ECS for syslog: why Filebeat does not follow ECS naming convention

jetnet · April 30, 2021, 7:19am

we're indexing syslogs data via Logstash (without Filebeat).
Since it's not that clear, how Logstash manages ECS schema, I checked the Filebeat mapping and realized, that it uses different naming for Syslog: system.syslog.*
ECS syslog fields starts from: log.syslog.*

Questions:

what is the correct mapping (ECS or Filebeat docu)?
can Logstash remap the standard syslog fields to ECS ones
(e.g. timereported -> @timestamp, syslogseverity-text -> log.syslog.severity.name) or do we need to "re-invent the wheel"?

Thanks a lot!

system · May 28, 2021, 7:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Modelling to Elastic Common Schema (ECS): Best practices in logstash Logstash	1	299	August 22, 2020
Filebeat, Cisco ASA and ECS fields Beats filebeat	6	1494	August 13, 2020
Filebeat events doesnt come with ECS compatibility while coming through Logstash Beats filebeat	12	1359	April 15, 2021
Filebeat/Elastic/ECS source field conflict Logstash	7	1261	January 31, 2020
Es index name issue coming from Logstash Logstash	1	354	October 7, 2018

ECS for syslog: why Filebeat does not follow ECS naming convention

Related topics