[UNSUPPORTED] Extract fields from syslog messages

Elastic Stack Beats
1

There was similar question about JSON messages before...
Setup:

txt file--------> filebeat---------->elasticsearch

File has syslog formatted and not formatted messages from different devices (sometimes format differs a lot )

Questions:

Is it possible to extract additional fields from the "message" field, when message is clear "syslog"?

Is it possible to introduce an additional fields based on conditions (regexp) of having some information in the message?

Documentation on the "processors" is very vague, tried it , no luck.
Any information would be appreciated.

2

Filebeat currently does not extract any fields from the log messages. It can process json in case your messages are in JSON format. Otherwise please use grok in Logstash or elasticsearch ingest.

3

Ruflin, thanks for reply.

So the answer on my first question is "Not supported"

What about my second questions?

I would like to analyse message with regular expression and introduce a new filed based on result. I assume it is what processors are for. Can you provide an example?

4

2 is currently also not possible. The main target of processors in filebeat is to filter out lines which should not be shipped. There are some ideas how we could extend this in the future.

At the moment I strongly recommend to do the above in Logstash.

5

OK . I got it.
Thanks for the information

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.