Dovan
July 28, 2021, 2:47pm
1
hello, I'm new to ELK and I'm trying to use logstash to consume logs from a syslog server I have, how do I extract the messages that arrive inside the message field?
"<133>Jul 28 09:59:11 10.128.xx.xxx CEF:0|Trend Micro|Apex Central|2019|8001xx|Pattern Update Status|3|rt=Jul 28 2021 12:57:52 GMT+00:00|shost=NREXXXXXXXX|cs1Label=Operating_System|cs1=Windows 10 |cs2Label=Product/Endpoint_IP|cs2=xxx.11.0.xx|cs3Label=Update_Agent|cs3=0|cs4Label=Domain|cs4=Agentes desatualizados|cn1Label=Connection_Status|cn1=100|cn2Label=Pattern/Rule|cn2=12xxxxxxx|cs5LabelPattern/Rule_Version|cs516.xxx.xx|cn3Label=Pattern/Rule_Status|cn3=1|cs6LabelAUComponent_Type|cs62|deviceFacility=Apex One msg=Smart Scan Agent Pattern deviceNtDomain=REDExxxx dntdom=Agentes desatualizados\\\\ "
Any help will be welcome!
leandrojmp
July 28, 2021, 3:24pm
2
You mean parse the message and create fields?
What is your input? Your message is in the CEF format, you could use the cef codec to parse it.
For example, if your input is udp you would have something like this:
input {
udp {
port => port-number
codec => cef
}
}
Dovan
July 28, 2021, 5:46pm
3
hi @leandrojmp ! thanks for the help, and yes, i mean parse the message and create fields.
input {
tcp {
port => 6803
type => syslog
}
}
leandrojmp
July 28, 2021, 8:15pm
4
Just try to use the cef codec as the example.
input {
tcp {
port => 6803
codec => cef
type => syslog
}
}
1 Like
Dovan
July 28, 2021, 8:18pm
5
Valeu @leandrojmp ! funcionou, obrigado pela ajuda
system
August 25, 2021, 8:19pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.