Unexpected format of ES document generated by FileBeats

Pablo_Albertengo · September 24, 2020, 2:35pm

Hi guys!

I'm starting to test with FileBeats and I can't generate documents in ElasticSearch that suit what I want.

This is my scenario.
I want to send some audit information to ElasticSearch from my Java application.
To do this, I am using the encoder net.logstash.logback.encoder.LogstashEncoder to format the messages to json.

Additionally, I modify the default FileBeats template (fields.yml) for one that has the fields of my interest.

I understand that the template was successfully uploaded to ES

The problem is that instead of generating the document as I expect:

{
  "@timestamp": "2020-09-24T09: 16: 50.957-03: 00",
  "messageType": "rq",
  "operation": "search",
  "operationDt": "2020-09-24 09:16:50",
  "rawMessage": "xmlxml",
  "supplierId": "BAP"
}

FileBeats generates the document like this:

{
  "_index": "filebeat-7.6.2-2020.09.24-000001",
  "_type": "_doc",
  "_id": "OrRKwHQBxk1i8MjjUNrR",
  "_Version 1,
  "_score": 0,
  "_source": {
    "@timestamp": "2020-09-24T13: 25: 27.801Z",
    "host": {
      "containerized": false,
      "name": "nemo-development-1",
      "hostname": "nemo-development-1",
      "architecture": "x86_64",
      "os": {
        "kernel": "4.18.0-25-generic",
        "codename": "cosmic",
        "platform": "ubuntu",
        "version": "18.10 (Cosmic Cuttlefish)",
        "family": "debian",
        "name": "Ubuntu"
      },
      "id": "4590f65319a441daa3312002a2028743"
    },
    "agent": {
      "type": "filebeat",
      "ephemeral_id": "303ee170-25ac-4008-87bb-3e8675d61232",
      "hostname": "nemo-development-1",
      "id": "43e47003-bb81-4651-81d6-2b8cb6c1dce6",
      "version": "7.6.2"
    },
    "container": {
      "id": "2020-09"
    },
    "log": {
      "file": {
        "path": "/home/pricesurferlogs/DEV/suppliers/2020-09/24/files/xmlfiles.log"
      },
      "offset": 0
    },
    "message": "{\" @ timestamp \ ": \" 2020-09-24T09: 16: 50.957-03: 00 \ ", \" @ version \ ": \" 1 \ ", \" logger_name \ ": \ "net.nemogroup.audit.logging.AuditLogger \", \ "thread_name \": \ "main \", \ "level \": \ "TRACE \", \ "level_value \": 5000, \ "LOGS_SUPPLIER \ ": \" / home / pricesurferlogs / DEV / supplier \ ", \" LOGS_HOME \ ": \" / home / pricesurferlogs / DEV \ ", \" messageType \ ": \" rq \ ", \" operation \ ": \ "search \", \ "operationDt \": \ "2020-09-24 09:16:50 \", \ "rawMessage \": \ "xmlxml \", \ "supplierId \": \ "BAP \" } ",
    "input": {
      "type": "log"
    },
    "ecs": {
      "version": "1.4.0"
    }
  }
}

That is, it puts the entire line in the message field.

Do you have any idea what I may be doing wrong?
Thanks in advance,
Pablo

Pablo_Albertengo · September 25, 2020, 12:36pm

I have already solved the problem.
Basically I was missing some configuration in the filebeat.yml file related to decode the log in json format.

The added configuration lines are:

json.keys_under_root: true
json.message_key: log

processors:
- decode_json_fields:
    fields: ["log"]
    target: ""
    overwrite_keys: true

system · October 23, 2020, 2:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat issue with json logs from ES audit Beats filebeat	1	439	March 16, 2022
Some paragraphs of document missing in ES index Beats filebeat	5	415	June 29, 2018
Filebeat does not create index template Beats filebeat	11	3223	August 31, 2020
Json format and types Beats filebeat	3	3055	August 9, 2018
Filebeat 6.2.1 and logstash 6.2.1 and doc type Logstash	2	500	April 7, 2018

Unexpected format of ES document generated by FileBeats

Related topics