Filebeat 7.17.6 automatically populates event.module and service.type fields?


I'm facing a weird behaviour of Filebeat for which I couldn't find any explanation in the docs. We write application logs into files in ECS format using the Elastic.CommonSchema.Serilog package. All log entries have a populated "service.type" field and no "event.module" field. Once the logs are loaded by Filebeat into Elastic (we use Filebeat modules), both the "event.module" and "service.type" fields are overwritten with the module name. I've double-checked the Filebeat configuration, module and ingestion pipeline configuration, and we do not populate these fields there.

As soon as I specify "service.type" in module configuration explicitly, I see this value in Elastic ("event.module" is still equal to module name).

Is it a known behavior?

How can I make sure that the original "service.type" value from the log files is preserved? As a workaround, I left "service.type" explicitly specified in the module configuration, but I'd like to keep the module configuration as small as possible and populate as much as possible in the application.
