Can't get app_process_metadata to work in Filebeat


(D Pattee) #1

I use two add_process_metadata directives in my Metricbeat config to get the parent process info and extra details on the specific process. Now I'm trying to add extra process information to syslog messages pulled in via Filebeat.

- add_process_metadata:
    match_pids: [system.syslog.pid]
    target: system.process.details

This doesn't ever seem to execute on syslog entries though - entries that do have a system.syslog.pid don't get any additional fields added, unlike how it works in metricbeat.

One thing I noticed was that compared to all other pid fields, the system.syslog.pid gets indexed as text instead of number.

I tried changing that by deleting the indexes and adding

setup.template.enabled: true
setup.template.fields: "${path.config}/fields.yml"
setup.template.overwrite: true
setup.template.append_fields:
  - name: system.syslog.pid
    type: long

to my config but that just throws warnings that 'append fields contains field that is already in use' since syslog.pid gets defined in the fields.yml. I tried making it a 'long' in fields.yml and that didn't work either.


(Noémi Ványi) #2

Are you using the system/syslog module?
If yes, the problem is that the field system.syslog.pid is only added by Elasticsearch. When Filebeat encounters syslog events, none of them has that field. Thus, process metadata is never added.
If not, could you please share your whole config formatted using </>?
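
Added example (not part of the original posts and not Beats code): a small Python model of the ordering described in the answer above, where the Filebeat processor runs on the raw event before the Elasticsearch ingest step creates system.syslog.pid. The sample line, regex, process table and function names are constructed for illustration.

```python
import re

# Constructed sample line in the classic syslog layout (not from the thread).
SAMPLE = "Feb  3 10:15:01 web01 sshd[4242]: Accepted publickey for deploy"

# Simplified stand-in for the parsing done server-side by the ingest pipeline.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d+ [\d:]{8}) (?P<hostname>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$")

# Constructed process table standing in for the host's live process list.
PROCESS_TABLE = {4242: {"name": "sshd", "ppid": 1, "exe": "/usr/sbin/sshd"}}

def get_field(event, dotted):
    """Resolve a dotted name such as system.syslog.pid; None if absent."""
    node = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def put_field(event, dotted, value):
    *parents, leaf = dotted.split(".")
    node = event
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value

def add_process_metadata(event, match_pids, target):
    """Model of the processor: enrich only if a match_pids field exists."""
    for field in match_pids:
        pid = get_field(event, field)
        if pid is not None and int(pid) in PROCESS_TABLE:
            put_field(event, target, dict(PROCESS_TABLE[int(pid)]))
            return True
    return False

def ingest_pipeline(event):
    """Model of the later step that creates the system.syslog.* fields."""
    match = SYSLOG_RE.match(event["message"])
    for key, value in (match.groupdict() if match else {}).items():
        if value is not None:
            put_field(event, f"system.syslog.{key}", value)
    return event

def ship(line):
    event = {"message": line}  # all the processor sees on the Filebeat side
    enriched = add_process_metadata(
        event, ["system.syslog.pid"], "system.process.details")
    return enriched, ingest_pipeline(event)
```

In this model the pid only exists after `ingest_pipeline` has run, and it comes out of the regex as a string.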


(D Pattee) #3

Yeah, I've switched to using the modules for metric & filebeats with this latest release instead of making the base metricbeat.yml/filebeat.yml huge.