Filebeat not sending fileset meta data to logstash

Hey guys,

New to ELK and trying to get this working. I have successfully installed 6.8.3, and it worked; I was getting the correct fields from Filebeat, including the fileset.module information. But I ended up upgrading to 7.3.2, and now I'm unable to get this data from Filebeat; it's just hitting Logstash and going to Elasticsearch as syslog data (completely bypassing the stock filter, since it's not showing the fileset.module field).

I've been beating my head on this and have completely wiped out all the instances of Filebeat, recreated them, tried removing and re-creating templates, etc. Nothing seems to be changing how this data is being sent. I have another filter that is working fine (for a Fortinet firewall). It seems that all of my issues are specifically because Filebeat isn't sending the correct metadata. Is there somewhere to enable or disable this?

Thanks!

Hi @562uned, the fileset object has been removed starting v7.0 it seems; you can have a further look here: https://github.com/elastic/beats/pull/8879 and https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-7.0.0.html. Can you try to find the event.module and event.dataset properties instead?

That was what I was thinking... but then I found the official documentation still uses this in the 7.3 Logstash pipeline guide:
https://www.elastic.co/guide/en/logstash/current/logstash-config-for-filebeat-modules.html
Guess that got missed on the update.

Thanks for the help! At least I know I'm not going crazy now!
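
An added example (not from the thread or from Elastic's documentation) of a Logstash filter that keeps matching across the field rename discussed above: it copies `fileset.module` into `event.module` when only the old field is present, and tags Filebeat events that carry neither, so a bypassed module filter shows up in the index instead of passing silently. The module name `system` and both tag names are assumptions for illustration.

```logstash
filter {
  # Filebeat 6.x module events carry [fileset][module];
  # 7.x module events carry [event][module] instead.
  # Normalise to the 7.x name so one conditional covers both versions.
  if !([event][module]) and [fileset][module] {
    mutate {
      copy => { "[fileset][module]" => "[event][module]" }
    }
  }

  if [event][module] == "system" {          # assumed module name
    # The module-specific grok/date/geoip filters go in this branch.
    mutate {
      add_tag => ["module_system"]          # assumed tag name
    }
  } else if [@metadata][beat] == "filebeat" and !([event][module]) {
    # A Filebeat event with no module field at all: either the input is
    # not a module fileset, or the field name changed again. Tag it so the
    # gap can be searched for rather than discovered by missing fields.
    mutate {
      add_tag => ["filebeat_no_module_field"]   # assumed tag name
    }
  }
}
```

Searching the index for the second tag after an upgrade shows quickly whether events are skipping the module filter.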
