Hello,
Is it possible to add the add_host_metadata processor in filebeat.yml for specific inputs only?
This works:
filebeat.inputs:
- type: log
paths: C:\Windows\System32\LogFiles\Firewall\*.log
pipeline: filebeat-windows-firewall
- type: syslog
protocol.udp:
max_message_size: 25KiB
host: "192.168.1.102:1514"
pipeline: filebeat-pfsense
processors:
- add_observer_metadata:
cache.ttl: 5m
geo:
name: pfsense.domain.lan
location: 41.031833, 3.728900
continent_name: Europe
country_iso_code: BE
region_name: Oost-Vlaanderen
region_iso_code: OVL
city_name: Ghent
processors:
- add_host_metadata:
netinfo.enabled: true
But this does not:
filebeat.inputs:
- type: log
paths: C:\Windows\System32\LogFiles\Firewall\*.log
pipeline: filebeat-windows-firewall
processors:
- add_host_metadata:
netinfo.enabled: true
- type: syslog
protocol.udp:
max_message_size: 25KiB
host: "192.168.1.102:10514"
pipeline: filebeat-pfsense
processors:
- add_observer_metadata:
cache.ttl: 5m
geo:
name: pfsense.domain.lan
location: 41.031833, 3.728900
continent_name: Europe
country_iso_code: BE
region_name: Oost-Vlaanderen
region_iso_code: OVL
city_name: Ghent
As you can see I want the pfsense input to only have the observer fields, while the Windows firewall logs should only have the host fields.
Filebeat is not starting with the last config. It's weird, because I'm doing similar stuff on Winlogbeat where this does seem to work.
Grtz
Willem