I'm very new to filebeat and I'm trying to import logs created by my application (PHP - symfony). The application uses monolog and ECS formatter to write to a log file.
It "works" but I'm sure I'm missing something. When I was not using the ndjson parser, the logs were arriving at ELK not interpreted: the whole log would be "message", with no log level, no context, etc.
By using the ndjson parser it started to properly separate the message from the context, but is it necessary if I'm already using the ECS formatter? Should I use a different processor?
And when using ndjson with the configuration above the timestamp is not being overwritten.
And when using Log instead of filestream, the timestamp is also not overwritten.
Here is my test file

First, note that you have a field error with just a text field; that will need to be error.message, because the ECS field error is an object, not just a single concrete field. So it should be error.message, or change it to a non-ECS field error_message, but error.message is a bit better IMHO.
Here is my filebeat.yml applicable section, all that is needed...
- type: log
  # Change to true to enable this input configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /Users/sbrown/workspace/sample-data/filebeat-json/simple_test2_json.json
  json.keys_under_root: true
  json.overwrite_keys: true
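
A pre-flight check for the problem pointed out in the reply above (an ECS field set such as error written as plain text), added here as an example and not part of the original thread. The sample lines are constructed, and the list of field sets checked is a subset chosen for this example.

```python
import json
from datetime import datetime

# ECS field sets that are objects, never bare scalars (subset chosen for this example).
ECS_OBJECT_FIELDS = {"error", "log", "event", "host", "service", "user", "http", "url"}

# Constructed sample lines in the shape an ECS formatter writes (one JSON object per line).
SAMPLE = [
    '{"@timestamp":"2021-06-01T10:15:30.123Z","log.level":"error","message":"Payment failed","error":"card declined"}',
    '{"@timestamp":"2021-06-01T10:15:31.000Z","log.level":"info","message":"Retry ok","error":{"message":"card declined"}}',
    '{"log.level":"info","message":"no timestamp"}',
    'not json at all',
]

def check_line(line):
    """Return the problems that would break or degrade ingestion of one NDJSON line."""
    try:
        doc = json.loads(line)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top-level value is not an object"]
    problems = []
    for key in sorted(ECS_OBJECT_FIELDS & doc.keys()):
        if not isinstance(doc[key], dict):
            kind = type(doc[key]).__name__
            problems.append(f"'{key}' is a {kind}, but ECS defines it as an object")
    ts = doc.get("@timestamp")
    if ts is None:
        problems.append("missing @timestamp, nothing to overwrite Filebeat's own value with")
    else:
        try:
            datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"@timestamp {ts!r} is not ISO 8601")
    return problems

def check_lines(lines):
    """Map 1-based line number to its problems, for lines that have any."""
    report = {}
    for number, line in enumerate(lines, 1):
        found = check_line(line)
        if found:
            report[number] = found
    return report

if __name__ == "__main__":
    for number, found in check_lines(SAMPLE).items():
        for problem in found:
            print(f"line {number}: {problem}")
```

Running it over the application's log file before pointing Filebeat at it catches lines that would otherwise surface later as mapping conflicts or unparsed events.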