I saw some questions around talking about "moving forward" towards Logstash ECS compliance.
So, I have now a setup with filebeat shipping logs using the nginx and system modules to an Logstash instance. I found this link: https://www.elastic.co/guide/en/logstash/current/logstash-config-for-filebeat-modules.html#parsing-nginx.
As I understood, filebeat module for nginx (for example), will ship many fields (mostly metadata) but leave parsing of the message field to an elastic pipeline or, if using logtash, you could use the filters suggested on that link.
The thing I found confusing is that the fields resulting from that suggested filtering don't align with the ECS at all. Therefore, all Filebeat dashboards are broken, SIEM broken.
I guess I could go and manually fix those groks and other filters but, why is the suggested filtering not following ECS. I would like to know how to stick to ECS (without losing logstash )
Am I missing something?