If I'm not wrong, this is a breaking change in 8.X related to ecs fields.
From 8.0 the pipeline.ecs_compatibility setting is on by default, so Logstash will output ecs fields and in this case the event.original field is created, in version 7.X the pipeline.ecs_compatibility setting was disabled by default.
For example, if you test the following pipeline in Logstash:
input {
stdin {}
}
output {
stdout {}
}
And you set pipeline.ecs_compatibility: v8 in logstash.yml
and you run:
echo "sample message" | /opt/logstash/bin/logstash --path.settings /opt/logstash/config -f /opt/logstash/pipelines/config.conf
You will get this output:
{
"event" => {
"original" => "sample message"
},
"message" => "sample message",
"host" => {
"hostname" => "server"
},
"@version" => "1",
"@timestamp" => 2022-11-10T21:46:56.615Z
}
If you set pipeline.ecs_compatibility as disabled you get this output:
{
"@version" => "1",
"message" => "sample message",
"host" => "server",
"@timestamp" => 2022-11-10T21:50:08.861Z
}
So if someone is using Logstash with Filebeat or Elastic Agent modules and Elasticsearch Ingest pipelines, they may have some issues because some of those pipelines will try to copy message into event.original, which may already exist.
I think that this proposed change to use @metadata.original instead of event.original would be better.