Hi all,
I have a situation where the infrastructure guys have implemented ELK as a central log collection point for all Linux devices and have started forwarding the logs to the ESM from there. Now the challenge comes when adding the ELK data sources: it doesn't matter which syslog relay option I take, the ESM takes the headers from the ELK instead of ignoring the ELK-inserted headers and reading the logs from the actual log source.
Is there a solution to this?
Hi, great question!
In flash mode (configurations)
click on the ELK Data Source
open the policy
open Advanced Syslog Parser
try clicking on the parsing rule
choose modify
in the Parsing tab, uncheck "Include Syslog Header in Regular Expression match"
That should do it!
(Do the same for all parsing rules.)
To be sure it's solving the problem:
insert a copy of one of your logs in the "Sample log data" section
and see if it parses it properly.
Don't forget to roll out the policy after that 🙂
Best Regards👍👍👍
David
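To make the effect of that checkbox concrete, here is an added illustration that is not part of David's answer and not ESM product code. It models the two parsing modes on a constructed relayed line: a Logstash-style relay prepends its own BSD-syslog header to the original device's line, so a parser that starts its match at the outer header attributes the event to the relay host, while a parser that skips the outer header and matches the carried message recovers the real source host, program and PID. The hostnames, the header regex, and all function names are assumptions made for this example; the fallback for a payload that carries no inner header is included so a non-relayed line still parses. Correct source attribution is what matters downstream: a rule that keys on the originating host fails silently if every event appears to come from the relay.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample (hostnames are made up): a BSD-syslog line as it arrives at the
# collector after passing through a relay. The outer header (timestamp, "elk-relay01",
# "logstash") was added by the relay; the original line from "web-srv-07" is carried
# intact inside the message part.
RELAYED_LINE = (
    "<13>Mar 14 10:22:05 elk-relay01 logstash: "
    "<86>Mar 14 10:21:59 web-srv-07 sshd[2314]: "
    "Accepted publickey for deploy from 10.0.4.21 port 51234 ssh2"
)

# One BSD-syslog (RFC 3164 style) header: optional <PRI>, timestamp, hostname,
# TAG with optional [pid], then ": " and the free-text message. Assumed layout.
SYSLOG_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogRecord:
    pri: Optional[int]
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    message: str


def parse_header(line: str) -> Optional[SyslogRecord]:
    """Parse exactly one syslog header off the front of `line`; None if absent."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    return SyslogRecord(
        pri=int(m["pri"]) if m["pri"] else None,
        timestamp=m["ts"],
        host=m["host"],
        tag=m["tag"],
        pid=int(m["pid"]) if m["pid"] else None,
        message=m["msg"],
    )


def parse_with_relay_header(line: str) -> Optional[SyslogRecord]:
    """Mimics 'header included in the match': the first header wins, so the
    relay is reported as the event source."""
    return parse_header(line)


def parse_without_relay_header(line: str) -> Optional[SyslogRecord]:
    """Mimics 'header excluded from the match': strip the outer header and parse
    the carried message, which still holds the original device's header.
    Falls back to the outer record when the payload has no header of its own."""
    outer = parse_header(line)
    if outer is None:
        return None
    inner = parse_header(outer.message)
    return inner if inner is not None else outer


def is_double_headed(line: str) -> bool:
    """True when the message part itself starts with another syslog header,
    i.e. a relay has wrapped the original line. Useful as a quick check on a
    pasted sample before changing parser settings."""
    outer = parse_header(line)
    return outer is not None and parse_header(outer.message) is not None


if __name__ == "__main__":
    print("relay wrapping detected:", is_double_headed(RELAYED_LINE))
    print("header included :", parse_with_relay_header(RELAYED_LINE))
    print("header excluded :", parse_without_relay_header(RELAYED_LINE))
```

Pasting a real relayed line in place of `RELAYED_LINE` and checking `is_double_headed` is the same verification the answer recommends with the "Sample log data" box: if the relay is wrapping, the host you want to see is the one the second parser returns.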