Ingesting ECS ndjson via http_endpoint?

Matthias_W · December 6, 2021, 9:13am

Hi,

I have a C++ application with a custom logging framework.

I was able to modify the framework quite easily to produce ECS-formatted JSON messages. Now, I am trying to use FileBeat to load these log messages into Elastic.

The C++ application is already using WinHTTP to call various REST services, so I thought to just use WinHTTP, too, to send the events to FileBeat.

So far, my FileBeat configuration looks like this:

- type: http_endpoint
  enabled: true
  listen_address: "0.0.0.0"
  listen_port: 5046
  content_type: ""
  prefix: "json"
  preserve_original_event: true
  processors:
    - decode_json_fields:
        fields: ["event.original"]
        overwrite_keys: true
        expand_keys: true
        add_error_key: true
        target: ""
    - drop_fields:
        fields: ["event.original", "json" ]
        ignore_missing: true

However, I feel that there might be a better way.
If I just change prefix to "", I receive an error message in the Filebeat log that key names cannot be empty.

Any ideas on how this can be improved?

system · January 3, 2022, 11:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to configure Filebeat to consume logs in JSON format that are already in ECS format Beats filebeat	1	420	June 23, 2020
Can't put http_endpoint messages to root Beats filebeat	6	625	January 5, 2022
How to stop Filebeat from shipping incorrect JSON to Elastic? Beats ecs-elastic-common-schema , filebeat	1	17	October 21, 2024
Filebeat, ECS and fieds.* namespace Beats ecs-elastic-common-schema , filebeat	3	485	December 31, 2020
Issue with JSON logs and field 'log.level' Beats filebeat	3	416	July 30, 2019

Ingesting ECS ndjson via http_endpoint?

Related Topics