Logstash CEF Field Mapping Inconsistency Between 7.16.2 and 8.16.3

Kfiro · February 7, 2025, 9:21am

I am running Logstash containers to process CEF messages, and I have observed an inconsistency in field mappings between Logstash 7.16.2 and 8.16.3.

When using Logstash 7.16.2, fields are mapped as expected, but in 8.16.3, certain fields have changed their structure and naming conventions.

For example, in 7.16.2, deviceCustomString1 is parsed correctly, whereas in 8.16.3, it is mapped as device_custom_string_1.value under a nested structure.

I attempted to resolve this by explicitly setting Plugin codec-cef version to match the one used in 7.16.2, but the issue persists.

Observed Differences:

7.16.2

{
"deviceCustomString1": "0x1000"
}

8.16.3
{
"device_custom_string_1": {
"value": "xxx-DB",
"label": "Query Name"
},
}

i just put here deviceCustomString1 but its appear in many fields

Logstash Version (Working): 7.16.2
Logstash Version (Issue Observed): 8.16.3

leandrojmp · February 7, 2025, 1:37pm

This expected, is a breaking change on version 8 related to ecs_compatibility.

The name of the fields using ecs are described here.

To have the same behavior as on version 7 you need to add pipeline.ecs_compatibility: disabled into the pipeline configuration on pipelines.yml, or globally on logstash.yml.

Badger · February 7, 2025, 1:41pm

You can also change the ECS compatability on the just the codec.

Kfiro · February 8, 2025, 7:57am

thank you
it works

Topic		Replies	Views
Logstash with 'ecs-compatibility' unable to accept particular CEF Extension field Logstash	3	454	June 17, 2022
Logstash CEF codec Logstash	4	1641	July 6, 2017
Logstash CEF codec and ECS cannot parse 'rt' field throws an error Logstash	3	1376	August 25, 2022
Syslog cef + logstash + security device logs parsing issues Logstash docker	1	1318	March 12, 2021
Reverse_mapping for cef input codec not working Logstash	4	1591	April 3, 2019

Logstash CEF Field Mapping Inconsistency Between 7.16.2 and 8.16.3

Related topics