Filebeat modules not user-friendly and missing real references to version and format requirements


Many of the Filebeat modules have a hint that they were converted from RSA NetWitness log parser XML. After some searching and trying to understand how to get to the log format required by the module, I must say that it all seems a bit like marketing fuzz. Let me explain with the example of f5 bigipapm.

The documentation states nothing about the actually required log format, nor about the supported releases from f5. Trying to find the magic behind "This was converted from RSA NetWitness log parser XML "bigipapm" device revision 113." and looking at ./x-pack/filebeat/module/f5/bigipapm/test/generated.log, it is very unclear how to set up the f5, e.g. with release 15.1, to actually meet the demands of the module.

All in all, this is not the good user experience that is surely intended by Elastic.

How about adding the minimum needed sane information, like:
supported releases: e.g. 13.3-15.1
log format: the exact format, or at least a link to where to find what to configure

I think the way this is implemented does not meet the original ease-of-use intention, or maybe I'm missing something drastic? What's your experience?
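One practical way to answer the "does my device actually emit what the module expects" question without documentation is to compare the structure of a line from the module's test/generated.log with a line captured from your own device. The script below is an added example for this thread, not code from Filebeat or from the poster: it extracts a syslog "shape" (PRI present or not, RFC 3164 vs RFC 5424 timestamp, program tag, PID, and the set of key=value field names) and reports what differs. The two sample lines are constructed for illustration and are not the real F5 APM format; the field names are assumptions. Point `compare_shapes` at real lines from generated.log and from your BIG-IP to see which header or field differences the pipeline would trip over.

```python
import re
from typing import Any, Dict, Iterable, List

# Constructed sample lines (NOT taken from Filebeat's generated.log, NOT the
# real F5 APM format). The "module" line stands in for what the module's test
# file shows; the "device" line stands in for what a real appliance sent.
MODULE_SAMPLE = (
    "<134>Jan 12 10:15:01 apm01 apmd[2345]: "
    "user=alice src=192.0.2.10 action=login result=success"
)
DEVICE_LINE = (
    "<134>2021-01-12T10:15:01.123Z apm01 apmd[2345]: "
    "user=alice src_ip=192.0.2.10 action=login result=success extra=1"
)

# Syslog header: optional <PRI>, RFC 3164 ("Jan 12 10:15:01") or RFC 5424
# (ISO 8601) timestamp, hostname, program tag with optional [pid], then body.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
    r"|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))"
    r"\s+(?P<host>\S+)"
    r"\s+(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<body>.*)$"
)
# key=value field names in the message body (names only; values are ignored).
KV_RE = re.compile(r"(?:^|\s)([A-Za-z_][\w.-]*)=")


def log_shape(line: str) -> Dict[str, Any]:
    """Reduce one syslog line to the structural features a parser keys on."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        return {"parsed": False, "raw": line}
    ts = m.group("ts")
    return {
        "parsed": True,
        "pri": m.group("pri") is not None,
        "timestamp": "rfc5424" if ts[0].isdigit() else "rfc3164",
        "host": m.group("host"),
        "program": m.group("prog"),
        "has_pid": m.group("pid") is not None,
        "keys": set(KV_RE.findall(m.group("body"))),
    }


def compare_shapes(expected: Dict[str, Any], actual: Dict[str, Any]) -> Dict[str, Any]:
    """Diff a device line's shape against a module sample's shape.

    Hostnames are expected to differ per device and are deliberately ignored.
    """
    diffs: Dict[str, Any] = {"header": [], "missing_keys": set(), "extra_keys": set()}
    if not expected.get("parsed") or not actual.get("parsed"):
        diffs["header"].append("one of the lines has no recognisable syslog header")
        return diffs
    for field in ("pri", "timestamp", "program", "has_pid"):
        if expected[field] != actual[field]:
            diffs["header"].append(
                f"{field}: module sample has {expected[field]!r}, device sent {actual[field]!r}"
            )
    diffs["missing_keys"] = expected["keys"] - actual["keys"]
    diffs["extra_keys"] = actual["keys"] - expected["keys"]
    return diffs


def closest_sample(samples: Iterable[str], device_line: str) -> Dict[str, Any]:
    """Pick the sample line whose shape is nearest to the device line.

    Useful when generated.log holds many message types: the fewest header and
    field differences is the message type your device line most likely is.
    """
    actual = log_shape(device_line)
    best: Dict[str, Any] = {}
    best_score = None
    for sample in samples:
        d = compare_shapes(log_shape(sample), actual)
        score = len(d["header"]) + len(d["missing_keys"]) + len(d["extra_keys"])
        if best_score is None or score < best_score:
            best_score, best = score, {"sample": sample, "diff": d}
    return best


if __name__ == "__main__":
    result = compare_shapes(log_shape(MODULE_SAMPLE), log_shape(DEVICE_LINE))
    for line in result["header"]:
        print("header:", line)
    print("fields the module sample has but the device did not send:", sorted(result["missing_keys"]))
    print("fields the device sent that the module sample lacks:", sorted(result["extra_keys"]))
```

In real use, read generated.log and a capture from your appliance (e.g. `tcpdump` of the syslog stream, or the module's own `-e -d "*"` debug output) and feed each device line to `closest_sample`. A timestamp-style mismatch or a renamed field, as in the constructed pair above, is exactly the kind of silent difference that makes an auto-converted pipeline drop or misparse events.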


As someone who has modified the modules and pipelines, those autogenerated ones are super hard to interpret, even for the simpler modules. I'm currently working on changes to the Palo Alto module, and the format of the logs changes between versions, and I'm only doing the latest. @jamie.hynds This may be an interesting discussion to have, especially as you guys work on the agent integrations.
