Filebeat ignore harvest JSON file

Marek_Pastier · January 22, 2019, 6:52am

Hi guys
My configuration for Filebeat ver 6.5 ignore harvesting json log file. My actual configuration /etc/filebeat/filebeat.yml

filebeat.inputs:

type: log
json.keys_under_root: true
json.add_error_key: true
paths:

/var/log/eset.log

example some lines from json files

{"event_type":"Threat_Event","ipv4":"10.195.21.253"}
{"event_type":"Threat_Event","ipv4":"10.195.21.253"}

shrikantgulia · January 22, 2019, 10:31am

Hello @Marek_Pastier,
try to use this

filebeat.prospectors:

input_type: log
paths:
- /home/rdave/Downloads/*.json
  fields:
  service_id: *
  fields_under_root: true
  output.logstash:
  hosts: ['localhost:5044']

Marek_Pastier · January 23, 2019, 7:26am

thank you for proposal. But is not working for me. I change filebeat configuration next.

filebeat.inputs:

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /var/log/eset.log
  json.keys_under_root: true
  json.add_error_key: true

Now is working. Here is seeting from logstash folder.
cd /etc/logstash/conf.d/
ls -l
02-beats-input.conf
10-syslog-filter.conf
15-eset-filter.conf
30-elasticsearch-output.conf

cat 15-eset-filter.conf

input {
beats {
port => "5044"
host => "localhost"
}
}
filter {
json {
source => "message"
}
}
output {
elasticsearch {
hosts => [ "localhost:9200" ]
}
}

system · February 20, 2019, 7:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.