Record originating IP of filebeats


(Ruben Laban) #1

I currently have a fairly simple setup consisting of running several filebeat instances on various hosts, talking to a central logstash instance, which in turn talks to a ES cluster (6 nodes total, 1 also runs logstash).

Currently I only see the hostname of the hosts running filebeat, but I'd like to see the IP as well. Now I know that the hostname is sent by filebeat itself, and I'd prefer the IP address to be based on what logstash sees. Is this currently possible somehow? Otherwise I'd have to "hardcode" the IP addresses into filebeat configs (using puppet or whatever), but that'd less ideal.


How to get IP of machine in output?
(Magnus B├Ąck) #2

Using the dns filter isn't an option?


(Ruben Laban) #3

I don't think so, no. As I don't have any FQDN's in the incoming data. If filebeat would send the FQDN, then that'd be a start. I could add it as a custom field (same for the IP), but I prefer to keep my filebeats' configs as simple and generic as possible.


(Asktomsk) #4

This is very important feature for me too. I think it should be very common to have a public IP of log sender (e.g. filebeat) in the index. Embedded "host" variable is actually providing by filebeat and usually contains private host name.
There are some thoughts here: http://stackoverflow.com/questions/26971079/getting-ip-address-of-logstash-forwarder-machine
But I can't figure out how to use it.


(system) #5