Hi there,
I am using the ECS-Logging for Java with filebeat 8.3.3 (Get started | ECS Logging Java Reference [1.x] | Elastic) and I have a strange problem where the log entries are not processed by the filestream of filebeat. When I deactivate the ndjson configuration all logs are processed and I do see all logs in Kibana (in JSON though). So the issue should be related to the ndjson configuration. When I add the following log it gets processed correctly:
{"@timestamp":"2022-08-07T11:11:41.644Z", "log.level": "INFO", "message":"Request end: Method:GET URI:/rest/someurl Time:12ms Response:200", "ecs.version": "1.2.0","service.name":"srv-core","event.dataset":"srv-core","process.thread.name":"http-nio-14001-exec-48","log.logger":"com.dualoo.core.config.filter.IncomingRequestFilter","path":"/rest/someurl"}
This one is not processed and I also can't see any error message:
{"@timestamp":"2022-08-07T10:36:41.644Z", "log.level": "INFO", "message":"Request end: Method:GET URI:/rest/someurlTime:12ms Response:200", "ecs.version": "1.2.0","service.name":"srv-core","event.dataset":"srv-core","process.thread.name":"http-nio-14001-exec-48","log.logger":"com.dualoo.core.config.filter.IncomingRequestFilter","path":"/rest/someurl","ip":"some_ip","user":"some_user_id","tenant":"some_tenant_id"}
So it probably has to do with the extra fields in the log entry. But I couldn't find any hint what I can do to ingest these log entries as well. I also tried to change the ndjson settings, but this didn't help. Are these extra fields maybe somehow reserved?
filebeat.yml
- type: filestream
  id: filestream-srv-core
  enabled: true
  paths:
    - /var/log/srv-core.log.json
  parsers:
    - ndjson:
        keys_under_root: true
        overwrite_keys: true
        add_error_key: true
        expand_keys: true