'source_ip_fieldname' is user customized, please check is has an ECS compatible name

Mahesh_Kumar_S · October 1, 2024, 9:33am

Hello Elastic community,

After migrating to Logstash 8 i have found a new warning message like

[WARN ][logstash.inputs.udp ] 'source_ip_fieldname' is user customized, please check is has an ECS compatible name


    udp{
        port =>514
        type =>syslog
        source_ip_fieldname =>"[@metadata][ip_address]"
    }

How to resolve it? What is the issue here?

Alex_Salgado-Elastic · October 1, 2024, 11:24am

Hi @Mahesh_Kumar_S ,

It is likely that the warning refers to not following the ECS naming conventions. The recommendation from Logstash is to use ECS-compliant field names to ensure that your data is well-structured and can be used consistently across various parts of the Elastic Stack (such as Elasticsearch and Kibana).

You can try using ECS conventions, for example: Source Fields | Elastic Common Schema (ECS) Reference [8.11] | Elastic

For instance, try using source.ip instead of source_ip_fieldname => "[@metadata][ip_address]":



udp {
    port => 514
    type => syslog
    source_ip_fieldname => "[source][ip]"
}

Topic		Replies	Views
Logstash ECS Compatiblity Issues Logstash	6	3108	June 6, 2022
Syslog source ip Logstash	4	3537	October 1, 2020
Persistent ECS warning Logstash	4	351	January 17, 2024
ECS Field Name (Fortigate Dataset) Logstash	4	233	October 20, 2023
ECS expect `target` value Logstash	9	1528	July 30, 2022

'source_ip_fieldname' is user customized, please check is has an ECS compatible name

Related Topics