Fleet Integration Adding Cloud Fields to an Index from Elastic Agent's filebeat.yml

I'm having an issue where some rogue configuration is adding cloud fields to the documents of one of my indices. In particular, it looks like there is some add_cloud_metadata: ~ processor running somewhere.

After much troubleshooting, I've confirmed that no index template or component template contains the add_cloud_metadata: ~ processor.

However, I've discovered that on the Elastic Agent itself, it seems the file /opt/Elastic/Agent/data/elastic-agent-<ID>/data/install/filebeat-<VER>/filebeat.yml is applying the add_cloud_metadata: ~ config. Apart from commenting the line out directly, is there another way of managing this config, ideally from the Fleet Server itself (GUI or API)?

So it looks like this issue has been discussed before and there isn't a way via GUI or API as far as this post goes: [Elastic Agent] Overwrite global processor settings · Issue #129 · elastic/elastic-agent · GitHub

In short, Filebeat and other Beats have global processors running by default that are not managed by a Fleet Server. Just need to manually comment or remove them if they are causing noise.
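The manual edit described above, as an added example that is not part of the original posts or of Elastic's tooling: a shell function that comments out one processor list item (and any nested settings under it) in a Beat YAML file, keeping a backup. The function names and the sample config are constructed for illustration; the layout assumed is a `processors:` list with space-indented `- name:` items.

```bash
#!/usr/bin/env bash
# Added example. Assumption: processors appear as YAML list items such as
# "  - add_cloud_metadata: ~", indented with spaces.

# make_sample FILE: writes a constructed processors section for trying this out.
make_sample() {
  cat > "$1" <<'EOF'
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
EOF
}

# disable_processor FILE NAME
# Comments out the "- NAME:" item plus any more-indented lines below it.
# Returns 0 if something was commented out (FILE.bak holds the original),
# 1 if no active NAME processor was found (file left untouched).
disable_processor() {
  local file=$1 name=$2 tmp
  tmp=$(mktemp) || return 2
  if awk -v name="$name" '
      function indent(s) { match(s, /^ */); return RLENGTH }
      {
        # A non-blank line at or left of the item indent ends the item.
        if (in_item && $0 ~ /[^ ]/ && indent($0) <= item_indent) in_item = 0
        if (!in_item && $0 ~ ("^ *- *" name ":")) {
          in_item = 1; item_indent = indent($0)
        }
        if (in_item && $0 ~ /[^ ]/) { print "#" $0; n++ } else print
      }
      END { exit (n ? 0 : 1) }
    ' "$file" > "$tmp"; then
    # cat into the original so its owner and mode are preserved.
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"
    rm -f "$tmp"
    return 0
  fi
  rm -f "$tmp"
  return 1
}

# Usage when run with arguments: script.sh /path/to/filebeat.yml [processor]
if [ -n "${1:-}" ]; then
  disable_processor "$1" "${2:-add_cloud_metadata}"
fi
```

Running it a second time on the same file returns 1 and changes nothing, because already commented lines no longer match.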
