Hello. I have a weird problem with Logstash filtering.
I am sending logs from several different winlogbeat agents to logstash for processing.
I have winlogbeat agents with different versions: 7.9.1 and 7.13.2.
Logstash is on version 7.13.2.
The problem is that Logstash does not match (and therefore does not add the tag for) the "if" condition for logs from the 7.13.2 agent, but it does match (and tag) logs from 7.9.1. Why?
Both winlogbeat 7.13.2 and 7.9.1 events are indexed in Elasticsearch; it is just that the 7.9.1 events have been tagged and the 7.13.2 events have not. Mutations without the "if" condition are working on both versions.
Both winlogbeat agents are sending logs to Logstash with event.code present. Logstash sends event.code as a string to Elasticsearch, and Elasticsearch indexes event.code from both versions as a string. A Kibana search also finds the indexed documents with event.code == 9999 from both winlogbeat versions, but one document has the tag added and the other does not.
The (redacted) filter I am using:
    filter {
      if [event][code] == 9999 {
        mutate { add_tag => [ "tagged" ] }
      }
    }
Any ideas/suggestions? Thank you!
-update-
I just figured out that logs from winlogbeat 7.9.1 are matched by: if [event][code] == 9999
and logs from winlogbeat 7.13.2 are matched by: if [event][code] == "9999"
-update2-
Problem solved.
Release notes for Winlogbeat 7.13.0 (Beats version 7.13.0 | Beats Platform Reference [8.11] | Elastic):
- Change event.code and winlog.event_id from int to keyword. 25176
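Added example, not the poster's filter and not from Elastic's documentation: a Logstash filter that tags events from both agent versions. It follows from the findings above (7.9.x sends event.code as an integer, 7.13.x as a keyword string, and the integer literal 9999 does not match the string "9999") by normalizing the field to a string with the standard mutate filter's convert option before a single string comparison. The value 9999 is the poster's redacted example; the assumption is that downstream index mappings already accept event.code as a keyword, which the post says they do.

```logstash
filter {
  # Winlogbeat 7.9.x ships event.code as an integer, 7.13.x as a keyword (string).
  # A Logstash conditional treats 9999 and "9999" as different values, so one
  # literal cannot match both fleets. Normalize the field to a string first.
  if [event][code] {
    mutate { convert => { "[event][code]" => "string" } }
  }

  # One string comparison now matches events from either agent version.
  if [event][code] == "9999" {
    mutate { add_tag => [ "tagged" ] }
  }

  # Alternative that leaves the field type untouched: accept either representation.
  # if [event][code] == 9999 or [event][code] == "9999" {
  #   mutate { add_tag => [ "tagged" ] }
  # }
}
```

Converting to string is the safer choice during a mixed-version rollout because every later conditional, and the Elasticsearch mapping, then sees one consistent type; the commented-out "or" form works too but has to be repeated in every conditional that looks at event.code.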