Showing results for 
Show  only  | Search instead for 
Did you mean: 

Logs from ELK

Hi all, 

I have a situation where the infrastructure guys have implemented ELK as a central log collection for all Linux devices and have started forwarding the logs to the ESM from there. Now the challenge comes when adding the ELK data sources. it doesn't matter which syslog relay option i take, the ESM

takes the headers from the ELK instead of ignoring the ELK inserted headers and reading the logs from the actual log source. 

is there a solution to this 

1 Reply
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 2

Re: Logs from ELK

Hi, Great Question!

in flash mode (configurations)

click on the ELK Data Source
open the policy
open Advanced Syslog Parser
try clicking on the parsing rule 
choose modify
in the Parsing tab uncheck the "Include Syslog Header in Regular Expresion match"

that should do it!
(copy the same for all parsing rules)

to be sure its solving the problem:
insert in the "Sample log data" section
a copy of 1 of your logs, and see if it's parsing it good.

dont forget after that to "rollout" the policy 🙂


Best Regards👍👍👍


You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community