Customize syslog Filebeat config #12691

theflakes · 2024-03-29T13:28:24Z

theflakes
Mar 29, 2024

Hello, and sorry if I missed this in the documentation.

I'm running SO in a virt lab env for students. Presently using latest 2.3 version. I'm sending syslogs to a standalone SO server for each student env. I have one field in that syslog that is Json that I want Filebeat to parse as Json into the default SO Elastic index. Is there a way to customize the syslog Filebeat parsing?

Thanks for any time and help.

samanosuke26 · 2024-04-04T16:52:45Z

samanosuke26
Apr 4, 2024

You could try changing the filebeat input by adding this:

filebeat.inputs:

type: %yourtype%
paths:
- input.json
  json.keys_under_root: true

processors:

decode_json_fields:
fields: ["%yourfield%"]

#Copy the yaml over to local to make your changes
cp /opt/so/saltstack/default/salt/filebeat/etc/filebeat.yaml /opt/so/saltstack/local/salt/filebeat/etc/filebeat.yaml

#vim the filebeat.yaml and scroll down to your syslog inputs
vim /opt/so/saltstack/local/salt/filebeat/etc/filebeat.yaml

#Add the stuff above and restart filebeat. so-filebeat.restart

This was found here:
https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Customize syslog Filebeat config #12691

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Customize syslog Filebeat config #12691

Uh oh!

Uh oh!

theflakes Mar 29, 2024

Replies: 1 comment

Uh oh!

samanosuke26 Apr 4, 2024

theflakes
Mar 29, 2024

samanosuke26
Apr 4, 2024