For those logs I would use message_key: msg
. But you can also omit that config option because it's optional and you are not doing anything that would required it.
I ran a quick test with your logs and this config and it worked as expected.
filebeat.prospectors:
- paths:
- test.json
input_type: log
json.keys_under_root: true
json.add_error_key: true
output.elasticsearch:
hosts: ["http://localhost:9200"]
I was getting data like:
{
"@timestamp": "2017-03-27T17:11:31.359Z",
"beat": {
"hostname": "x",
"name": "x",
},
"error": "dial tcp 172.21.0.2:5432: getsockopt: connection refused",
"input_type": "log",
"level": "error",
"msg": "Could not open database connection",
"offset": 790,
"source": "/Users/akroh/go/src/github.com/elastic/beats/filebeat/.test/logrus/test.json",
"time": "2017-03-27T16:36:55Z",
"type": "log"
}