Logstash reading syslog from filebeat

Using RHEL8, ELK 7.12, I have filebeat 7.12 set up on a RH7 workstation, configured with the syslog plugin and delivering data to logstash.

The data is coming into logstash, but it's raw - the message field isn't being split up. I am presuming that one of the plugins will be designed with most of the main syslog patterns? Is that the purpose of the plugins?

Now I'm confused about what type of plugin to use for logstash - I know that the input is beats, so I presume I don't want the logstash-input-syslog. Maybe logstash-filter-syslog_pri?

Is this a sufficient filebeat-syslog.conf?

input {
  beats {
    port => "5044"
  }
}
filter {
  syslog_pri {
  }
}

Or do I need to add an if check?

filter {
  if [type] == "syslog" {
    syslog_pri {
    }
  }
}

Ok, so the answer is no - logstash-filter-syslog_pri is only for SYSLOG priorities. Doesn't break down the actual message.

I need to use logstash-filter-grok? Yes, that seems to have worked.
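An added pipeline example, not from the thread, that puts the two filters together: grok splits the raw RFC 3164 line into fields, while syslog_pri only decodes a leading <PRI> number into facility/severity. The [fields][log_type] conditional, the sample log line and the Elasticsearch address are assumptions for this example.

```conf
# Added example: beats input -> grok splits the raw syslog line ->
# syslog_pri decodes the <PRI> number (if present) -> date sets @timestamp.
input {
  beats {
    port => 5044
  }
}

filter {
  # Assumed: filebeat is configured with `fields: { log_type: syslog }`.
  # Beats 7.x no longer sets a top-level `type` field, so a bare
  # `if [type] == "syslog"` would never match unless you add that field.
  if [fields][log_type] == "syslog" {
    grok {
      # Constructed sample line this pattern is written against:
      # <38>Mar  9 14:02:11 ws01 sshd[2173]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
      match => {
        "message" => "(?:<%{NONNEGINT:syslog_pri}>)?%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
      }
      # Distinct tag so lines the pattern does not match are easy to find
      tag_on_failure => ["_grokparsefailure_syslog"]
    }
    # syslog_pri reads the number grok put in "syslog_pri" (its default
    # source field) and adds syslog_facility / syslog_severity and their
    # numeric codes. It does not touch the rest of the message.
    syslog_pri { }
    # Two-space form handles single-digit days ("Mar  9").
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumed address
    index => "syslog-%{+YYYY.MM.dd}"
  }
}
```

With the sample line above, the event ends up with syslog_program "sshd", syslog_pid "2173", syslog_severity "informational" and syslog_facility "security/authorization", and the free text lands in syslog_message.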
