Filebeat overwrites log file source field


(Indrek) #1

I have a log file with data:
"event": "response",
"timestamp": 1460542601136,
"id": "1460542601136:tw-api-test:11613:imx8v2w8:10545",
"instance": "http://127.0.0.1:3000",
"labels": ["api"],
"method": "post",
"path": "/calculator/calculate",
"query": {},
"responseTime": 108,
"statusCode": 200,
"pid": 11613,
"httpVersion": "1.0",
"source": {
    "remoteAddress": "127.0.0.1",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36",
    "referer": "http://devel/"
}
But Elastic gets:
"event":"response",
"timestamp":1460538299188,
"id":"1460538299188:tw-api-test:11613:imx8v2w8:10362",
"instance":"http://127.0.0.1:3000",
"labels":["api"],
"method":"post",
"path":"/calculator/calculate",
"query":{},
"responseTime":65,
"statusCode":200,
"pid":11613,
"httpVersion":"1.0",
"source":"/opt/api/logs/api.tavexwise.com/general/request-20160413-0000-db9723d1f2.log",

Filebeat exports a field source, which overwrites my source. Is it possible to rename one of them? E.g. filebeat export_field source field to log_file etc.?

Thanks,
Indrek


(Steffen Siering) #2

You send via Logstash? In Logstash, do you use the json codec or the json filter?


(Indrek) #3

Yes, Logstash.
My current conf is:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/ssl/logstash/certs/logstash-forwarder.crt"
    ssl_key => "/etc/ssl/logstash/private/logstash-forwarder.key"
    codec => json
  }
}

#filter {
#  mutate {
#    rename => {
#      "source" => "logfile"
#    }
#  }
#}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    #index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    index => "%{[@metadata][beat]}"
    document_type => "%{[@metadata][type]}"
  }
  stdout {
    codec => json
  }
}


(Steffen Siering) #4

You might want to use the json filter instead of the codec. Have a mutate filter rename source to logfile before applying the json filter.
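
Added example, not part of the original thread: a Logstash pipeline following the suggestion in #4, so that the request's source object (remoteAddress, userAgent, referer) survives next to the file path. It assumes Filebeat ships each raw log line in the message field; the rubydebug stdout output is added here only for checking the result.

```logstash
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/ssl/logstash/certs/logstash-forwarder.crt"
    ssl_key => "/etc/ssl/logstash/private/logstash-forwarder.key"
    # No "codec => json" here: the line stays unparsed in "message"
    # until the filter stage, where the order of operations is explicit.
  }
}

filter {
  # 1. Move Filebeat's own "source" (path of the harvested file) out of the way.
  mutate {
    rename => { "source" => "logfile" }
  }

  # 2. Only now parse the application's JSON line. Its "source" object
  #    is written into the field name that step 1 freed up.
  json {
    source => "message"
  }
}

output {
  # Expected shape of each event:
  #   "logfile" => path of the log file on the shipping host
  #   "source"  => { "remoteAddress" => ..., "userAgent" => ..., "referer" => ... }
  stdout {
    codec => rubydebug
  }
}
```

If the target Elasticsearch index has already mapped source as a string from earlier events, documents that carry source as an object conflict with that mapping, so write to a new index or recreate the existing one.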

