Filebeat+logstash syslog fields


New here and new to ELK. We have a 7.4.2 setup in DEV/UAT to evaluate ELK with beats. We are using Logstash to accept all beats traffic and put Nginx in front of Kibana.

For Filebeat, we get "No result found" for sudo and ssh. We do get logs in the "Syslog logs [Filebeat System] ECS" section, but there's no data in the columns. We get the full message in the message column, such as below, but obviously the fields are not processed/filtered.

Any suggestions on what we should test/change?

2019-12-01T12:57:01.490432-05:00 dev02 cron[26807]: pam_unix(crond:session): session opened for user john by (uid=0)
2019-12-01T12:57:01.493409-05:00 sdev02 systemd[1]: Created slice User Slice of john.
2019-12-01T12:57:01.495883-05:00 dev02 systemd[1]: Started Session 2729 of user john.

For logstash, we are using example config from the doc.
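As an added illustration (not the poster's configuration and not taken from their setup), this is a Logstash pipeline that hands Filebeat module events to the module's Elasticsearch ingest pipeline, which is what actually parses the raw syslog message into the system/sudo/ssh fields. It assumes the basic beats-to-Elasticsearch example was used, that Elasticsearch listens on localhost:9200, and that the module pipelines have already been loaded with `filebeat setup --pipelines --modules system`.

```conf
# Logstash pipeline: Filebeat modules -> Elasticsearch ingest pipelines.
# Filebeat tags every module event with [@metadata][pipeline]; if the
# elasticsearch output does not forward that name, the event is indexed
# as-is and only the raw "message" field is populated.
input {
  beats {
    port => 5044        # assumed listener port for all Beats traffic
  }
}

output {
  if [@metadata][pipeline] {
    # Module event: run the ingest pipeline that parses sudo/ssh/cron lines.
    elasticsearch {
      hosts => ["localhost:9200"]   # assumed Elasticsearch address
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
    # Plain log input with no module: index without an ingest pipeline.
    elasticsearch {
      hosts => ["localhost:9200"]   # assumed Elasticsearch address
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}
```

A quick check after changing the output is to look at one document for the system module in Kibana Discover: once the ingest pipeline runs, fields such as host.hostname, process.name and process.pid appear alongside message instead of message alone.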
