Logstash adds field to output although not specified

massimo · May 24, 2017, 8:59am

Hello,

in a test environment we collect, parse/grok firewall log messages and put them into elasticsearch - using logstash. The logs are received using tcp input. In the processed logs I noticed another field which was not parsed/groked - called port. Somehow I realised that this port has nothing to do with the firewall logs as such but it is the port which is used on the firewall for connecting to logstash in order to forward the logs. At the end it is written to the index.

version: 5.4

Might I be missing anything here?

Regards,
massimo

theuntergeek · May 24, 2017, 4:29pm

Nope. Not missing anything. This is done by many Logstash inputs. Feel free to use mutate { remove_field => for any fields you don't want (excepting @timestamp).

massimo · May 29, 2017, 9:18am

Good, then I've ignored this completely until now. Thank you.

system · June 26, 2017, 9:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.