How can I split up my message log lines in separate tabs/fields?

Hello All,

Yesterday, I set up ELK so I can send my routers syslogs to make it easier to view. I've completed this by installing a ubuntu server with rsyslogd, ELK and beats from a few online how to's. Next I sent the logs from my router to the syslog which sends them to the log tab of kibana UI.

When looking at the logs or I guess they call it a messages (note, very new to this) my logs display however, I would like to know how I can tab break them down so the message can have separate search tabs/fields.

How can I separate the message into various fields? Once that is done, how can I have those fields removed from the message so the message only shows the log?

image1864×852 183 KB

nano /etc/rsyslog.conf
    module(load="imudp")
    input(type="imudp" port="514")
    $template RemoteLogs,"/var/log/RemoteServerLogs/%HOSTNAME%/%PROGRAMNAME%.log"
    *.* ?RemoteLogs
    & ~

sudo nano /etc/filebeat/filebeat.yml
    - type: log
      enabled: true
    - /var/log/*.log
    - /var/log/RemoteServerLogs/unifi.localdomain/*.log
    - /var/log/RemoteServerLogs/basementap.localdomain/*.log
    - /var/log/RemoteServerLogs/mainfloorap.localdomain/*.log
    - /var/log/RemoteServerLogs/upstairsap.localdomain/*.log

Few logline examples

     Jun 17 16:45:53 unifi.localdomain Router,469e6128e8d2,udm-1.7.2.2620 dropbear[1721]: Child connection from 127.0.0.1:44996
    Jun 17 16:46:00 unifi.localdomain Router,469e6128e8d2,udm-1.7.2.2620 dropbear[1827]: Exit (root): Disconnect received
    Jun 17 16:46:00 unifi.localdomain Router,469e6128e8d2,udm-1.7.2.2620 dropbear[1827]: Child connection from 127.0.0.1:45003
    Jun 17 13:13:53 unifi.localdomain Router,469e6128e8d2,udm-1.7.2.2620 kernel: [42194.788704] IN=br0 OUT=eth8 MAC=e2:63:00:00:00:33:50:eb:00:00:00:00:08:00 SRC=10.0.0.188 DST=209.xxx.xx.2x3 LEN=105 TOS=0x00 PREC=0x00 TTL=127 ID=31177 PROTO=UDP SPT=61006 DPT=56338 LEN=85 
    Jun 17 13:13:53 unifi.localdomain Router,469e6128e8d2,udm-1.7.2.2620 kernel: [42194.798058] IN=br0 OUT=eth8 MAC=e2:63:00:00:00:33:50:eb:00:00:00:00:08:00 SRC=10.0.0.188 DST=209.xxx.xx.2x3 LEN=141 TOS=0x00 PREC=0x00 TTL=127 ID=31178 PROTO=UDP SPT=61006 DPT=56338 LEN=121 

Hi @Roger_Payne Welcome to the Elastic Discuss forum!

I'm not sure if you are using any of our modules. In any case there are 2 ways to achieve this if none of the modules does the trick for you:

• Defining some processors https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html Simple and easy, but limited.
• Creating an Ingest PIpeline in Elasticsearch https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html more powerful but slightly more complex. The you configure the pipeline in Filebeat like described here https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html#pipeline-option-es

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.