Logstash, filebeat, syslog rfc5424 not working


I have ELK 7.5.0 setup on one node with a few other systems running auditbeat and filebeat. I have SSL setup for communication between the beat and logstash. I have filebeat specified to look at /var/log/messages. Only the Time, "host.hostname" and message columns are populated in the [Filebeat System] ECS dashboard. The "message" column is populated with the full message as it is in syslog. I don't know what I missed.

All syslog from clients are set to RFC5424 (syslog uses $ActionFileDefaultTemplate RSYSLOG_FileFormat)

I tried the following, but I can't seem to get the process name working. I think because of this, I don't get any data populated for Sudo and SSH logins also.

if [event.dataset] == "system.syslog"
if [type] == "syslog"

logstash/conf.d/logstash.conf is set as below.

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/ssl/ca.crt"]
    ssl_certificate => "/etc/logstash/ssl/xxxxxx.crt"
    ssl_key => "/etc/logstash/ssl/xxxxxx.key"
    ssl_verify_mode => "peer"
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
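An added example of a Logstash 7.x pipeline for this setup; it is not the poster's configuration and not anything from the Elastic project itself. It keeps the TLS settings and the index pattern from the question and changes two things a practitioner would check here. First, Filebeat 7 does not add a top-level `type` field, so `if [type] == "syslog"` never matches and the grok never runs. Second, a dotted ECS field is addressed in Logstash as `[event][dataset]`, one bracket per level, not `[event.dataset]`. Beyond that, the Filebeat System module does its parsing in an Elasticsearch ingest pipeline, which is what fills the ECS fields (`process.name`, `process.pid`, `user.name`) the [Filebeat System] dashboard reads; Logstash only has to pass the pipeline name along in `[@metadata][pipeline]`. The certificate paths are copied from the question; the grok branch for non-module events and the field names it renames to are assumptions for this example.

```logstash
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/ssl/ca.crt"]
    ssl_certificate => "/etc/logstash/ssl/xxxxxx.crt"
    ssl_key => "/etc/logstash/ssl/xxxxxx.key"
    ssl_verify_mode => "peer"
  }
}

filter {
  # Filebeat module events carry event.dataset (e.g. "system.syslog") and
  # @metadata.pipeline and are parsed by the ingest pipeline in the output
  # below. Only events WITHOUT event.dataset (a plain log input pointed at
  # /var/log/messages) need Logstash-side parsing.
  if ![event][dataset] {
    grok {
      # SYSLOGLINE matches both "Dec 10 10:11:12" and the ISO8601 timestamp that
      # RSYSLOG_FileFormat writes, and yields the legacy field names
      # timestamp/logsource/program/pid/message.
      match => { "message" => "%{SYSLOGLINE}" }
      # keep only the parsed message body instead of an array of both
      overwrite => ["message"]
      tag_on_failure => ["_grokparsefailure_syslog"]
    }
    if [program] {
      mutate {
        # Move the legacy names to the ECS names the dashboard queries
        # (assumed mapping; mutate applies rename before convert)
        rename => {
          "program" => "[process][name]"
          "pid" => "[process][pid]"
        }
        convert => { "[process][pid]" => "integer" }
      }
    }
  }
}

output {
  if [@metadata][pipeline] {
    # Module events: hand the line to the Filebeat-installed ingest pipeline,
    # which produces the ECS fields the [Filebeat System] dashboard expects.
    elasticsearch {
      hosts => ["http://localhost:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}
```

The ingest pipelines referenced by `[@metadata][pipeline]` have to exist in Elasticsearch before events arrive, so run `filebeat setup --pipelines --modules system` once from a Filebeat host (with `setup` temporarily pointed at Elasticsearch directly, since the Logstash output cannot load them). `manage_template => false` stops Logstash from installing its own index template over the Filebeat one that `filebeat setup` loads; without the Filebeat template the ECS fields may be mapped as plain text and the dashboard visualisations will still come up empty. A quick way to confirm which branch an event took is to search the Filebeat index for `tags:_grokparsefailure_syslog` and for `event.dataset:system.syslog` and compare the counts with what rsyslog is writing.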
