Hi,
Many of the Filebeat modules have a hint that they were converted from RSA NetWitness log parser XML. After some searching and trying to understand how to get to the log format required by the module, I must say that it all seems a bit like marketing fuzz. Let me explain with the example of f5 bigipapm.
The documentation states nothing about the actually required log format nor about the supported releases from F5. Trying to find the magic behind "This was converted from RSA NetWitness log parser XML "bigipapm" device revision 113." and looking at ./x-pack/filebeat/module/f5/bigipapm/test/generated.log, it is very unclear how to set up the F5, e.g. with release 15.1, to actually meet the demand of the module.
All in all, this is not a good user experience from what is surely intended by Elastic.
How about adding the minimum needed sane information like:
supported releases: e.g. 13.3-15.1
log format: exact format or at least a link where to find what to configure
I think the way this is implemented does not meet the original ease-of-use intention, or maybe I'm missing something drastically? What's your experience?
Cheers,
Mischa