Filebeat syslog input to filebeat system


I have some servers running filebeat and I really like the system module, especially the ssh/auth parts of it.

if I have a filebeat syslog UDP reciever running and send syslog event's to it, I would like them to be parsed in the same manner. I tried sending the filebeat udp syslogs into the 'filebeat-7.4.0-system-auth-pipeline' but the structure of the data isn't the same

Does anyone have a good method of using the UDP syslog input and the system module parsing ?

Welcome! Can you give an example of the different structures you're seeing (and maybe the beat configuration that generated them)? I would expect tcp and udb to give similar results as long as they're both using the same syslog version (the syslog input supports rfc3164 but not yet rfc5424).

Hello, it is not that the syslog messages themselves look different it's just that the udp syslog messages don't get processed with the "system" pipeline like the local ones

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.