Hi All,
I have configured Filebeat to read IIS logs using the IIS module. At the same time, I want to drop unwanted fields to save space on my ES server.
I have enabled the IIS module using the command below.
.\filebeat.exe modules enable iis
When I check the events through Kibana, I can see the following fields in the events, even though I never enabled those modules in my settings.
suricata.*
traefik.*
Hence, to remove unwanted fields, including the above and some fields generated by the IIS module, I configured processors in filebeat.yml, but it is not dropping those fields and is throwing errors instead.
Following is the processors section of the filebeat.yml file:
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
  - drop_fields:
      fields: ["agent", "destination.address", "ecs", "event", "fileset.name", "host.id", "host.hostname", "host.os.platform", "host.os.type", "input.type", "log.offset", "related.ip", "source.address", "suricata", "traefik.access.user_agent.os_name", "user_agent.original", "user_agent.os.name", "user_agent.os.version"]
Below is the debug log generated by Filebeat:
2021-06-28T12:08:24.448+0530 DEBUG [processors] processing/processors.go:128 Fail to apply processor global{add_host_metadata=[netinfo.enabled=[true], cache.ttl=[5m0s]], condition=!contains: map[], add_cloud_metadata={}, add_docker_metadata=[match_fields=[] match_pids=[process.pid, process.ppid]], add_kubernetes_metadata, drop_fields={"Fields":["agent","destination.address","ecs","event","fileset.name","host.id","host.hostname","host.os.platform","host.os.type","input.type","log.offset","related.ip","source.address","suricata","traefik.access.user_agent.os_name","user_agent.original","user_agent.os.name","user_agent.os.version"],"IgnoreMissing":false}}:
failed to drop field [destination.address]: key not found; failed to drop field [related.ip]: key not found; failed to drop field [source.address]: key not found; failed to drop field [suricata]: key not found; failed to drop field [traefik.access.user_agent.os_name]: key not found; failed to drop field [user_agent.original]: key not found; failed to drop field [user_agent.os.name]: key not found; failed to drop field [user_agent.os.version]: key not found
Here I have two concerns:
- Why are suricata.* and traefik.* fields there, even though I haven't enabled them?
- Why is the drop_fields processor not applying correctly? Is there a specific order when processing the event, e.g. global processors first, then the IIS module?
Thanks
Someunguy1026
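As an added illustration of the "key not found" errors in the debug log above (example code, not Filebeat's own), here is a small Python model of the drop_fields processor run over a constructed event shaped like the IIS module output, using the post's field list. With ignore_missing at its default of false, each listed field that is absent from the event becomes an error (the same eight fields the debug log names), while the fields that do exist are still removed; `ignore_missing: true` on drop_fields in filebeat.yml (a real option of that processor) skips the absent ones instead.

```python
from copy import deepcopy

# Field list copied from the filebeat.yml in the post.
DROP_FIELDS = ["agent", "destination.address", "ecs", "event", "fileset.name",
               "host.id", "host.hostname", "host.os.platform", "host.os.type",
               "input.type", "log.offset", "related.ip", "source.address", "suricata",
               "traefik.access.user_agent.os_name", "user_agent.original",
               "user_agent.os.name", "user_agent.os.version"]

# Constructed sample event shaped like IIS module output: it carries the keys
# the debug log did NOT complain about, and none of the suricata/traefik ones.
SAMPLE_EVENT = {
    "@timestamp": "2021-06-28T06:38:24.448Z",
    "agent": {"type": "filebeat"}, "ecs": {"version": "1.9.0"},
    "event": {"module": "iis", "dataset": "iis.access"},
    "fileset": {"name": "access"},
    "host": {"id": "abc", "hostname": "iis01", "name": "iis01",
             "os": {"platform": "windows", "type": "windows"}},
    "input": {"type": "log"},
    "log": {"offset": 1234, "file": {"path": "C:\\inetpub\\logs\\u_ex210628.log"}},
}


def delete_dotted(event, key):
    """Delete a dotted key such as host.os.type in place; raise KeyError when
    any segment of the path is absent (Beats reports this as 'key not found')."""
    node = event
    parts = key.split(".")
    for part in parts[:-1]:
        if not isinstance(node, dict) or part not in node:
            raise KeyError(key)
        node = node[part]
    if not isinstance(node, dict) or parts[-1] not in node:
        raise KeyError(key)
    del node[parts[-1]]


def drop_fields(event, fields, ignore_missing=False):
    """Model of the drop_fields processor: returns (new_event, errors).
    Existing fields are removed even when others are missing; with
    ignore_missing=False each missing field adds one 'key not found' error."""
    out = deepcopy(event)
    errors = []
    for field in fields:
        try:
            delete_dotted(out, field)
        except KeyError:
            if not ignore_missing:
                errors.append(f"failed to drop field [{field}]: key not found")
    return out, errors
```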