ECS for syslog: why Filebeat does not follow ECS naming convention

jetnet · April 30, 2021, 7:19am

we're indexing syslogs data via Logstash (without Filebeat).
Since it's not that clear, how Logstash manages ECS schema, I checked the Filebeat mapping and realized, that it uses different naming for Syslog: system.syslog.*
ECS syslog fields starts from: log.syslog.*

Questions:

what is the correct mapping (ECS or Filebeat docu)?
can Logstash remap the standard syslog fields to ECS ones
(e.g. timereported -> @timestamp, syslogseverity-text -> log.syslog.severity.name) or do we need to "re-invent the wheel"?

Thanks a lot!

system · May 28, 2021, 7:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Modelling to Elastic Common Schema (ECS): Best practices in logstash Logstash	1	322	August 22, 2020
Logstash, syslog, ECS and Kibana Logs / SIEM Logstash	5	917	June 30, 2021
Logstash to ECS Logstash ecs-elastic-common-schema	5	3010	September 10, 2019
Filebeat events doesnt come with ECS compatibility while coming through Logstash Beats filebeat	12	1502	April 15, 2021
Implementing ECS with custom fields Logstash ecs-elastic-common-schema	4	998	December 4, 2019

ECS for syslog: why Filebeat does not follow ECS naming convention

Related topics