Logstash adds field to output although not specified


In a test environment we collect, parse/grok firewall log messages and put them into Elasticsearch using Logstash. The logs are received using the tcp input. In the processed logs I noticed another field which was not parsed/grokked, called `port`. Somehow I realised that this `port` has nothing to do with the firewall logs as such, but it is the port which is used on the firewall for connecting to Logstash in order to forward the logs. At the end it is written to the index.

Version: 5.4

Might I be missing anything here?


Nope. Not missing anything. This is done by many Logstash inputs. Feel free to use `mutate { remove_field => [...] }` for any fields you don't want (excepting `@timestamp`).
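An added example of the pipeline layout described above (not from the original thread): the tcp input tags each event with the sending peer's `host` and `port`, and the `mutate` filter drops `port` before the event reaches the index. The listening port, grok pattern and index name are assumptions.

```logstash
input {
  tcp {
    port => 5140          # assumed listening port for the firewall's syslog forwarder
    type => "firewall"
  }
}

filter {
  # Assumed pattern: the real firewall format will differ.
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:fw_host} %{GREEDYDATA:fw_message}" }
  }

  # The tcp input adds "host" (peer address) and "port" (peer source port)
  # to every event. That port is the firewall's client-side connection port,
  # not a value from the log line, so drop it so it is not indexed.
  mutate {
    remove_field => [ "port" ]
  }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
    index => "firewall-%{+YYYY.MM.dd}"   # assumed index name
  }
}
```

Keep `host` if you want to know which firewall sent the event; `remove_field` accepts a list, so add it there only if it is genuinely unwanted.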

Good, then I've ignored this completely until now. Thank you.
