Howto filter logs for Facility and Priority

Hi all,
I'm evaluating
filebeat version 7.4.2 with elasticsearch (same version)
and the system module.

How can I filter the log messages for facility and priority fields?
Can I tweak/configure the filebeat system module to extract them?

I turned these fields on in rsyslog.conf with a simple template like so:

$template TraditionalFormatWithPRI,"%pri-text%: %timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

$ActionFileDefaultTemplate TraditionalFormatWithPRI

resulting in log lines looking like this:

daemon.info: Nov 26 20:15:02 myhost systemd[1]: Started Hostname Service.

but they are just cleanly filtered out when I look at the line in kibana.
I used to think it's quite helpful to have a filter at least for the priority!

Any way to achieve this with the system module?

TIA

I was able to extract the facility and priority fields from the above-mentioned log line by editing:

/usr/share/filebeat/module/system/syslog/ingest/pipeline.json

and then updating the actual pipeline with:

curl -H 'Content-Type: application/json' -XPUT 'http://<elk_ip>:9200/_ingest/pipeline/filebeat-7.4.2-systemsystem' -d@pipeline.json

see here for more info:
https://www.elastic.co/guide/en/beats/filebeat/master/configuring-ingest-node.html
https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html

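A complete ingest pipeline that parses the `%pri-text%` prefix of the sample line above, added here as an example and not the module's own pipeline.json. It assumes ECS `log.syslog.*` field names for the new fields and the module's `system.syslog.*` / `process.*` names for the rest; the second grok pattern keeps lines without the prefix parseable, and the script processor adds the numeric codes (RFC 5424 table, `priority = facility * 8 + severity`) so Kibana can range-filter on priority.

```json
{
  "description": "Added example: parse rsyslog %pri-text% prefix such as 'daemon.info: ' into log.syslog.* fields",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "^%{WORD:log.syslog.facility.name}\\.%{WORD:log.syslog.severity.name}: %{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}",
          "^%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\\[%{POSINT:process.pid:long}\\])?: %{GREEDYMULTILINE:system.syslog.message}"
        ],
        "pattern_definitions": { "GREEDYMULTILINE": "(.|\\n)*" }
      }
    },
    {
      "script": {
        "if": "ctx.log?.syslog?.facility?.name != null",
        "lang": "painless",
        "source": "def f = params.facility[ctx.log.syslog.facility.name]; def s = params.severity[ctx.log.syslog.severity.name]; if (f != null && s != null) { ctx.log.syslog.facility.code = f; ctx.log.syslog.severity.code = s; ctx.log.syslog.priority = f * 8 + s; }",
        "params": {
          "facility": { "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17, "local2": 18, "local3": 19, "local4": 20, "local5": 21, "local6": 22, "local7": 23 },
          "severity": { "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3, "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7 }
        }
      }
    },
    {
      "date": {
        "field": "system.syslog.timestamp",
        "target_field": "@timestamp",
        "formats": ["MMM  d HH:mm:ss", "MMM d HH:mm:ss"]
      }
    },
    { "remove": { "field": "message" } },
    { "rename": { "field": "system.syslog.message", "target_field": "message", "ignore_missing": true } }
  ]
}
```

Before PUT-ing it under the pipeline id the module uses, run it through `POST _ingest/pipeline/_simulate` with the sample line as the `message` field to confirm every processor matches.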
