Best practice for enriching logs with environment names

I want to enrich logs by adding service information (Environment specifically). “Add a service name to logs” seems like what I want. But none of the options seem ideal.

  • Ideally I would have an agent policy for (say) the web tier, then add the environment at the agent level. It seems I can’t do this with Fleet and Elastic Agent. Our hosts are VMs. It looks like I might have been able to do something if we ran containers, but we don’t.
  • Integrations are included in the agent policy, so I can’t add the field here without expanding the agent policies to (almost) one per host.
  • I don’t think I am using Filebeat, I am using filestream. But this still has the same issue in that it is part of an integration, so would expand the number of agents.
  • add fields processor: this has the same issue as above, unless we can set a variable at the agent level, which we can’t seem to do with Fleet.
  • The logs don’t have the environment name in them.

So it seems that my only options are to have one agent policy per tier per environment, which is basically one per host, or to do something very clever with an ingest pipeline and map hostnames or filenames to environment names. I haven’t investigated this, but it seems somewhat complex and fragile.

But surely I am missing something. Doesn’t everyone have this problem? Nobody would use observability if this were the case.

I have searched and found some people asking similar questions, but the solutions generally seem to involve not using Fleet. Do I just need to create loads of agent policies?