Log_file_path

christos_zivlas · March 18, 2021, 10:27pm

Hi i am using filebeat on windows to get some application logs. Messages are harvest using a wildcard path. messages coming in do not contain the path of the log, is there a way to place such a field in the log message?

jsoriano · March 31, 2021, 5:12pm

Hi @christos_zivlas, welcome to discuss

If you are using the log input, log path should be in the event, in the log.file.path field.

christos_zivlas · April 4, 2021, 8:04pm

Hi, this is what happens on linux filebeat, the path shows as you describe but for windows filebeat this is not the case? Is there way to configure filebeat for windows to retrieve that info?

jsoriano · April 6, 2021, 11:10am

What inputs are you using in Windows? If you are using the log input, it should also fill this field.

christos_zivlas · April 6, 2021, 5:25pm

Hi jsoriano, i am using windows filebeat version 7.11 and graylog 3.1.4 and log input. I was expecting to see log.file.path field as i do when i get logs from linux machines with file beat. i am using a log input as the configuration below

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
fields.source: ${sidecar.nodeName}


output.logstash:
   hosts: ["172.17.1.213:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\filebeat\data
  logs: C:\Program Files\Graylog\sidecar\logs

filebeat.inputs:

- input_type: log
  enabled: true
  #ignore_older: 48h
  #close_eof: true
  tail_files: true
  tags: 
    - gxsas2
  paths:
  
  - D:\as2\icomas2logs\gxs\*\*\*

i am not really sure what i am doing wrong

christos_zivlas · April 6, 2021, 5:44pm

jsoriano · April 7, 2021, 4:22pm

Do you have access to the original event as sent by filebeat? From this screenshot I see that some field names are modified (for example beat_name instead of beat.name).

christos_zivlas · April 7, 2021, 6:56pm

Hi jsoriano, no fields were modified...this is the original configuration as created by graylog in sidecar section. Not sure if and how to access the original event. Not sure how filebeat for windows differs from filebeat for linux. I have 2 windows filebeat. Filebeat is running is running on top of sidecar if it makes any difference. Is there a chance this is not supported on filebeat for windows?

christos_zivlas · April 8, 2021, 7:06pm

Hi I think manage to find a solution first of all fixing the _ . Then realised that i can assign log.file.path to a field. Now my question is, how can i add a custom field with in filebeat configuration? Do i need a processor?

legoguy1000 · April 12, 2021, 12:29am

U can use the set processor to add a new field.

system · May 10, 2021, 2:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.