Filebeat 8.15.0 sends its output to Logstash instead of directly to Elasticsearch. How should Logstash be configured? I tried, but the logs are not parsed the way they are when Filebeat connects directly to Elasticsearch.
Added filebeat
The pipeline run failed; see the `error.message` field in the indexed document below:
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"skipped": 0,
"failed": 0
},
"hits": {
"total": {
"value": 6257,
"relation": "eq"
},
"max_score": null,
"hits": [
{
"_index": ".ds-filebeat-8.15.0-2024.08.27-000001",
"_id": "Fw93nZEB6-W6QuqIYb05",
"_score": null,
"_source": {
"agent": {
"name": "elk-node1",
"id": "43fb58ac-a734-49bc-8df0-e268d0d173e4",
"ephemeral_id": "ce52a25b-66be-492f-9bb2-b7ceafb162ef",
"type": "filebeat",
"version": "8.15.0"
},
"log": {
"file": {
"path": "/data/docker/elk/nginx/logs/access.log"
},
"offset": 2060972
},
"message": "10.178.32.127 - - [29/Aug/2024:09:28:38 +0000] \"POST /api/ui_counters/_report HTTP/1.1\" 200 15 \"http://10.199.205.165/app/dev_tools\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36\" \"-\"",
"fileset": {
"name": "access"
},
"error": {
"message": "field [event.original] already exists"
},
"tags": [
"beats_input_codec_plain_applied"
],
"input": {
"type": "log"
},
"@timestamp": "2024-08-29T09:28:38.808Z",
"ecs": {
"version": "1.12.0"
},
"service": {
"type": "nginx"
},
"host": {
"name": "elk-node1"
},
"@version": "1",
"event": {
"ingested": "2024-08-29T09:28:52.281427801Z",
"original": "10.178.32.127 - - [29/Aug/2024:09:28:38 +0000] \"POST /api/ui_counters/_report HTTP/1.1\" 200 15 \"http://10.199.205.165/app/dev_tools\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36\" \"-\"",
"timezone": "+08:00",
"module": "nginx",
"dataset": "nginx.access"
}
},
"sort": [
1724923718808
]
}
]
}
}
Removing `[event][original]` in a Logstash filter, before the event is sent on to Elasticsearch, resolves the error:
# Workaround for the failure "field [event.original] already exists" reported in
# error.message of the indexed document: the event arrives with
# [event][original] already populated, so the field is dropped before output.
#
# NOTE(review): [event][original] holds the raw, unparsed log line. In the sample
# document it is identical to [message], which this filter leaves in place, so
# the raw line is still forwarded. Presumably the module's ingest pipeline
# re-creates event.original from message; confirm on indexed documents if the
# raw line is needed for investigation or audit.
#
# NOTE(review): the output section is not shown. For the ingest pipeline to run
# at all, the elasticsearch output presumably passes the name on with
# pipeline => "%{[@metadata][pipeline]}"; verify.
filter {
# Only events that carry an ingest pipeline name in their metadata are changed;
# every other event keeps [event][original].
if [@metadata][pipeline] {
ruby {
# Deletes the field from the event; the rest of the event is untouched.
code => "event.remove('[event][original]')"
}
}
}