We've noticed while using filebeat to process logs from Cloudtrail that for some reason the processor looks at the previous S3 object and are unsure of the reasoning behind it:
- rename:
field: "json.previousDigestS3Object"
target_field: "file.path"
ignore_failure: true
This is a bit counter-intuitive, as we initially thought that a field called file.path would contain the name of the current file instead of the previous file? Or is there something we are missing?
Hi @styks90 thanks for bringing this up! It does seem to be a bug to me. It should be looking at json/digestS3Object field instead. Do you mind creating a github issue in Beats repo or integrations repo for this? TIA!!
Hi @Kaiyan_Sheng , here's the link to the issue: Filebeat ingest processor for CloudTrail maps previous digest object · Issue #32609 · elastic/beats · GitHub, looks like it reached the right team already.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.