/stable 7.16.1 (upgradeable to 7.16.3)
Sample error log:
Feb 01 08:59:42 elk-ls01.xx.xx.xx filebeat[946]: 2022-02-01T08:59:42.559+0200 ERROR [syslog] syslog/input.go:285 can't parse event as syslog rfc3164 {"message": "<14>1 2022-02-01T08:59:42-00:00 firewall dns name- - - - 1,2022/02/01 08:59:41,012001031976,TRAFFIC,end,2049,2022/02/01 08:59:41,91.220.59.66,13.107.160.201,0.0.0.0,0.0.0.0,DMZ DNS servers to External DNS queries,,,dns,vsys1,DMZ,External,ae1.91,ae1.90,ELK_forwarding,2022/02/01 08:59:41,123428,1,55388,53,0,0,0x19,udp,allow,220,102,118,2,2022/02/01 08:59:11,1,any,0,712654729,0x0,Poland,United States,0,1,1,aged-out,0,0,0,0,,firewallhostname,from-policy,,,0,,0,,N/A,0,0,0,0\n"}
I just use filebeat to get logs from fortigate firewalls and transport those logs into logstash. The default configuration is the bare minimum, just enough to send logs into logstash.
Let me know if any further information would be needed.
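The message quoted in the error begins with `<14>1 ...`, i.e. an RFC 5424 header (priority followed by a version digit), which is the shape an RFC 3164 parser rejects. The following is an added example, not code from the original post or from Filebeat, that classifies a syslog line by header format and parses its header fields; both sample lines are constructed, the first from the prefix of the quoted message.

```python
import re
from typing import Optional

# Constructed sample: the start of the "message" field from the filebeat error above.
SAMPLE_5424 = ("<14>1 2022-02-01T08:59:42-00:00 firewall dns name- - - - "
               "1,2022/02/01 08:59:41,012001031976,TRAFFIC,end,2049")
# Constructed sample of the header shape an rfc3164 parser expects instead.
SAMPLE_3164 = "<14>Feb  1 08:59:42 firewall dns: 1,2022/02/01 08:59:41,TRAFFIC,end"

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT (no version digit after PRI)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$", re.S)


def classify(line: str) -> str:
    """Return which syslog header format a line carries, or 'unknown'."""
    if RFC5424_RE.match(line):
        return "rfc5424"
    if RFC3164_RE.match(line):
        return "rfc3164"
    return "unknown"


def parse(line: str) -> Optional[dict]:
    """Parse the header into a dict; facility and severity are derived from PRI."""
    m = RFC5424_RE.match(line) or RFC3164_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # PRI = facility * 8 + severity in both RFCs; <14> is facility 1, severity 6.
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    fields["format"] = "rfc5424" if "ver" in fields else "rfc3164"
    return fields


if __name__ == "__main__":
    for sample in (SAMPLE_5424, SAMPLE_3164):
        header = parse(sample)
        print(classify(sample), header["host"], header["msg"][:30])
```

Running it shows the firewall message is recognised only by the RFC 5424 pattern, so an input configured for RFC 3164 has nothing to match against its header.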