For now Sohpos UTM syslog splits long log messages. Is there a way to configure syslog do not split long log messages? I'm shipping Sophos logs to my logstash server, which sends them to Elastic. I'll prefer to not deal with multi-line messages parsing…

From /etc/logstash/conf.d/central.conf: input { type => "ipfix" } tcp { port => 4739 codec => netflow { versions => [10] target => ipfix } type => "ipfix" } } # end of input output { if [type] == "ipfix" { elasticsearch { index => "ipfix_logs-%{+YYYY…

Posting this here if anyone wants to point their UTM logs to a remote logstash/elasticsearch instance. This is a working sample logstash.conf file. I pointed my remote logging to my logstash server on port 5140. This works for all of the UTM log types…