Osquery module logs not prefixed with osquery.result

wojtas · August 28, 2018, 9:58am

Hello,

I am using 6.3.0 elastic stack on RHEL7, sending filebeat osquery logs to logstash (with osquery filebeat module enabled).
As per the documentation https://www.elastic.co/guide/en/beats/filebeat/6.3/filebeat-module-osquery.html the logs should be prefixed with 'osquery.result' however I am not seeing this in elasticsearch. All fields start with 'json.columns.'.

My osquery module config is pretty basic:

- module: osquery
  result:
    input:
      tags: ["osquery_events"]

I tried to set var.use_namespace to true but it didn't help. Right know I am doing the mutate stuff in logstash but it would be nice not to do so.

Any help appreciated ! Thanks

steffens · August 28, 2018, 2:21pm

Filebeat normally does not parse the raw logs. Filebeat modules normally setup the ingest node pipeline in Elasticsearch, so to offload parsing. If you put Logstash before Elasticsearch, then the event will not be parsed yet. Have a look at the Working with Filebeat modules section in the Logstash documentation for more background.

system · September 25, 2018, 2:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.