Could be a stupid question, can we manipulate the input type in the filebeat.yml to be whatever string we want?
I want to uniquely identify logs that come from this server (without having to create a separate index for them or using a normaliser to add a field)
For example - LinuxLogTest as shown below:
filebeat.inputs:
- type: LinuxLogTest
paths:
- /var/log/messages
- /var/log/secureExample Log:
{
"beat": {
"ip": "10.0.0.0",
"version": "6.4.0",
"hostname": "ip-10.0.0.0",
"name": "Test"
},
"@version": "1",
"message": "Aug 30 09:02:48 ip-10.0.0.0 dhclient[691]: bound to 172.0.0.0 -- renewal in 1414 seconds.",
"@timestamp": "2018-08-30T09:02:49.881Z",
"host": {
"name": "Test"
},
"source": "\/var\/log\/messages",
"offset": 50334,
"tags": [
"beats_input_codec_plain_applied"
],
"input": {
"type": "log"
},
"prospector": {
"type": "log"
}
}
I'd like to change the input type, or prospector type, or any field inside that log message to be uniquely identifiable to that machine using that filebeat configuration.
p.s. Using the host as a unique identifier would not work with my use case.
Just found the ability to add a tags field, will test now.
filebeat.inputs:
- type: log
. . .
tags: ["json"]Ok that works. Dont know how to close it.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.