Filebeat, s3access & ECS


Looking to start migrating to ECS, for all the benefits listed on the blog

Got nginx running through the filebeat modules, happy days (although the blog post suggests I should have event.original and message fields, which I don't appear to have...)

I want to convert some s3 access logs, that are currently getting pulled in by logstash. I figured I could be lazy and steal the filebeat pipeline

However as I understand things, that doesn't seem to be using ECS yet?
(EG it uses aws.s3access.remote_ip rather than source.ip)

Am I right in this belief, and I need to go off an manually map all the fields to ECS?
Or am I looking at the wrong pipeline for filebeat?


Hi @cosmo, yeah you are right, aws.s3access.remote_ip is not using ECS right now. The fields in s3access fileset that's using ECS are: tls.cipher, tls.version and tls.version_protocol. Maybe for vpcflow fileset will be a better ECS example for you. I will create a github issue to track converting fields in s3access to ECS as well. Thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.