Hello guys,
I noticed that some logs I collect have a field "severity" (ips logs). This is in conflict with the field "severity" which is related to my syslog input : severity of syslog is long and severity of ips logs is string (i.e "high"). This way, my ips log can't be indexed
I didn't found a way to disable all fields related to sysog input : severity, severity label, facility and facility label. Do you know a way to achieve this ? (or a workaround)
Thank you ! 
Remove or rename the offending fields in the filter section.
If renaming fields, consider ECS naming standards
Hey @rugenl ! As syslog severity field and my ips severity log field have the same name, don't you think all will be removed ? How logstash could make the difference ?
Are you sending them to the same input? Same pipeline? Use separate pipelines to process different logs, with appropriate filters for each.
I've got a dedicated pipeline for these logs.
If I remove fields, for example, "severity" and "severity_label" which are produced by syslog input, how logstash will know that he don't have to remove the field "severity" which is produced by ips logs (the message) ?
Solved by removing syslog fields "severity" and "severity_label" before the kv filter
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.