I've just gotten my first Filebeats agent running and sending data into Elasticsearch, though I'm not sure why the messages are so long. I'm guessing everything after this @timestamp field is something from Beats or Elasticsearch? Not sure how to prune that out of the messages when viewing them or if I need to prune something from the Filebeats configuration.
Log message looks like so:
Apr 17 16:28:17 sfos-xg.ducknet.org device="SFW" date=2021-04-17 time=16:28:17 timezone="EDT" device_name="SFVH" device_id=C01001DJD7TDY26 log_id=063711517815 log_type="Event" log_component="DDNS" log_subtype="System" status="Success" priority=Notice host=xyz.ducknet.org updatedip=my_ip_address reason="N/A" message="DDNS update for host xyz.ducknet.org was Successful. Updated with IP my_ip_address."
When I see the message in Kibana it looks like:
Beats is configured as such:
/etc/filebeat/filebeat.yml
```yaml
setup.kibana:
  # Kibana Host
  host: "kibana.ducknet.org:5601"

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["kibana.ducknet.org:9200"]
```
/etc/filebeat/modules.d/sophos.yml
```yaml
- module: sophos
  xg:
    enabled: true
    # known firewalls
    var.known_devices:
      - serial_number: "C01001DJD7TDY26"
        hostname: "sfos-xg.ducknet.org"
    # var.paths is a list of file globs, not a single string
    var.paths:
      - /var/log/sfos-xg.ducknet.org/forwarded-logs.log
```
Edit:
Looks like possibly what I want is just the contents of this message field.