Hi all.
I upgraded the Elastic Stack (Elasticsearch + Kibana + Filebeat) from version 6.6 to 7.9.3.
Previously I used to filter logs by the nginx.access.host field. After the upgrade, this field disappeared, and I don't see any new field linked with the hostname accessed through nginx. Is it possible to bring it back, or to use another similar field?
Hello! I don't see the nginx.access.host field in https://www.elastic.co/guide/en/beats/filebeat/6.6/exported-fields-nginx.html. Do you maybe mean nginx.access.user_name?
I solved this problem by myself.
I'm using a custom nginx log format:
log_format main '$remote_addr - $remote_user [$time_local] "$host $request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
It seems somebody before me customized the access pipeline in the ingest node, so $host was parsed. After upgrading from 6.6 to 7.9.3, the pipeline was changed and replaced.
I found the needed data in nginx.access.info, which was created by GROK and used to be deleted in the pipeline.
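Added example, not part of the original posts and not the Filebeat module's own pipeline: a small Python parser for the custom log_format quoted above, showing how the host can be split out of the first quoted field ("$host $request") and what happens when the request part is malformed. The sample lines are constructed, and all dictionary key names other than the nginx variable names are assumptions ("info" is modelled on the nginx.access.info field mentioned above).

```python
import re

# Mirrors the custom log_format from the post: the first quoted field holds
# "$host $request" instead of the stock "$request".
LINE_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<info>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'"(?P<http_x_forwarded_for>[^"]*)"$'
)
# A well-formed $request is "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(
    r'(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<http_version>\d\.\d)$'
)

# Constructed sample lines (documentation IP ranges and example.com hosts).
SAMPLE_LINES = [
    r'192.0.2.10 - - [03/Nov/2020:10:15:32 +0000] '
    r'"shop.example.com GET /cart?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    # Non-HTTP bytes sent to the port: nginx writes them escaped as \xNN text.
    r'198.51.100.7 - - [03/Nov/2020:10:15:40 +0000] '
    r'"www.example.com \x16\x03\x01" 400 157 "-" "-" "-"',
]

def parse_line(line):
    """Return a dict of fields, or None if the line does not fit the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    event = m.groupdict()
    # $host never contains a space, so the first space separates it from $request.
    host, _, request = event["info"].partition(" ")
    event["host"] = host
    event["request"] = request
    r = REQUEST_RE.match(request)
    # Keep the event even when the request line is not valid HTTP: the host,
    # status and client address are still useful for filtering.
    event.update(r.groupdict() if r
                 else {"method": None, "target": None, "http_version": None})
    return event

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        ev = parse_line(sample)
        print(ev["host"], ev["status"], ev["method"], ev["target"])
```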