Send full syslog unparsed message


I am using Filebeat to collect syslogs from a Cisco Firepower IPS straight to Logstash. Filebeat is able to parse the time; the issue is that Firepower sends the time in RFC3164 format in UTC. Filebeat is parsing the syslog timestamp but removing another hour, so my logs are an hour behind UTC.

Is it possible to access the original unparsed message in Logstash so that I can get the SYSLOGTIMESTAMP?

I have been trying to use the below in Logstash to no avail.

  # Logstash date filter: "timestamp" is the field Filebeat already produced
  date {
    match => ["timestamp", "MMM dd HH:mm:ss", "ISO8601"]
    timezone => "UTC"
  }

Looking at the pipelines in Filebeat for Elasticsearch, it looks as though it expects the full syslog message.

Any pointers?


If you want to do all parsing and processing, then you might want to use the tcp and/or udp inputs directly. Internally the syslog input just reuses those two inputs, but adds parsing on top.
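Putting the question and the reply together, the following is an added example and not a configuration posted in this thread. It assumes Filebeat is switched from the `syslog` input to the `udp` input (`type: udp`, `host: "0.0.0.0:9514"`) so that each raw line arrives in Logstash in the `message` field with its RFC3164 timestamp untouched, and that Filebeat ships to Logstash on port 5044. The Elasticsearch host, index name, field names and the sample line in the comments are assumptions for illustration. Grok pulls `SYSLOGTIMESTAMP` out of the raw text, and the `date` filter then reads it as UTC, which is the step the Filebeat `syslog` input was doing in local time.

```conf
# Added example, not from the original thread. Logstash pipeline that does the
# syslog parsing itself on raw lines forwarded by Filebeat's udp input, so the
# RFC3164 timestamp can be interpreted as UTC instead of local time.
# Constructed sample of an incoming line (assumed shape, not a real event):
#   <189>Oct  5 09:14:03 ftd-01 %FTD-6-430003: EventPriority: Low ...
input {
  beats {
    port => 5044          # assumed Filebeat -> Logstash port
  }
}

filter {
  # PRI (<nnn>) and hostname are made optional so lines with or without them
  # still match; the part after them is kept whole in syslog_message.
  grok {
    match => {
      "message" => "^(?:<%{NONNEGINT:syslog_pri}>)?%{SYSLOGTIMESTAMP:syslog_timestamp}\s+(?:%{SYSLOGHOST:syslog_host}\s+)?%{GREEDYDATA:syslog_message}$"
    }
    tag_on_failure => ["_syslog_grok_failure"]
  }

  # RFC3164 timestamps carry no zone, so the date filter must be told the
  # sender's zone explicitly. "MMM  d" (two spaces) covers single-digit days,
  # "MMM dd" the rest; the year is taken from the current year because the
  # format has none.
  date {
    match => ["syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"]
    timezone => "UTC"
    target => "@timestamp"
    tag_on_failure => ["_syslog_date_failure"]
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]          # assumed
    index => "firepower-%{+YYYY.MM.dd}"         # assumed index name
  }
}
```

To check the zone handling, send one line by hand (`printf '<189>Oct  5 09:14:03 ftd-01 test\n' | nc -u -w1 <filebeat-host> 9514`) and confirm that `@timestamp` comes out as `...T09:14:03.000Z` rather than shifted by the Logstash host's UTC offset. The `date` filter in the question was matching Filebeat's already-converted `timestamp` field, so setting `timezone => "UTC"` there had nothing left to correct; it has to run on the text grok extracts from `message`. Events tagged `_syslog_grok_failure` or `_syslog_date_failure` are the ones whose format differs from the assumed sample and need the pattern adjusted.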
