'source_ip_fieldname' is user customized, please check is has an ECS compatible name

Mahesh_Kumar_S · October 1, 2024, 9:33am

Hello Elastic community,

After migrating to Logstash 8 i have found a new warning message like

[WARN ][logstash.inputs.udp ] 'source_ip_fieldname' is user customized, please check is has an ECS compatible name


    udp{
        port =>514
        type =>syslog
        source_ip_fieldname =>"[@metadata][ip_address]"
    }

How to resolve it? What is the issue here?

Alex_Salgado-Elastic · October 1, 2024, 11:24am

Hi @Mahesh_Kumar_S ,

It is likely that the warning refers to not following the ECS naming conventions. The recommendation from Logstash is to use ECS-compliant field names to ensure that your data is well-structured and can be used consistently across various parts of the Elastic Stack (such as Elasticsearch and Kibana).

You can try using ECS conventions, for example: Source Fields | Elastic Common Schema (ECS) Reference [8.11] | Elastic

For instance, try using source.ip instead of source_ip_fieldname => "[@metadata][ip_address]":



udp {
    port => 514
    type => syslog
    source_ip_fieldname => "[source][ip]"
}

Topic		Replies	Views
Support for source_ip_fieldname in all network input plugins Logstash	1	836	January 18, 2019
Logstash parsing ECS Logstash ecs-elastic-common-schema	5	632	September 29, 2020
Parsing Mapping and finding the right ECS fields for logs in general Logstash ecs-elastic-common-schema	2	754	March 2, 2021
Syslog source ip Logstash	4	3561	October 1, 2020
Persistent ECS warning Logstash	4	416	January 17, 2024

'source_ip_fieldname' is user customized, please check is has an ECS compatible name

Related topics