I see a discrepancy in Filebeat output between Linux and Windows.
ELK setup:
ELK server - Ubuntu 18.04.1 LTS
- Elasticsearch version 6.3.2
- Logstash version 6.3.2
- Kibana version 6.3.2
ELK node 1 - Ubuntu 18.04.1 LTS, Filebeat version 6.3.2 (installed from https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.3.2-amd64.deb)
ELK node 2 - Windows Server 2012R2, Filebeat version 6.3.2 (installed from https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.3.2-windows-x86_64.zip)
For the sake of the tests I am starting Logstash manually with:
logstash -f 10-log-filter.conf
The content of 10-log-filter.conf file is:
input {
    beats {
        port => 5043
        ssl => false
    }
}
filter {
    if [type] == "log" {
        grok {
            match => { "message" => "%{LOGTIMESTAMP:logtimestamp} %{GREEDYDATA:everythingelse}" }
        }
        mutate {
            add_field => { "newtimestamp" => "%{logtimestamp}" }
            remove_field => ["logtimestamp"]
        }
        date {
            match => [ "newtimestamp", "yyyy-MM-dd HH:mm:ss.SSS" ]
            target => "@timestamp"
        }
    }
}
output { stdout { codec => rubydebug } }
where LOGTIMESTAMP is a custom pattern.
Then harvesting a single file with Filebeat with the following content:
2018-10-17 08:17:18.079 Information Connecting to message broker.
The following is received in Logstash stdout when the test file is harvested by Filebeat under Linux:
{
         "@timestamp" => 2018-10-17T08:17:18.079Z,
             "source" => "/opt/test/AuthenticationService.log",
            "message" => "2018-10-17 08:17:18.079 Information Connecting to message broker.",
               "host" => "elk-node01",
       "newtimestamp" => "2018-10-17 08:17:18.079",
               "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
             "fields" => nil,
           "@version" => "1",
             "offset" => 0,
               "type" => "log",
               "beat" => {
        "hostname" => "elk-node01",
            "name" => "elk-node01"
    },
         "input_type" => "log",
     "everythingelse" => "Information Connecting to message broker.",
              "count" => 1
}
The following is received in Logstash stdout when the test file is harvested by Filebeat under Windows:
{
    "@timestamp" => 2018-11-26T10:28:12.795Z,
        "source" => "C:\Microservices\test\AuthenticationService.log",
       "message" => "2018-10-17 08:17:18.079 Information Connecting to message broker.",
          "host" => {
        "name" => "elk-node02"
    },
          "beat" => {
        "hostname" => "elk-node02",
            "name" => "elk-node02",
         "version" => "6.3.2"
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
    "prospector" => {
        "type" => "log"
    },
         "input" => {
        "type" => "log"
    },
      "@version" => "1",
        "offset" => 0
}
There are differences in how the file is being parsed by Logstash.
Therefore I also output the log as a file rather than sending it to Logstash.
The following is the record in output file when the test file is harvested by Filebeat under Linux:
{"@timestamp":"2018-11-26T10:26:42.911Z","beat":{"hostname":"elk-node01","name":"elk-node01"},"count":1,"fields":null,"input_type":"log","message":"2018-10-17 08:17:18.079 Information Connecting to message broker.","offset":0,"source":"/opt/test/AuthenticationService.log","type":"log"}
The following is the record in output file when the test file is harvested by Filebeat under Windows:
{"@timestamp":"2018-11-26T10:31:50.147Z","@metadata":{"beat":"filebeat","type":"doc","version":"6.3.2"},"message":"2018-10-17 08:17:18.079 Information Connecting to message broker.","input":{"type":"log"},"prospector":{"type":"log"},"beat":{"name":"elk-node02","hostname":"elk-node02","version":"6.3.2"},"host":{"name":"elk-node02"},"source":"C:\Microservices\test\AuthenticationService.log","offset":0}
Obviously there is a difference in the output files between Filebeat used under Linux and Windows.
Why is this happening, and how can it be fixed (if it should be fixed at all)? I also tried with Filebeat version 6.5.1 under Windows, but the result is still different.
Filebeat under Linux is working as I would like, but not Filebeat under Windows. So what is wrong with Filebeat under Windows?
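The two file-output records quoted in the post carry the input type in different places (a top-level `type` on Linux, `input.type` / `prospector.type` plus `beat.version` on Windows), so a conditional on `[type]` alone only fires for one layout, and the grok/date steps never run on the other. As an added example that is not part of the post, this Python emulates the filter on both records with the post's conditional and with an assumed one that accepts either location; the `LOGTIMESTAMP` regex and the function names are assumptions standing in for the custom pattern.

```python
import re
from datetime import datetime, timezone

# Constructed copies of the two file-output records quoted in the post
# (Windows path kept as a raw string; Linux record has no host field).
LINUX = {"@timestamp": "2018-11-26T10:26:42.911Z", "count": 1, "fields": None,
         "input_type": "log", "type": "log", "offset": 0,
         "message": "2018-10-17 08:17:18.079 Information Connecting to message broker.",
         "source": "/opt/test/AuthenticationService.log",
         "beat": {"hostname": "elk-node01", "name": "elk-node01"}}
WINDOWS = {"@timestamp": "2018-11-26T10:31:50.147Z", "offset": 0,
           "@metadata": {"beat": "filebeat", "type": "doc", "version": "6.3.2"},
           "message": "2018-10-17 08:17:18.079 Information Connecting to message broker.",
           "input": {"type": "log"}, "prospector": {"type": "log"},
           "beat": {"name": "elk-node02", "hostname": "elk-node02", "version": "6.3.2"},
           "host": {"name": "elk-node02"},
           "source": r"C:\Microservices\test\AuthenticationService.log"}

# Assumed stand-in for the post's custom LOGTIMESTAMP pattern: yyyy-MM-dd HH:mm:ss.SSS
LOGTIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")

def input_type(rec):
    """Return the input type from whichever location this Filebeat layout uses."""
    return (rec.get("type") or rec.get("input", {}).get("type")
            or rec.get("prospector", {}).get("type") or rec.get("input_type"))

def hostname(rec):
    """host is a plain string in one layout and an object with 'name' in the other."""
    host = rec.get("host")
    return host.get("name") if isinstance(host, dict) else (host or rec["beat"]["hostname"])

def legacy_conditional(rec):
    """What the post's `if [type] == "log"` actually tests: a top-level `type` field."""
    return rec.get("type") == "log"

def schema_conditional(rec):
    """Assumed replacement, like `if [type] == "log" or [input][type] == "log"` in Logstash."""
    return input_type(rec) == "log"

def apply_filter(rec, conditional=legacy_conditional):
    """Emulate the post's grok -> mutate -> date pipeline on one record."""
    out = dict(rec)
    if not conditional(rec):
        return out  # filter block skipped: @timestamp keeps the Filebeat ingest time
    m = LOGTIMESTAMP.match(rec["message"])
    if not m:
        out["tags"] = list(rec.get("tags", [])) + ["_grokparsefailure"]
        return out
    out["newtimestamp"], out["everythingelse"] = m.groups()
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    out["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return out
```

With the post's conditional only the Linux record gets its `@timestamp` rewritten to the time inside the message; with the schema-aware conditional both do.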