Filebeat Input Type

Could be a stupid question: can we manipulate the input type in the filebeat.yml to be whatever string we want?

I want to uniquely identify logs that come from this server (without having to create a separate index for them or using a normaliser to add a field).

For example - LinuxLogTest as shown below:

filebeat.inputs:
- type: LinuxLogTest
  paths:
    - /var/log/messages
    - /var/log/secure

Example Log:

{
  "beat": {
    "ip": "10.0.0.0",
    "version": "6.4.0",
    "hostname": "ip-10.0.0.0",
    "name": "Test"
  },
  "@version": "1",
  "message": "Aug 30 09:02:48 ip-10.0.0.0 dhclient[691]: bound to 172.0.0.0 -- renewal in 1414 seconds.",
  "@timestamp": "2018-08-30T09:02:49.881Z",
  "host": {
    "name": "Test"
  },
  "source": "\/var\/log\/messages",
  "offset": 50334,
  "tags": [
    "beats_input_codec_plain_applied"
  ],
  "input": {
    "type": "log"
  },
  "prospector": {
    "type": "log"
  }
}

I'd like to change the input type, or prospector type, or any field inside that log message to be uniquely identifiable to that machine using that filebeat configuration.

P.S. Using the host as a unique identifier would not work with my use case.

Just found the ability to add a tags field, will test now.

filebeat.inputs:
- type: log
  . . .
  tags: ["json"]

OK, that works. Don't know how to close it.
