cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rmatloa
Level 9
Report Inappropriate Content
Message 1 of 2
‎05-19-2020 12:01 AM

Logs from ELK

Jump to solution

Hi all, 

I have a situation where the infrastructure guys have implemented ELK as a central log collection for all Linux devices and have started forwarding the logs to the ESM from there. Now the challenge comes when adding the ELK data sources. it doesn't matter which syslog relay option i take, the ESM

takes the headers from the ELK instead of ignoring the ELK inserted headers and reading the logs from the actual log source. 

is there a solution to this 

0 Kudos
Reply
1 Solution

Accepted Solutions
David1111
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 2
‎05-19-2020 05:19 AM

Re: Logs from ELK

Jump to solution

Hi, Great Question!

in flash mode (configurations)

click on the ELK Data Source
open the policy
open Advanced Syslog Parser
try clicking on the parsing rule 
choose modify
in the Parsing tab uncheck the "Include Syslog Header in Regular Expresion match"

that should do it!
(copy the same for all parsing rules)

to be sure its solving the problem:
insert in the "Sample log data" section
a copy of 1 of your logs, and see if it's parsing it good.

dont forget after that to "rollout" the policy 🙂

 

Best Regards👍👍👍

David

View solution in original post

0 Kudos
Reply
1 Reply
David1111
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 2
‎05-19-2020 05:19 AM

Re: Logs from ELK

Jump to solution

Hi, Great Question!

in flash mode (configurations)

click on the ELK Data Source
open the policy
open Advanced Syslog Parser
try clicking on the parsing rule 
choose modify
in the Parsing tab uncheck the "Include Syslog Header in Regular Expresion match"

that should do it!
(copy the same for all parsing rules)

to be sure its solving the problem:
insert in the "Sample log data" section
a copy of 1 of your logs, and see if it's parsing it good.

dont forget after that to "rollout" the policy 🙂

 

Best Regards👍👍👍

David

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC