Logstash adds field to output although not specified

massimo · May 24, 2017, 8:59am

Hello,

in a test environment we collect, parse/grok firewall log messages and put them into elasticsearch - using logstash. The logs are received using tcp input. In the processed logs I noticed another field which was not parsed/groked - called port. Somehow I realised that this port has nothing to do with the firewall logs as such but it is the port which is used on the firewall for connecting to logstash in order to forward the logs. At the end it is written to the index.

version: 5.4

Might I be missing anything here?

Regards,
massimo

theuntergeek · May 24, 2017, 4:29pm

Nope. Not missing anything. This is done by many Logstash inputs. Feel free to use mutate { remove_field => for any fields you don't want (excepting @timestamp).

massimo · May 29, 2017, 9:18am

Good, then I've ignored this completely until now. Thank you.

system · June 26, 2017, 9:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
TCP input plugin generate additional port field Logstash	3	1106	February 6, 2020
Extract fields from a log Logstash	3	308	May 22, 2019
Delete syslog fields from logstream Logstash	3	913	December 21, 2018
Fields are not added Logstash	4	2789	February 13, 2017
Log4j input host without port Logstash	2	745	July 6, 2017

Logstash adds field to output although not specified

Related topics