Filebeat doesn't send the message field to logstash

Hello,

I have deployed Filebeat 6.8.1 in docker container, filebeat sends all the corrected data but the MESSAGE field is missing.

The input configuration is:

• type: log
  paths:
  • '/var/lib/docker/containers//.log'
    json.message_key: log
    json.keys_under_root: true
    enabled: true
    encoding: utf-8
    fields:
    type: docker_filebeat_log
    environment: production
    processors:
  • add_docker_metadata: ~

I tried also with input docker, in this case I have the message field but I no longer have the TIME field.

The input configuration is:

• type: docker
  containers.ids: '*'
  encoding: utf-8
  enabled: true
  exclude_files: ['.gz$']
  fields:
  type: docker_filebeat_log
  environment: production
  processors:
  • add_docker_metadata: ~

Can you help me solve one of the two cases?

Thanks

Daniele

Hi @daniele.saccon and welcome

If you are using filebeat to collect docker logs, it'd be better if you try with the second option, using the docker input. The time field of docker logs is stored as the @timestamp.

Hi @jsoriano, thanks

The @timestamp is overwritten? Is its original value lost?

Thanks

Daniele

The time in the logs is used as the @timestamp.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.