Hi guys, adapting our integration (Wazuh) for Elastic 7.0, I've noticed that Filebeat is using a field named "agent" which is in conflict with our field "agent". Our events have agent.id, agent.name along with other agent.* fields.
Is there a way to rename the Filebeat fields to filebeat-agent or something else? If so, could it break something related to the Elastic stack? What's the best solution from your view?
I've seen https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-ecs.html#_agent_fields
We need the field agent for us... if possible...
Best regards,
Jesús
Here is my config:
filebeat.inputs:
- type: log
  paths:
    - "/var/ossec/logs/alerts/alerts.json"
  json.message_key: log
  json.keys_under_root: true
  json.overwrite_keys: true
output:
  logstash:
    # The Logstash hosts
    hosts: ["localhost:5000"]
As I can see at https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html, our JSON keys should overwrite Filebeat's fields.
What am I missing?
Regards
Hi guys, after some painful hours, I figured out how to achieve my goal; here is my new config:
filebeat.inputs:
- type: log
  paths:
    - "/var/ossec/logs/alerts/alerts.json"
  processors:
    - decode_json_fields:
        fields: ["message"]
        process_array: true
        max_depth: 200
        target: ""
        overwrite_keys: true
    - drop_fields:
        fields: ["message", "ecs"]
output:
  logstash:
    hosts: ["localhost:5000"]
It does exactly what I want; I hope it helps other users who may be facing the same issue.
Best regards,
Jesús
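To make the working config concrete, here is an added Python model (not Filebeat's code and not part of the thread) of what decode_json_fields with target "" and overwrite_keys does to the event root, plus a check for which top-level alert keys collide with names Filebeat populates. The sample alert line and the Filebeat metadata values are constructed, and the processing order (agent/ecs metadata attached before the input's processors run) is an assumption.

```python
import copy
import json

# Constructed sample alert line (shape assumed from Wazuh's alerts.json);
# only the agent.* keys matter for this demonstration.
WAZUH_ALERT = json.dumps({
    "timestamp": "2019-04-10T10:00:00.000+0000",
    "rule": {"level": 3, "description": "Login session opened."},
    "agent": {"id": "001", "name": "web-01"},
    "location": "/var/log/auth.log",
})

# Metadata Filebeat 7.x attaches to every event (placeholder values).
FILEBEAT_META = {
    "agent": {"type": "filebeat", "version": "7.0.0", "id": "<beat-id>"},
    "ecs": {"version": "1.0.0"},
}

def conflicting_keys(alert_line, reserved=("agent", "ecs", "host", "log", "input")):
    """Top-level keys of an alert that collide with names Filebeat populates."""
    return sorted(set(json.loads(alert_line)) & set(reserved))

def decode_json_fields(event, field="message", target="", overwrite_keys=True):
    """Model of decode_json_fields: target "" merges decoded keys into the root."""
    decoded = json.loads(event[field])
    if target:
        event[target] = decoded
        return event
    for key, value in decoded.items():
        if key in event and not overwrite_keys:
            continue  # keep the value Filebeat already set
        event[key] = value
    return event

def drop_fields(event, fields):
    """Model of drop_fields: remove the listed top-level keys if present."""
    for name in fields:
        event.pop(name, None)
    return event

def build_event(alert_line, overwrite_keys=True):
    """Assumed order: Filebeat adds agent/ecs metadata, then the input's
    processors run, so the decoded Wazuh agent object replaces Filebeat's."""
    event = {"message": alert_line, **copy.deepcopy(FILEBEAT_META)}
    event = decode_json_fields(event, overwrite_keys=overwrite_keys)
    return drop_fields(event, ["message", "ecs"])
```

Running conflicting_keys over the first few lines of a real alerts.json tells you up front which Wazuh keys need overwrite_keys: true to survive.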