Hi all,
We have a FortiWeb 2000 s device and we want to send its logs to Elasticsearch.
In the first step, we wrote a Logstash config file which is listening on UDP with type "json", while the FortiWeb log type is configured to JSON format. The Logstash config is as follows:
input {
  udp {
    port => 12345
    type => "json"
  }
}
filter {
  # Strip the syslog PRI prefix "<nnn>" and keep the remainder as "message"
  dissect {
    mapping => {
      "message" => "<%{}>%{message}"
    }
  }
  # Parse the remaining JSON body into event fields
  json {
    source => "message"
  }
}
output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    ssl_enabled => true
    ssl_certificate_authorities => "...\elasticsearch-ca.pem"
    ssl_verification_mode => "none"
    user => "***"
    password => "****"
    index => "log_%{+yyyy.MM.dd}"
  }
  stdout {
    codec => rubydebug
  }
}
When we run Logstash, it gathers the logs perfectly and the JSON filter can parse all key-values, but after a while it seems the input is not JSON anymore and seems to have been damaged, so the JSON filter cannot parse it. How can I handle this issue?
What is the best way to parse FortiWeb syslog?
Any advice will be much appreciated.
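As an added example (not part of the original post or of any FortiWeb/Logstash code), here is a small Python model of the dissect + json stages above that tags oversized or unparseable datagrams instead of dropping them, so a defender can see which events arrived damaged. The datagram size limit and the sample log lines are constructed for the demo.

```python
import json

# Constructed limit for the demo: datagrams at or above this length are
# flagged as possibly truncated (a real UDP receiver has its own buffer limit).
MAX_DATAGRAM = 200

def parse_fortiweb_line(line, max_len=MAX_DATAGRAM):
    """Model of dissect '<%{}>%{message}' followed by json { source => "message" }.

    Returns (event, tags): the decoded JSON body, or the raw text plus tags
    explaining why it could not be decoded, so nothing is silently lost.
    """
    tags = []
    # dissect stage: drop the syslog PRI "<nnn>" and keep the rest as the message
    if line.startswith("<") and ">" in line:
        body = line.split(">", 1)[1]
    else:
        body = line
        tags.append("_dissectfailure")
    # an oversized datagram is a strong hint that the JSON was cut off in transit
    if len(line) >= max_len:
        tags.append("_truncated")
    # json stage: decode, or keep the raw body and tag the failure
    try:
        event = json.loads(body)
    except json.JSONDecodeError:
        tags.append("_jsonparsefailure")
        event = {"message": body}
    return event, tags

# Constructed sample datagrams (not captured from a real device)
SAMPLES = [
    '<134>{"date":"2024-01-01","type":"attack","action":"deny"}',
    '<134>{"date":"2024-01-01","type":"attack","msg":"' + "x" * 300,
    'plain text line with no JSON',
]

def summarize(lines):
    """Count how many lines parsed cleanly versus each failure-tag combination."""
    counts = {}
    for line in lines:
        _, tags = parse_fortiweb_line(line)
        key = ",".join(tags) or "ok"
        counts[key] = counts.get(key, 0) + 1
    return counts
```

Running `summarize(SAMPLES)` separates clean events from truncated and non-JSON ones, which is the same split a `tag_on_failure`-style setup in the pipeline would give you for alerting on a lossy syslog feed.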