FILEBEAT: hostname inside message not parsed

We are using Filebeat for processing Syslog messages sent from switches. We know that the raw Syslog messages contain the hostname of the device (we tested it with RSyslog).

The problem is that Filebeat does not read the hostname field, only the IP Address. We are using the Cisco IOS module in Filebeat. Is it possible to add/enable this missing field? And why is Filebeat not parsing this field?

Could we maybe use another module that actually parses the hostname inside the messages? Or is this possible in the Cisco IOS module?

Would you mind sharing some raw data so we can take a look?

All supported fields are described here: Cisco module | Filebeat Reference [7.15] | Elastic

It might be a case for an improvement request.


Hi, sorry for responding late, I was on PTO.

This is a raw message.

Nov 17 15:32:00 forwarder.com filebeat[3735106]: 2021-11-17T15:32:00.622Z ERROR [syslog] syslog/input.go:285 can't parse event as syslog rfc3164 {"message": "<189>481229: switch-1: Nov 17 17:31:58: %ILPOWER-5-POWER_GRANTED: Interface Gi4/0/5: Power granted (switch-1)"}

Hostname is switch-1
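Added example, not part of the original thread and not Filebeat's own code: the rejected payload puts a sequence number and the hostname before the timestamp, whereas an RFC 3164 header expects `<PRI>` followed directly by the timestamp and then the hostname, which is why the parser gives up before it reaches `switch-1`. The Python sketch below pulls the payload out of the Filebeat error line quoted above and parses that Cisco layout. The function names and output keys are hypothetical, and the regex assumes the field order seen in this one message.

```python
import json
import re

# Error line from the thread: Filebeat wraps the rejected payload in JSON.
FILEBEAT_ERROR = (
    'Nov 17 15:32:00 forwarder.com filebeat[3735106]: 2021-11-17T15:32:00.622Z '
    "ERROR [syslog] syslog/input.go:285 can't parse event as syslog rfc3164 "
    '{"message": "<189>481229: switch-1: Nov 17 17:31:58: '
    '%ILPOWER-5-POWER_GRANTED: Interface Gi4/0/5: Power granted (switch-1)"}'
)

# RFC 3164 header order: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164_HEADER = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ ")

# Order in the thread's message: <PRI>SEQ: HOSTNAME: TIMESTAMP: %FAC-SEV-MNEMONIC: text
# Assumption: the hostname field is optional, so it is matched only when present.
CISCO_IOS = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+): "
    r"(?:(?P<hostname>[^\s:]+): )?"
    r"(?P<timestamp>[*.]?[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}(?:\.\d+)?(?: [A-Z]{2,5})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

def rejected_payload(error_line):
    """Return the raw syslog payload embedded in a Filebeat parse-error line."""
    start = error_line.find('{"message"')
    if start < 0:
        return None
    try:
        return json.loads(error_line[start:]).get("message")
    except json.JSONDecodeError:
        return None

def is_rfc3164(payload):
    """True only if the header follows the RFC 3164 field order."""
    return RFC3164_HEADER.match(payload) is not None

def parse_cisco_ios(payload):
    """Parse the Cisco IOS layout; returns a dict, or None if it does not match."""
    m = CISCO_IOS.match(payload)
    if m is None:
        return None
    event = m.groupdict()
    pri = int(event.pop("pri"))
    # PRI encodes facility * 8 + severity.
    event.update(syslog_facility=pri >> 3, syslog_severity=pri & 7, seq=int(event["seq"]))
    return event

if __name__ == "__main__":
    print(parse_cisco_ios(rejected_payload(FILEBEAT_ERROR)))
```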
