FILEBEAT: hostname inside message not parsed

Sederfo · November 10, 2021, 7:44am

We are using Filebeat for processing Syslog messages sent from switches. We know that the raw Syslog messages contain the hostname of the device (we tested it with RSyslog).

The problem is that Filebeat does not read the hostname field, only the IP Address. We are using the Cisco IOS module in Filebeat. Is it possible to add/enable this missing field? And why is Filebeat not parsing this field?

Could we maybe use another module that actually parses the hostname inside the messages? Or is this possible in Cisco IOS module?

mtojek · November 10, 2021, 1:38pm

Would you mind sharing some raw data so we can take a look?

All supported fields have described here: Cisco module | Filebeat Reference [7.15] | Elastic

It might be the case for an improvement request.

Sederfo · November 17, 2021, 3:50pm

Hi, sorry for responding late, I was on PTO.

This is a raw message.

Nov 17 15:32:00 forwarder.com filebeat[3735106]: 2021-11-17T15:32:00.622Z ERROR [syslog] syslog/input.go:285 can't parse event as syslog rfc3164 {"message": "<189>481229: switch-1: Nov 17 17:31:58: %ILPOWER-5-POWER_GRANTED: Interface Gi4/0/5: Power granted (switch-1)"}

Hostname is switch-1

system · December 15, 2021, 5:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat Cisco AMP Module and host.name Error Beats filebeat	22	970	April 27, 2021
Issues with Filebeat and Cisco ASA Parsing Beats filebeat	1	332	October 31, 2019
Filebeat syslog parse error Beats filebeat	10	5904	August 28, 2019
Wrong filebeat hostname in logs Beats filebeat	5	4152	September 26, 2019
Sending syslog to FileBeat from Cisco Asa Beats filebeat	4	2920	July 17, 2019

FILEBEAT: hostname inside message not parsed

Related topics