I have been using the Beats input type log, but with the 7.14.0 release I noticed that the filestream input type is supposed to be an improvement to the log input type. I noticed that the event metadata differs between the two.
For example, input type log displays the file name and path as:
    "log" => {
        "offset" => 0,
        "file" => {
            "path" => "/tmp/mikes3.log"
        }
    },
whilst input type filestream displays as:
    "log" => {
        "path" => "/tmp/mikes3.log",
        "offset" => 180
    }
Basically the schema has changed from [log][file][path] to [log][path].
Is this intentional for filestream or perhaps a miss?
To me this does not fit the ECS schema for log.file.path as per ECS fields | Filebeat Reference [7.14] | Elastic
I have written a Logstash output plugin that parses this data. This plugin has now broken due to the changes in the event metadata schema for what I would perceive as a replacement for the input type log.
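One way a consumer could tolerate both event shapes shown in the post, as an added example that is not part of the original post and not Filebeat or Logstash code. It models events as plain nested Ruby Hashes; the helper names `source_path` and `normalize_log_path` are hypothetical, and the sample events are constructed from the two outputs above.

```ruby
# Added example: plain-Ruby helpers, not Logstash or Filebeat code.
# Events are modelled as nested Hashes, as in the rubydebug output above.

# Return the source file path from either event shape, or nil if absent.
def source_path(event)
  log = event["log"]
  return nil unless log.is_a?(Hash)

  file = log["file"]
  nested = file.is_a?(Hash) ? file["path"] : nil # [log][file][path] (log input)
  flat = log["path"]                             # [log][path] (filestream, as posted)
  [nested, flat].find { |p| p.is_a?(String) && !p.empty? }
end

# Return a copy of the event with the path stored only at [log][file][path].
# The input event is left unmodified; events without a path pass through.
def normalize_log_path(event)
  path = source_path(event)
  return event if path.nil?

  log = event["log"].dup
  log.delete("path")
  file = log["file"].is_a?(Hash) ? log["file"].dup : {}
  file["path"] = path
  log["file"] = file
  event.merge("log" => log)
end

# Constructed sample events mirroring the two outputs in the post.
LOG_INPUT_EVENT = { "log" => { "offset" => 0, "file" => { "path" => "/tmp/mikes3.log" } } }
FILESTREAM_EVENT = { "log" => { "path" => "/tmp/mikes3.log", "offset" => 180 } }

if __FILE__ == $PROGRAM_NAME
  [LOG_INPUT_EVENT, FILESTREAM_EVENT].each do |ev|
    puts normalize_log_path(ev).inspect
  end
end
```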