We're indexing syslog data via Logstash (without Filebeat).
Since it's not that clear how Logstash manages the ECS schema, I checked the Filebeat mapping and realized that it uses different naming for Syslog: system.syslog.*
ECS syslog fields start with: log.syslog.*
Questions:
- what is the correct mapping (ECS or Filebeat documentation)?
- can Logstash remap the standard syslog fields to ECS ones (e.g. timereported -> @timestamp, syslogseverity-text -> log.syslog.severity.name), or do we need to "re-invent the wheel"?
Thanks a lot!
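A Logstash pipeline that performs the remapping asked about above, added here as an example (it is not from the original post or from Elastic's documentation). It assumes rsyslog forwards events as JSON lines using its standard property names (timereported, syslogseverity-text, ...) and uses only the stock date and mutate filters; the port, timestamp formats and index name are assumptions.

```conf
input {
  # Constructed example: rsyslog sends one JSON object per line over TCP.
  # Any input that yields the rsyslog property names below works the same way.
  tcp {
    port  => 5514
    codec => "json_lines"
  }
}

filter {
  # timereported -> @timestamp. Assumes the rsyslog template emits RFC 3339;
  # the two legacy RFC 3164 patterns are fallbacks for the default format.
  date {
    match  => ["timereported", "ISO8601", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss"]
    target => "@timestamp"
  }

  # Rename rsyslog properties to their ECS equivalents. Within one mutate,
  # rename runs before convert, so the converted names are the new ones.
  mutate {
    rename => {
      "msg"                 => "message"
      "hostname"            => "[host][name]"
      "programname"         => "[process][name]"
      "procid"              => "[process][pid]"
      "syslogseverity"      => "[log][syslog][severity][code]"
      "syslogseverity-text" => "[log][syslog][severity][name]"
      "syslogfacility"      => "[log][syslog][facility][code]"
      "syslogfacility-text" => "[log][syslog][facility][name]"
      "pri"                 => "[log][syslog][priority]"
    }
    # ECS defines the codes as numbers; rsyslog emits them as strings.
    convert => {
      "[log][syslog][severity][code]" => "integer"
      "[log][syslog][facility][code]" => "integer"
      "[log][syslog][priority]"       => "integer"
      "[process][pid]"                => "integer"
    }
    # rsyslog's msg property usually carries a leading space.
    strip        => ["message"]
    remove_field => ["timereported"]
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumption: local cluster
    index => "logs-syslog-default"       # assumption: data-stream style name
  }
}
```

If the event does not parse (for example a non-JSON line), the date filter tags it with _dateparsefailure and the renamed fields are simply absent, which is worth alerting on so that mis-templated hosts do not silently land with the wrong timestamp.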