From Filebeat to Logstash (and next to Elasticsearch) - pipeline processing

Rysiu · December 29, 2022, 6:34pm

Hi,

I'm having trouble getting data to transfer correctly from Filebeat to Logstash (then to Elasticsearch).

When I configure in filebeat.yml output directly to Elasticsearch everything is ok.

However, when I configure in filebeat.yml output to Logstash with the following pipeline:

input {
  beats {
    port => 5044
  }
}

filter {
    if [event][module] == "apache" {
      grok {
          match => { "message" => "%{COMBINEDAPACHELOG}"}
      }
    }
}

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => ["https://PK-ELK1:9200", "https://PK-ELK2:9200", "https://PK-ELK3:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
      pipeline => "%{[@metadata][pipeline]}"
      cacert => "/etc/logstash/certs/ca.crt"
      user => "elastic"
      password => "ukEXHJ3xMfx+rqxl08cn"

    }
  } else {
    elasticsearch {
      hosts => ["https://PK-ELK1:9200", "https://PK-ELK2:9200", "https://PK-ELK3:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}"
      action => "create"
      cacert => "/etc/logstash/certs/ca.crt"
      user => "elastic"
      password => "xxxxx"
    }
  }
}

... I have problems ...

Not all fields that were created with the Filebeat -> Elasticsearch direct connection are created with the Filebeat -> Logstash -> Elasticsearch connection.

During the analysis, for example, when I use Logstash to Elastic fields are not added:

user.name
user_agent.version
user_agent.os.version
user_agent.os.name
user_agent.os.full
user_agent.name
user_agent.device.name
url.path
traefik.access.user_agent.os_name
traefik.access.user_agent.name
source.ip
event.outcome
event.kind
event.created
event.category

What could be the problem here?

leandrojmp · December 29, 2022, 6:40pm

Are you using the Apache module in Filebeat?

If you are using modules, the parse is done in Elasticsearch and you should not parse your message with this filter:

    if [event][module] == "apache" {
      grok {
          match => { "message" => "%{COMBINEDAPACHELOG}"}
      }
    }

This could change the message that will arrive at elasticsearch and the ingest pipeline may not work as expected.

Rios · December 30, 2022, 2:35pm

You can see here which fields will get from COMBINEDAPACHELOG.
Additionally, user_agent should be parsed with the filter plugin useragent

system · January 27, 2023, 4:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat --> Logstash works but directly to Elasticsearch = nothing Beats filebeat	5	542	April 10, 2018
Filebeat's module using Logstash Beats filebeat	6	3703	November 30, 2017
Trying to use pipelines with filebeat output.elasticsearch Beats filebeat	3	1031	December 15, 2018
Why I can't get all log from filebeat to elasticsearch? Beats	4	621	April 11, 2018
Filebeat to Logstash to ES Logstash	16	1110	October 6, 2020

From Filebeat to Logstash (and next to Elasticsearch) - pipeline processing

Related topics