Hello,
I am receiving the following error when ingesting syslog messages with Filebeat (7.9.3):
"error": {
"message": "GoError: could not find delimiter: `` in remaining: `<160>Aug 20 16:48:25 10.244.127.139 02798 chassis: AM1: Internal power supply 4 main PoE power OK. Total fault count: 243592`, (offset: 0)"
},
"message": "<160>Aug 20 16:48:25 10.244.127.139 02798 chassis: AM1: Internal power supply 4 main PoE power OK. Total fault count: 243592",
"fileset": {
"name": "ios"
},
"tags": [
"cisco-ios",
"forwarded",
"_js_exception"
],
"input": {
"type": "log"
},
"@timestamp": "2021-08-20T21:48:21.027Z",
"ecs": {
"version": "1.5.0"
},
"service": {
"type": "cisco"
},
"event": {
"timezone": "-05:00",
"module": "cisco",
"dataset": "cisco.ios"
}
}
I am sure the problem is something with the tokenizer trying to deal with the original message which is this message:
"log": {
"file": {
"path": "/var/log/network/cisco-ios"
},
"original": "Aug 20 16:48:20 10.10.10.10 <160>Aug 20 16:48:25 10.10.10.11 02798 chassis: AM1: Internal power supply 4 main PoE power OK. Total fault count: 243592",
"offset": 2526477184,
"flags": [
"dissect_parsing_error"
],
"source": {
"address": "10.10.10.10"
}
}
My thought is something with the additional ':'s in the message, but I would think the %{_message} would be a catchall for the remainder of the message.
As of right now, the Cisco IOS pipeline.js has not been modified. The tokenizer is the default "tokenizer": "%{}%%{cisco.ios.facility}-%{_event_severity}-%{event.code}: %{_message}"
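An added example, not part of the original post and not Filebeat's own code: a minimal dissect-style tokenizer in JavaScript, run against the tokenizer string quoted above. It shows which literal delimiters that pattern requires and where matching stops for the message in the error. The `compile` and `dissect` helpers and the two IOS-style sample lines are constructed for illustration; the sketch assumes a non-empty literal between consecutive fields.

```javascript
// Illustrative dissect-style matcher (assumption: simplified, not the Beats implementation).
const TOKENIZER = "%{}%%{cisco.ios.facility}-%{_event_severity}-%{event.code}: %{_message}";

// Split the pattern into fields, each with the literal text that precedes it.
function compile(pattern) {
  const parts = [];
  const re = /%\{([^}]*)\}/g;
  let last = 0, m;
  while ((m = re.exec(pattern)) !== null) {
    parts.push({ delim: pattern.slice(last, m.index), key: m[1] });
    last = re.lastIndex;
  }
  return { parts, tail: pattern.slice(last) };
}

// Each field runs up to the next literal delimiter; the last field takes the rest.
function dissect(pattern, input) {
  const { parts, tail } = compile(pattern);
  const fields = {};
  let pos = parts[0].delim.length;
  for (let i = 0; i < parts.length; i++) {
    const next = i === parts.length - 1 ? tail : parts[i + 1].delim;
    const end = next === "" ? input.length : input.indexOf(next, pos);
    if (end === -1) {
      return { ok: false, error: `could not find delimiter: "${next}" (offset: ${pos})` };
    }
    if (parts[i].key !== "") fields[parts[i].key] = input.slice(pos, end); // %{} is a skip field
    pos = end + next.length;
  }
  return { ok: true, fields };
}

// Message from the post: it contains no literal "%", the first delimiter the pattern needs.
const PAGE_MSG = "<160>Aug 20 16:48:25 10.244.127.139 02798 chassis: AM1: Internal power supply 4 main PoE power OK. Total fault count: 243592";
// Constructed samples carrying a %FACILITY-SEVERITY-MNEMONIC: header.
const IOS_MSG = "<189>Aug 20 16:48:25 10.10.10.11 000123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up";
const IOS_COLONS = "<189>Aug 20 16:48:25 10.10.10.11 000124: %SYS-5-CONFIG_I: Configured from console by admin: vty0";

console.log(dissect(TOKENIZER, PAGE_MSG));
console.log(dissect(TOKENIZER, IOS_MSG));
console.log(dissect(TOKENIZER, IOS_COLONS));
```

The first call stops at offset 0 looking for `%`, the same offset the Filebeat error reports; the other two parse, and the extra colons land in `_message`.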