Field named "agent", introduced in 7.0.0 is in conflict with our fields

jesusgn90 · April 22, 2019, 2:06pm

Hi guys, adapting our integration (Wazuh) for Elastic 7.0 I've noticed that Filebeat is using a field named "agent" which is in conflict with our field "agent". Our events have agent.id, agent.name along other agent.* fields.

Is there a way to rename the Filebeat fields to filebeat-agent or something else? If so, It may break something related to the Elastic stack? What's the best solution from your view?

I've seen https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-ecs.html#_agent_fields

We need the field agent for us... if possible...

Best regards,
Jesús

jesusgn90 · April 22, 2019, 2:21pm

Here is my config:

filebeat.inputs:
  - type: log
    paths:
     - "/var/ossec/logs/alerts/alerts.json"
    json.message_key: log
    json.keys_under_root: true
    json.overwrite_keys: true

output:
 logstash:
   # The Logstash hosts
   hosts: ["localhost:5000"]

As I can see https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html, our JSON keys should overwrite Filebeat's fields.

What I'm missing?

Regards

jesusgn90 · April 23, 2019, 10:30am

Hi guys, after some painful hours, I figured out how to achieve my goal, here is my new config:

filebeat.inputs:
  - type: log
    paths:
     - "/var/ossec/logs/alerts/alerts.json"

processors:
  - decode_json_fields:
      fields: ["message"]
      process_array: true
      max_depth: 200
      target: ""
      overwrite_keys: true
  - drop_fields:
      fields: ["message", "ecs"]

output:
 logstash:
   hosts: ["localhost:5000"]

It does exactly what I want, I hope it helps to other users that may be facing the same issue.

Best regards,
Jesús

system · May 21, 2019, 10:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.