I have a situation where the infrastructure guys have implemented ELK as a central log collection for all Linux devices and have started forwarding the logs to the ESM from there. Now the challenge comes when adding the ELK data sources. It doesn't matter which syslog relay option I take, the ESM takes the headers from the ELK instead of ignoring the ELK-inserted headers and reading the logs from the actual log source.
1. Click on the ELK Data Source and open the policy.
2. Open Advanced Syslog Parser and click on the parsing rule, then choose Modify.
3. In the Parsing tab, uncheck "Include Syslog Header in Regular Expression match".

That should do it! (Copy the same for all parsing rules.)

To be sure it's solving the problem: insert a copy of one of your logs in the "Sample log data" section and see if it's parsing it correctly.
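The parsing problem described in this thread, as an added example that is not part of the original post and not code from the ESM or ELK: a relay that prepends its own syslog header produces a line with two headers, and a parser that consumes the first header it sees attributes the event to the relay rather than to the source host. The sample line, its RFC 3164-style layout and the field names are constructed for this illustration; the ESM's own parser and the exact form of the ELK-inserted header are assumptions, not taken from the page.

```python
import re
from typing import Dict, Optional

# RFC 3164-style syslog header: optional <PRI>, timestamp, hostname, remainder.
# Constructed for this example; it does not reproduce the ESM's parser internals.
SYSLOG_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)

# Constructed sample: the relay ("elk-relay") wrapped the original message from
# "web01" in a second syslog header, which is the situation the thread describes.
RELAYED_LINE = (
    "<13>Mar  4 10:15:22 elk-relay "
    "<86>Mar  4 10:15:21 web01 sshd[1234]: "
    "pam_unix(sshd:session): session opened for user deploy"
)

# Constructed sample of the same event delivered directly, without a relay header.
DIRECT_LINE = (
    "<86>Mar  4 10:15:21 web01 sshd[1234]: "
    "pam_unix(sshd:session): session opened for user deploy"
)


def parse_header(line: str) -> Optional[Dict[str, str]]:
    """Return the header fields of a syslog line, or None if it has no header."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


def naive_parse(line: str) -> Dict[str, str]:
    """Mimics 'Include Syslog Header in Regular Expression match': the first
    header on the line is treated as the event's header, so for a relayed line
    the relay host is reported as the source."""
    fields = parse_header(line)
    if fields is None:
        raise ValueError("not a syslog line")
    return {"host": fields["host"], "ts": fields["ts"], "msg": fields["rest"]}


def parse_relayed(line: str) -> Dict[str, Optional[str]]:
    """Skip the outer (relay) header and parse the payload on its own. If the
    payload carries its own syslog header, that header belongs to the actual
    source and is used; otherwise the outer header is the only one and is kept."""
    outer = parse_header(line)
    if outer is None:
        raise ValueError("not a syslog line")
    inner = parse_header(outer["rest"])
    if inner is None:
        # No nested header: the message came straight from the source.
        return {"relay": None, "host": outer["host"],
                "ts": outer["ts"], "msg": outer["rest"]}
    return {"relay": outer["host"], "host": inner["host"],
            "ts": inner["ts"], "msg": inner["rest"]}


if __name__ == "__main__":
    print("naive   :", naive_parse(RELAYED_LINE)["host"])     # elk-relay (wrong)
    print("payload :", parse_relayed(RELAYED_LINE)["host"])   # web01 (correct)
    print("direct  :", parse_relayed(DIRECT_LINE)["host"])    # web01
```

The second function is what unchecking the header option amounts to: the regular expression is applied to the payload after the relay's header, so the source host and timestamp come from the original log. Keeping the direct-delivery case working matters because the same policy may later be applied to devices that do not go through the relay.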