Journalbeat container.image output incompatible with ECS

bbailey · June 10, 2020, 9:28am

Using Journalbeat, logstash and elasticsearch version 7.6.0 we are getting bulk indexing errors due to an incompatibility with the ECS schema

Journalbeat appears to be outputting container.image as a concrete value whereas ecs defines it as object with 2 fields - container.image.name and container.image.tag

Is this a known issue ?

jsoriano · June 15, 2020, 3:15pm

Hey @bbailey,

Thanks for reporting this. Could you please share the configuration you are using in journalbeat, and an example event with the container.image field?

bbailey · June 15, 2020, 3:40pm

No problem, I'll see what I can share with you tomorrow.

bbailey · June 26, 2020, 1:31pm

This is opened as an issue in github now

system · July 24, 2020, 3:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Incorrect Journalbeat container output fields for Docker journald messages Beats journalbeat	4	678	November 4, 2022
High level concepts of elastic stack in containerized environment Beats docker , filebeat	3	324	April 28, 2021
[7.0.1] Journalbeat not processing Elasticsearch Log4j ESJsonLayout logs properly? Beats journalbeat	3	906	November 4, 2022
Filebeat with container type input uses image digest instead of tag (or both) when sending the logs Beats filebeat	1	118	April 18, 2024
Elasticsearch 7.4 Netflow questions Logstash or filebeat WTF? Elasticsearch	6	1434	November 1, 2019

Journalbeat container.image output incompatible with ECS

Related topics