My exec input plugin does not compatible with ecs

MKH · September 5, 2022, 10:08pm

Hi,

I am trying to learn ow to use ecs schema within logstash. I use logstash 7.10.0 and input plugin I want to use in my logstash config file is "exec input". I am trying to just follow the documentation guideline https://www.elastic.co/guide/en/logstash/7.17/plugins-inputs-exec.html#plugins-inputs-exec-ecs_compatibility for this plugin to learn how to use ecs with it.

I have a config file called exec.conf with the following content:

input {
    exec {
        command => "echo 'hi--!!!'"
        interval => 10
        ecs_compatibility => v8 
    }
}
output {
    stdout{}
}

Regardless of whether I put the line "ecs_compatibility => v8" in my config file or don't, the output I see is:

{
      "@version" => "1",
    "@timestamp" => 2022-09-05T21:48:16.291Z,
       "message" => "hi--!!!\n",
          "host" => "seroiuts02525",
       "command" => "echo 'hi--!!!'"
}

While according to the documentation I should see different outputs when I have ecs_compatibility enabled and disabled (I think at least I should see the host name like this:

"host" => {
        "name" => "seroiuts02525"
    },

when the ecs_Compatibility => v8 exists in my config file but that is not the case!

I have also tried to enable the ecs_compatibility in my config/pipeline.yaml file and here is the content of this yaml file regarding this pipeline:

- pipeline.id: exec-pipeline
   path.config: /repo/emarykh/logstash/logstash-7.10.0/logstash config/config/pipelines/exec.conf
   pipeline.ecs_compatibility: v8

This also does not work and my output remains the same.
Could someone please help me understand what part I am missing in my configuration?

Thanks,
Maryam

stephenb · September 5, 2022, 10:58pm

Hi @MKH

I think your issue is that you're using logstash 7.10.0 but looking at the documentation for 7.17.0.

If you look at the documentation for 7.10.0 the ecs_compatability does not exist

I would recommend upgrading your logstash to a more current version 7.10 is very old.

And technically the docs specify [host][hostname] which is what I get with logstasg 7.17 and 8.4

./bin/logstash  -e 'input { stdin { ecs_compatibility => "v8"} } output { stdout {} }' 
....
The stdin plugin is now waiting for input:
[2022-09-05T16:43:01,194][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
test
{
       "message" => "test",
         "event" => {
        "original" => "test\n"
    },
      "@version" => "1",
          "host" => {
        "hostname" => "hyperion.lan"
    },
    "@timestamp" => 2022-09-05T23:43:03.735Z
}
```

MKH · September 6, 2022, 4:03pm

Thank you @stephenb to mention the problem!

system · October 4, 2022, 4:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.