Beats_input_raw_event

Yuval_Algresi · December 4, 2023, 3:30pm

Hello,
I use winlogbeat to ship event viewer logs to my elastic stack.
It first goes to logstash and from there to elastic - I use beats input plugin.
Usually there is an event.original field that contains the raw event data (like it is in event viewer)
I sometimes use that field to create new fields.
But I noticed that some events have missing event.original field - and that those events always have this tag: beats_input_raw_event
The logs go through the same pipeline - some have the field and not the tag and some the oposite
Does someone know what does this mean and how can I fix it?

Badger · December 4, 2023, 5:08pm

Looking at the code here, that tag gets added if no codec is called to decode the event. That appears to happen if there is no [message]/[line] field in the event. I don't think you can fix it in logstash.

Yuval_Algresi · December 10, 2023, 10:15am

Do you have any idea why this happens to some logs but not to all?
The logs go through the same process
Event viewer -> winlogbet -> logstash -> elastic
They come frim the same server and go through the same pipeline in logstash
And yet they don't look the same as some have this problem and some don't
This makes using the message field to create new fields impossible

Badger · December 10, 2023, 10:28pm

Like I said, it will happen to events that do not have a [message] field.

system · January 7, 2024, 10:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.