Help for space separate message

Patricio_Campos · December 12, 2019, 2:53pm

Hello,
am new in Elastic, am working with SIEM module. I receive a log from Fortinet Firewall through a Rsyslog Linux and filebeat receive and send to Elasticsearcg, all importants field come in one large field named Message. I would like separate this information for example src_ip, src_port, etc etc

date=2019-12-12 time=11:31:33 devname="Fwr1-Kaufmann" devid="FGT6HD3916801908" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1576161093 srcip=10.1.1.9 srcport=54091 srcintf="LACP_Interna" srcintfrole="undefined" dstip=208.67.222.222 dstport=53 dstintf="port10" dstintfrole="undefined" poluuid="0f497e7c-5f9a-51e8-2401-1473957296a8" sessionid=796002608 proto=17 action="accept" policyid=402 policytype="policy" service="DNS" dstcountry="United States" srccountry="Reserved" trandisp="snat" transip=190.216.145.133 transport=54091 duration=60 sentbyte=72 rcvdbyte=88 sentpkt=1 rcvdpkt=1 appcat="unscanned"

ChrsMark · December 13, 2019, 10:01am

Hi!

For this you will need to add a Logstash pipeline to further analyse the messages, by defining your own grok patterns.

Filebeat can analyse messages from services that are supported by Filebeat's modules, but when you need something so custom the best way to go is to add a Logstash node and do the parsing there.

Regards.

system · January 10, 2020, 10:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to seperate message field filebeat Logstash	6	388	December 12, 2020
Filebeats to Elasticsearch Beats	1	225	August 22, 2019
Concatenate message header and content, parse message content Beats filebeat	0	108	May 23, 2024
Logstash/Grok help Logstash	5	429	May 31, 2017
Getting Data from Syslog into Elasticsearch/Kibana Beats filebeat	1	407	May 15, 2021

Help for space separate message

Related topics