I have Filebeat installed on a CentOS VM to collect local logs via flat file and also to receive syslog on port 9000 from a remote CentOS machine.
I am collecting logs from computers, but I have noticed that the Filebeat ECS dashboards only get populated using the local logs and not the syslog from the remote machine. A comparison of the logs when looking at the Sudo Commands dashboard shows that the syslog does system.auth.sudo.command; this is being entered into the message field.
I am using rsyslog, and this is how the rsyslog file is configured:
Is there anything I need to do to make the syslog files get formatted in the same way that the local logs are being formatted?