Logs are coming in event.original but no message field | Elastic Agent

I've configured the standalone Elastic Agent on EC2 instances to send logs to Logstash.

And it is working fine.

But all the logs are coming in the event.original field and there is no message or log field. Because of this I'm not able to filter my logs.

elastic-agent.yml

outputs:
  default:
    type: logstash
    hosts: ["10.10.20.1:5044"]

inputs:
  # Collecting application log files
  - type: log
    # Each input must have a unique ID.
    id: unique-node-prod
    streams:
      - id: unique-node-log-streams
        data_stream:
          dataset: generic
        paths:
          - /app/logs/*combine.log*
agent.logging.to_stderr: true

logstash-conf.yml

input {
    elastic_agent {
        host => "10.10.20.1"
        port => "5044"
        ssl_enabled => false
        tags => ["prod-ec2"]
    }
}
filter { ... }
output {
    if "prod-ec2" in [tags] {
        elasticsearch {
            hosts => ["https://10.10.20.1:9200"]
            # user and password are plain strings, not arrays
            user => "elastic"
            password => "Password"
            ssl_enabled => true
            ssl_verification_mode => none
            manage_template => false
            data_stream => true
        }
    }
}

Is there any way to get log data in message field instead of event.original using elastic agent and logstash?

Please suggest any changes I need to make in my configuration, or anything I'm missing.

Which version are you using? I would assume that you are using version 8.X as this is the default behaviour now.

You could also just replace [message] with [event][original] in your filters and it will work.

But if you want to revert to the old behaviour you probably need to disable ecs_compatibility.

Just put pipeline.ecs_compatibility: disabled in your logstash.yml file and restart logstash.

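As an added example (not from the original thread), here is a filter block that follows the first suggestion above: it keeps ECS compatibility enabled, copies the raw line from [event][original] into [message] only when [message] is absent, and then parses it. The grok pattern, the timestamp layout and the "prod-ec2" conditional are assumptions about the application logs, not something the thread specifies.

```conf
filter {
  if "prod-ec2" in [tags] {
    # With pipeline.ecs_compatibility enabled, the elastic_agent input stores
    # the raw line in [event][original]. Older filters expect [message], so
    # populate it from [event][original] when it is missing.
    if ![message] and [event][original] {
      mutate {
        copy => { "[event][original]" => "[message]" }
      }
    }

    # Assumed line layout (placeholder): "2024-01-01T00:00:00Z INFO some text".
    # Adjust the pattern to the real application log format.
    grok {
      match => {
        "[message]" => "%{TIMESTAMP_ISO8601:[@metadata][ts]} %{LOGLEVEL:[log][level]} %{GREEDYDATA:[message]}"
      }
      overwrite => ["[message]"]
      tag_on_failure => ["_grokparsefailure_prod"]
    }

    # Use the timestamp from the log line as @timestamp.
    date {
      match => ["[@metadata][ts]", "ISO8601"]
    }

    # [event][original] still holds the untouched line, which is useful for
    # auditing and reprocessing. Only remove it if storage cost matters more:
    # mutate { remove_field => ["[event][original]"] }
  }
}
```

Events whose line does not match the pattern keep the copied [message] and receive the _grokparsefailure_prod tag, so they can be reviewed instead of silently dropped.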

Thank you, Leandro. I disabled the ecs_compatibility, and it is working as expected.