Filebeat ingest

Anwar · February 25, 2022, 5:02am

Hi Team,

I want to use the below ingest directly in the Filebeat.yml file.

elastic/beats/blob/6b116c5b837e1760b787fbe4d02ca9a6088d1beb/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml

---
description: Pipeline for AWS CloudTrail Logs
processors:
  - rename:
      field: "message"
      target_field: "event.original"
  - json:
      field: "event.original"
      target_field: "json"
  - date:
      field: "json.eventTime"
      target_field: "@timestamp"
      ignore_failure: true
      formats:
        - ISO8601
  - rename:
      field: "json.eventVersion"
      target_field: "aws.cloudtrail.event_version"
      ignore_failure: true
  - rename:

This file has been truncated. show original

I have made changes for few processor. need to know -> how to use grok, Geoip, user-agent and scripts.
Please help me on the same.

Because, am using Filebeat.yml with Cloudtrail module for pushing the Cloudtrail log event to the elk using docker.
The logs in elk is not parsed as expected.
Note: I want to push it to Elasticsearch via Logstash only.

system · March 25, 2022, 7:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.