Hi. We're writing application logs to files using the Elastic.CommonSchema.Serilog
package and then shipping them with Filebeat to Elastic. Here is what the agent
field looks like in the log files:
"agent": {
  "type": "Elastic.CommonSchema.Serilog",
  "version": "8.6.1+88f2bc81a0b7440e4059e323e610bb03df61862c"
}
Once the log entry is shipped to Elastic, it looks like this:
"agent": {
  "hostname": "[redacted]",
  "name": "filebeat_C3D",
  "id": "e0c409b0-053f-4911-acf1-486a1734c38c",
  "type": "Elastic.CommonSchema.Serilog",
  "ephemeral_id": "f02c1ec2-ff3c-4e7f-abd2-7c98a5601a58",
  "version": "8.6.1+88f2bc81a0b7440e4059e323e610bb03df61862c"
}
So Filebeat does add new subfields including agent.name, but does not overwrite agent.type and agent.version.
For the log entries written with a different library, where there is no agent field in the log files, Filebeat also writes agent.type and agent.version:
"agent": {
  "hostname": "[redacted]",
  "name": "filebeat_C3D",
  "id": "ed2bcdea-049b-4db6-99e1-b193bf51fbe6",
  "type": "filebeat",
  "ephemeral_id": "a6fd622d-167a-4242-9ed1-5274b4662714",
  "version": "7.17.6"
}
Is this intended behavior? If so, it leads to inconsistent data.
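
The two shipped documents above differ in where agent.type and agent.version come from. As an added example (not part of the original post and not Filebeat's own code), the Python below models the observed result as a merge in which keys already present in the log line win, then classifies a shipped document's agent object so mixed-provenance entries can be found. The function names and the constructed log lines are assumptions; the field values are copied from the samples in the post.

```python
import json

# Subfields the post shows Filebeat adding to every shipped event.
SHIPPER_KEYS = {"hostname", "name", "id", "ephemeral_id"}

# Shipper metadata, values copied from the second sample in the post.
FILEBEAT_AGENT = {
    "hostname": "[redacted]",
    "name": "filebeat_C3D",
    "id": "ed2bcdea-049b-4db6-99e1-b193bf51fbe6",
    "type": "filebeat",
    "ephemeral_id": "a6fd622d-167a-4242-9ed1-5274b4662714",
    "version": "7.17.6",
}

# Constructed log lines: one carrying an agent object, one without.
ECS_LOG_LINE = json.dumps({"message": "constructed", "agent": {
    "type": "Elastic.CommonSchema.Serilog",
    "version": "8.6.1+88f2bc81a0b7440e4059e323e610bb03df61862c"}})
PLAIN_LOG_LINE = json.dumps({"message": "constructed, no agent field"})


def merge_agent(shipper_agent, logged_agent):
    """Model of the observed result: keys already in the log line win."""
    merged = dict(shipper_agent)
    merged.update(logged_agent or {})
    return merged


def ship(line):
    """Decode one JSON log line and attach the merged agent object."""
    event = json.loads(line)
    event["agent"] = merge_agent(FILEBEAT_AGENT, event.get("agent"))
    return event


def agent_provenance(doc, shipper_type="filebeat"):
    """Return 'shipper', 'mixed', 'application' or 'missing' for a document."""
    agent = doc.get("agent")
    if not isinstance(agent, dict):
        return "missing"
    if agent.get("type") == shipper_type:
        return "shipper"
    # Shipper-added subfields next to an application-supplied type.
    return "mixed" if SHIPPER_KEYS.intersection(agent) else "application"
```

Documents classified as mixed are the ones where a query on agent.type or agent.version describes the logging library while agent.name and agent.id describe the shipper.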