Osquery module logs not prefixed with osquery.result

wojtas · August 28, 2018, 9:58am

Hello,

I am using 6.3.0 elastic stack on RHEL7, sending filebeat osquery logs to logstash (with osquery filebeat module enabled).
As per the documentation https://www.elastic.co/guide/en/beats/filebeat/6.3/filebeat-module-osquery.html the logs should be prefixed with 'osquery.result' however I am not seeing this in elasticsearch. All fields start with 'json.columns.'.

My osquery module config is pretty basic:

- module: osquery
  result:
    input:
      tags: ["osquery_events"]

I tried to set var.use_namespace to true but it didn't help. Right know I am doing the mutate stuff in logstash but it would be nice not to do so.

Any help appreciated ! Thanks

steffens · August 28, 2018, 2:21pm

Filebeat normally does not parse the raw logs. Filebeat modules normally setup the ingest node pipeline in Elasticsearch, so to offload parsing. If you put Logstash before Elasticsearch, then the event will not be parsed yet. Have a look at the Working with Filebeat modules section in the Logstash documentation for more background.

system · September 25, 2018, 2:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat not picking up OSQUERY LOGS SIEM	1	364	October 18, 2020
Filebeat osquery module Beats filebeat	3	757	April 20, 2018
Filebeat indexing on Windows Beats filebeat	4	665	July 18, 2017
Filebeat lotstash output and 'exported fields' Beats filebeat	4	1790	March 16, 2018
Filebeat 7.2's osquery module not respecting var.use_namespace: false Beats filebeat	2	354	August 22, 2019

Osquery module logs not prefixed with osquery.result

Related topics