Parsing for syslog in Filebeat

I have Filebeat installed on a CentOS VM to collect local logs via flat file and also receive syslog on port 9000 from a remote CentOS machine.

I am collecting logs from computers, but I have noticed that the Filebeat ECS dashboards only get populated using the local logs and not the syslog from the remote machine. A comparison of the logs when looking at the Sudo Commands dashboard shows that the syslog does system.auth.sudo.command; this is being entered into the message fields.

I am using rsyslog, and this is how the rsyslog file is configured:
*.* @@192.168.56.133:9000

Is there anything I need to do to make the syslog files get formatted in the same way that the local logs are being formatted?
