FILEBEAT: hostname inside message not parsed

Sederfo · November 10, 2021, 7:44am

We are using Filebeat for processing Syslog messages sent from switches. We know that the raw Syslog messages contain the hostname of the device (we tested it with RSyslog).

The problem is that Filebeat does not read the hostname field, only the IP Address. We are using the Cisco IOS module in Filebeat. Is it possible to add/enable this missing field? And why is Filebeat not parsing this field?

Could we maybe use another module that actually parses the hostname inside the messages? Or is this possible in Cisco IOS module?

mtojek · November 10, 2021, 1:38pm

Would you mind sharing some raw data so we can take a look?

All supported fields have described here: Cisco module | Filebeat Reference [7.15] | Elastic

It might be the case for an improvement request.

Sederfo · November 17, 2021, 3:50pm

Hi, sorry for responding late, I was on PTO.

This is a raw message.

Nov 17 15:32:00 forwarder.com filebeat[3735106]: 2021-11-17T15:32:00.622Z ERROR [syslog] syslog/input.go:285 can't parse event as syslog rfc3164 {"message": "<189>481229: switch-1: Nov 17 17:31:58: %ILPOWER-5-POWER_GRANTED: Interface Gi4/0/5: Power granted (switch-1)"}

Hostname is switch-1

system · December 15, 2021, 5:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.