Ingesting ECS ndjson via http_endpoint?

Hi,

I have a C++ application with a custom logging framework.

I was able to modify the framework quite easily to produce ECS-formatted JSON messages. Now, I am trying to use Filebeat to load these log messages into Elastic.

The C++ application is already using WinHTTP to call various REST services, so I thought to just use WinHTTP, too, to send the events to Filebeat.

So far, my Filebeat configuration looks like this:

- type: http_endpoint
  enabled: true
  listen_address: "0.0.0.0"
  listen_port: 5046
  content_type: ""
  prefix: "json"
  preserve_original_event: true
  processors:
    - decode_json_fields:
        fields: ["event.original"]
        overwrite_keys: true
        expand_keys: true
        add_error_key: true
        target: ""
    - drop_fields:
        fields: ["event.original", "json" ]
        ignore_missing: true

However, I feel that there might be a better way.
If I just change prefix to "", I receive an error message in the Filebeat log that key names cannot be empty.

Any ideas on how this can be improved?
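
A variant of the posted input that keeps the same decoding processors but restricts who can reach the listener, as an added example that is not part of the original post. The loopback binding assumes the application runs on the same host as Filebeat; the header name, secret value and certificate paths are placeholders.

```yaml
filebeat.inputs:
  - type: http_endpoint
    enabled: true
    # Assumption: the C++ application runs on the same host as Filebeat.
    # Otherwise bind to the single interface the application reaches,
    # rather than every interface ("0.0.0.0").
    listen_address: "127.0.0.1"
    listen_port: 5046
    content_type: ""
    prefix: "json"
    preserve_original_event: true

    # Filebeat checks every request for this header and value;
    # the sender adds it as an extra request header.
    secret.header: "X-Log-Token"                  # placeholder header name
    secret.value: "REPLACE_WITH_RANDOM_SECRET"    # placeholder value

    # Serve HTTPS so the token and the events are not sent in clear text.
    ssl.enabled: true
    ssl.certificate: "C:/path/to/endpoint.crt"    # placeholder path
    ssl.key: "C:/path/to/endpoint.key"            # placeholder path

    # Processors unchanged from the posted configuration.
    processors:
      - decode_json_fields:
          fields: ["event.original"]
          overwrite_keys: true
          expand_keys: true
          add_error_key: true
          target: ""
      - drop_fields:
          fields: ["event.original", "json"]
          ignore_missing: true
```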
