Hi. I am trying to use Humio to collect logs from my Sophos UTM 9 firewall. This works well except I have a wrinkle when looking at authentication failures. I can easily see authentication failures, as they are logged, however the reason for the failure…

I have recently installed the newest version of ELK stack 6.0.x and I receive this errors in logstash-plain.log: `[2017-11-30T11:27:11,235][WARN`` ][logstash.codecs.netflow ] Can't (yet) decode flowset id 260 from observation domain id 1, because no…

For now Sohpos UTM syslog splits long log messages. Is there a way to configure syslog do not split long log messages? I'm shipping Sophos logs to my logstash server, which sends them to Elastic. I'll prefer to not deal with multi-line messages parsing…

From /etc/logstash/conf.d/central.conf: input { type => "ipfix" } tcp { port => 4739 codec => netflow { versions => [10] target => ipfix } type => "ipfix" } } # end of input output { if [type] == "ipfix" { elasticsearch { index => "ipfix_logs-%{+YYYY…

Posting this here if anyone wants to point their UTM logs to a remote logstash/elasticsearch instance. This is a working sample logstash.conf file. I pointed my remote logging to my logstash server on port 5140. This works for all of the UTM log types…