OK, now we are getting there...
So no... because we just used the common filestream, it does not know it is syslog etc., so it does not know how to parse......
We did this to minimize variables because of the issues...
Now we will use the system module to properly parse...
So now we will fix that...
- Disable the filestream in filebeat.yml

  - type: filestream
    # Unique ID among all inputs, an ID is required.
    id: my-filestream-id
    # Change to true to enable this input configuration.
    enabled: false <<<< HERE
Then let's clean up...
- In Kibana Stack Management -> Data Streams, delete the filebeat-8.15.1 data stream
- Clean up the Filebeat registry so it will re-read the files; to do this, delete the contents of the data directory where you installed Filebeat
- Enable the system module
  PS > .\filebeat.exe modules enable system
- Edit modules.d/system.yml. Not sure if those are system or audit logs... edit the correct one, I assume you know which they are. Put in the single quotes

  - module: system
    # Syslog
    syslog:
      enabled: true <<< HERE
      # Set custom paths for the log files. If left empty,
      # Filebeat will choose the paths depending on your OS.
      var.paths: ['D:\01-evidence\ABZ3542\logs\*']
- Run setup
  PS > .\filebeat.exe setup -e
- Run filebeat
  PS > .\filebeat.exe -e
In the end... this is basically the quickstart...
Go look at your data
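The steps above strung together as one PowerShell script, added here as an example rather than taken from the post or from Elastic's own tooling. It assumes Filebeat 8.x is unpacked in `$FilebeatHome`, that the Elasticsearch URL is a placeholder you replace, that the user you are prompted for may delete data streams, and that the data stream name and evidence directory are the ones quoted in the post. It deletes the data stream through the Elasticsearch `_data_stream` API instead of the Kibana UI, and overwrites `modules.d\system.yml` rather than editing it by hand.

```powershell
# Added example, not from the original post. Re-runs the post's reconfiguration
# in order: disable filestream, drop the old data stream, clear the registry,
# enable the system module, point its syslog fileset at the evidence folder,
# validate, run setup, run Filebeat.
$FilebeatHome = 'C:\Program Files\Filebeat'         # assumption: where filebeat.exe lives
$EsUrl        = 'https://ES_HOST_PLACEHOLDER:9200'  # placeholder: your Elasticsearch URL
$DataStream   = 'filebeat-8.15.1'                   # from the post
$LogDir       = 'D:\01-evidence\ABZ3542\logs'       # from the post
# Credentials are prompted for, never hard-coded into the script.
$Cred = Get-Credential -Message 'Elasticsearch user allowed to delete data streams'

Set-Location -LiteralPath $FilebeatHome

# 1. Disable the generic filestream input. Only the first "enabled:" after the
#    "- type: filestream" line is flipped; everything else in filebeat.yml is kept.
$cfg = Get-Content -LiteralPath .\filebeat.yml -Raw
$cfg = [regex]::Replace($cfg, '(?s)(- type: filestream.*?\benabled:\s*)true', '${1}false')
Set-Content -LiteralPath .\filebeat.yml -Value $cfg -NoNewline

# 2. Delete the old data stream (same effect as Stack Management -> Data Streams).
try {
    Invoke-RestMethod -Method Delete -Uri "$EsUrl/_data_stream/$DataStream" -Credential $Cred | Out-Null
} catch {
    # 404 just means it is already gone; any other failure stops the run.
    if ($_.Exception.Response.StatusCode.value__ -ne 404) { throw }
}

# 3. Clear the registry under .\data so every file is read again from offset 0.
Remove-Item -Path .\data\* -Recurse -Force -ErrorAction SilentlyContinue

# 4. Enable the system module (creates modules.d\system.yml from the template).
.\filebeat.exe modules enable system

# 5. Point the syslog fileset at the evidence directory. The path stays in YAML
#    single quotes so the backslashes are literal; double quotes would treat
#    "\0" as an escape sequence. The auth fileset is left off.
@"
- module: system
  syslog:
    enabled: true
    var.paths: ['$LogDir\*']
  auth:
    enabled: false
"@ | Set-Content -LiteralPath .\modules.d\system.yml -Encoding ascii

# 6. Validate before touching the cluster: config syntax, then output connectivity.
.\filebeat.exe test config -e
if ($LASTEXITCODE -ne 0) { throw 'filebeat.yml failed validation' }
.\filebeat.exe test output -e
if ($LASTEXITCODE -ne 0) { throw 'cannot reach the configured Elasticsearch output' }

# 7. Load ingest pipelines, index templates and dashboards, then run in the foreground.
.\filebeat.exe setup -e
if ($LASTEXITCODE -ne 0) { throw 'filebeat setup failed' }
.\filebeat.exe -e
```

Running `test config` and `test output` before `setup` is the cheap check that catches a mis-quoted path or a wrong endpoint before Filebeat starts writing events; if step 6 fails, nothing has been sent to the cluster yet and the script stops there.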