[UNSUPPORTED] Extract fields from syslog messages

Andrrrey · November 8, 2016, 8:27pm

There was similar question about JSON messages before...
Setup:

txt file--------> filebeat---------->elasticsearch

File has syslog formatted and not formatted messages from different devices (sometimes format differs a lot )

Questions:

Is it possible to extract additional fields from the "message" field, when message is clear "syslog"?

Is it possible to introduce an additional fields based on conditions (regexp) of having some information in the message?

Documentation on the "processors" is very vague, tried it , no luck.
Any information would be appreciated.

ruflin · November 9, 2016, 10:44am

Filebeat currently does not extract any fields from the log messages. It can process json in case your messages are in JSON format. Otherwise please use grok in Logstash or elasticsearch ingest.

Andrrrey · November 9, 2016, 3:34pm

Ruflin, thanks for reply.

So the answer on my first question is "Not supported"

What about my second questions?

I would like to analyse message with regular expression and introduce a new filed based on result. I assume it is what processors are for. Can you provide an example?

ruflin · November 10, 2016, 9:26am

2 is currently also not possible. The main target of processors in filebeat is to filter out lines which should not be shipped. There are some ideas how we could extend this in the future.

At the moment I strongly recommend to do the above in Logstash.

Andrrrey · November 10, 2016, 2:43pm

OK . I got it.
Thanks for the information

system · December 8, 2016, 2:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.