F5 and Radware integrations are deprecated. Let me explain: it is not normal that they have an intermediate parser in JS (without the possibility of changing it from the integration); it is practically better to let the message through and parse it entirely with pipelines. Maintaining a JS that parses the syslog is absurd; you lose control of the data. In addition, the documentation does not mention anything at all about this fact, which is basically 80 percent of the module.
My proposal:
- Create the pipeline with the standard syslog format like the rest of the modules.
- Delete intermediary JS (it is impossible to modify from the fleet), in short it is anti-centralizable.
- Do not keep such old integrations because this will alienate any possible interest in elasticsearch, since it is absolutely impossible if you are a newbie to understand what happens before the pipeline.
In this post I am not asking for help, since obviously we have refused to use these modules because they bring more problems than anything else; it is simply a suggestion so that people who try it for the first time do not think that it is useless.
These little things are what make you opt for one product or another.
Personally I would never put a module without having tested it:
- Standard.
- Adding fields.
- Above all and most importantly without compatibility with the operation of elastic agent.
In summary, these 2 integrations, instead of helping, harm.