I am sending all the event logs to Logstash using Winlogbeat. Here is part of winlogbeat.yml:

winlogbeat.event_logs:
  - name: Application
    level: error, warning, info

output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
The issue is that I can see the error message in Windows Event Viewer, but there is no "message" field at all for some events when checked in Kibana. I am not able to find what the issue is. Here is the Logstash config file,
What version of Winlogbeat are you running? And what OS version?
If you can turn on debug logging, this will give you some more detail about the events on the Winlogbeat side. The log will then contain the raw XML received from Windows, so we can see if it has any rendering errors in it (these are what would be added to message_error).
It looks like there is no message contained in the event from Windows, nor is there a rendering error. There might be an issue with the application that is logging the message (in particular with its message text file).
As a workaround, you could use Logstash to copy the event_data.Data value to message when you see this event ID value in the Application log and the event does not have a message.
I used to drop the event_data field using the mutate filter in Logstash:

mutate {
  remove_field => ["event_data"]
}
Now I am not dropping this field, so in some documents I see just one field, event_data.param1 (which contains the message), but in other cases I see a lot of fields, event_data.param1 to event_data.param30. In that case event_data.param1 contains an integer (not the message).
Please tell me if I am missing anything here. My goal is to combine all these fields into a single field "message" instead of having 30 different fields.
Assuming the application creates just this one event with the problem, I'd put a condition around the logic so that it does not affect other events. (The top-level block must be named filter, not filters, or Logstash will fail to load the config.)

filter {
  if ![message] and [event_data][param1] and [log_name] == "Application" and [source_name] == "test" and [event_id] == 0 {
    mutate {
      rename => {
        "[event_data][param1]" => "message"
      }
    }
  }
}

This may need some tweaking since I am not working off the real data.
Or, if this is affecting all events being logged by this one application, then you could do a hack like this to convert the parameters logged by the application to a JSON string and put that into message. I must say that is the opposite of what most users do; mostly they want to have each piece of data in its own field in order to do various types of analysis or aggregations.

filter {
  if ![message] and [event_data][param1] and [log_name] == "Application" and [source_name] == "test" {
    json_encode {
      source => "event_data"
      target => "message"
    }
  }
}
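The two replies above give a rename for the single-parameter case and a json_encode hack for the many-parameter case, but neither covers the question actually asked: joining event_data.param1 through event_data.param30 into one message string in the right order. The following is an added example written for this thread; it is not code from the original posts, from Winlogbeat or from Logstash. It models the same conditional (no message, Application log, source "test", event_data.param1 present) on a plain Ruby Hash shaped like the Winlogbeat event, and shows both the join and the JSON-encode variants. The sample events are constructed; inside a real Logstash ruby filter you would read and write through event.get / event.set instead of a Hash, and the exact source_name and event_id values are assumptions to replace with the real ones.

```ruby
require 'json'

# Added example for this thread, not code from Winlogbeat or Logstash.
# Works on a Hash shaped like the event Winlogbeat ships to Logstash.

# Logstash string order would put param10 before param2, so sort the
# paramN keys by their number to keep the application's argument order.
def ordered_params(event_data)
  event_data.keys
            .select { |k| k.match?(/\Aparam\d+\z/) }
            .sort_by { |k| k[/\d+/].to_i }
end

# Same guard as the posted filter: only touch events from the one source
# that have no message and do carry event_data.param1. Values assumed.
def needs_message?(event)
  msg = event['message']
  (msg.nil? || msg.to_s.empty?) &&
    event['log_name'] == 'Application' &&
    event['source_name'] == 'test' &&
    !event.dig('event_data', 'param1').nil?
end

# mode: :join -> one string with paramN values in numeric order
#       :json -> JSON-encode the whole event_data hash (the json_encode hack)
# Returns the (possibly updated) event so callers can chain or inspect it.
def build_message(event, mode: :join)
  return event unless needs_message?(event)

  data = event['event_data']
  event['message'] =
    case mode
    when :json then JSON.generate(data)
    else ordered_params(data).map { |k| data[k].to_s }.join(' ')
    end
  event
end

# Constructed sample events (not real Windows log data).
SAMPLE_EVENTS = [
  { 'log_name' => 'Application', 'source_name' => 'test', 'event_id' => 0,
    'event_data' => { 'param1' => 'Unhandled exception', 'param2' => 'in',
                      'param10' => 'worker.dll' } },
  { 'log_name' => 'Application', 'source_name' => 'test', 'event_id' => 0,
    'message' => 'already rendered', 'event_data' => { 'param1' => 'x' } },
  { 'log_name' => 'System', 'source_name' => 'other', 'event_id' => 7,
    'event_data' => { 'param1' => 'leave me alone' } }
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EVENTS.each do |ev|
    puts build_message(ev.dup, mode: :join)['message'].inspect
  end
end
```

The join variant is what the question asks for; the :json variant keeps every parameter recoverable from the single field if you later decide you want the per-field layout back.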