I finally got it to work. The main problem was that the if [source] =~ "file.log" statement was not grabbing the file, so it couldn't find "Z0" in the field "zone"; that's why the mutate wasn't working. I solved it by removing that if statement, so now the filter will be applied to the log files that Filebeat is grabbing, which are not of type syslog. I also fixed my syntax thanks to you guys, because the syntax that I had wasn't correct.
Here is my final code:
filter {
  grok {
    match => { "message" => "%{DAY:day} %{MONTH:month} %{MONTHDAY:date} %{TIME:time} %{YEAR:year} \[%{GREEDYDATA:zone}\]\[%{GREEDYDATA:module}\]\[%{GREEDYDATA:severity}\]: %{GREEDYDATA:message_content}" }
    add_field => [ "received_at", "%{@timestamp}" ]
    add_field => [ "received_from", "%{host}" ]
  }
}
filter {
  if [zone] == "Z0" {
    mutate {
      replace => { "zone" => "Zone0 - BlockA" }
    }
  }
}
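
Added example, not part of the original post: a Python emulation of the grok match and the zone conditional above, run over constructed log lines. It shows when the exact comparison with "Z0" fires and how the bracketed GREEDYDATA captures shift when the message text itself contains brackets, next to the same pattern using grok's non-greedy DATA. The regexes are simplified stand-ins for the grok definitions, and run_filter and the sample lines are hypothetical.

```python
import re

# Simplified stand-ins for the grok patterns in the post (assumption: the real
# DAY/MONTH/TIME definitions are stricter). GREEDYDATA is ".*", DATA is ".*?".
PREFIX = (r"(?P<day>\w+) (?P<month>\w+) (?P<date>\d{1,2}) "
          r"(?P<time>[\d:.]+) (?P<year>\d{4}) ")
FIELDS = (r"\[(?P<zone>{d})\]\[(?P<module>{d})\]\[(?P<severity>{d})\]: "
          r"(?P<message_content>.*)")
GREEDY = re.compile(PREFIX + FIELDS.format(d=".*"))   # as posted
LAZY = re.compile(PREFIX + FIELDS.format(d=".*?"))    # DATA instead of GREEDYDATA


def run_filter(line, pattern=GREEDY):
    """Emulate the posted pipeline: grok, then the zone conditional and mutate."""
    event = {"message": line}
    match = pattern.search(line)
    if match is None:
        event["tags"] = ["_grokparsefailure"]  # Logstash's default failure tag
        return event
    event.update(match.groupdict())
    if event["zone"] == "Z0":  # exact string comparison, as in the post
        event["zone"] = "Zone0 - BlockA"
    return event


# Constructed sample lines (not from the original post).
PLAIN = "Mon Jan 15 10:23:45 2024 [Z0][auth][INFO]: login ok"
OTHER_ZONE = "Mon Jan 15 10:23:46 2024 [Z1][auth][INFO]: login ok"
BRACKETS = "Mon Jan 15 10:23:47 2024 [Z0][auth][WARN]: retry [a][b][c]: done"
UNSTRUCTURED = "kernel: unstructured line"

if __name__ == "__main__":
    for sample in (PLAIN, OTHER_ZONE, BRACKETS, UNSTRUCTURED):
        for name, pattern in (("GREEDYDATA", GREEDY), ("DATA", LAZY)):
            event = run_filter(sample, pattern)
            print(name, event.get("zone"), event.get("severity"), event.get("tags"))
```

With the posted pattern, the third sample line ends up with a zone value that is no longer "Z0", so the mutate is skipped without any parse failure being tagged.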