Useragent filter not working as expected after enabling ECS

flalar · March 14, 2023, 12:52pm

We're having trouble with the useragent filter not adding the data to the document sent to Elasticsearch or stdout. Seems this happend after enabling support for ECS. Upgrading from Logstash 7.17.9 to 8.6.2 did not solve the issue either.

Filter is configured likt this

 useragent {
            source => "user_agent_original"           
            add_tag => ["useragent_added"]            
        }

example of the source "user_agent_original":"Mozilla/5.0 (Linux; Android 13; SM-G781B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Mobile Safari/537.36",

The tag "useragent_added" is found in the output, but no traces of the useragent

Any tips on how to debug this?

leandrojmp · March 14, 2023, 1:04pm

What trouble? You need to share logs or some kind of evidence, it is not possible to know what is happening with just that information. What do you have in logstash logs? Any WARN or ERROR logs?

Can you share your output? Also, share your full logstash configuration if possible.

Rios · March 14, 2023, 8:13pm

Your code is OK.

   useragent {
            source => "user_agent_original"
            add_tag => ["useragent_added"]
        }

LS 8.6.2 will produce :

"user_agent" => {
       "os" => {
       "name" => "Android",
       "version" => "13",
       "full" => "Android 13"
        },
       "name" => "Chrome Mobile",
       "device" => {
            "name" => "Samsung SM-G781B"
        },
        "version" => "107.0.0.0"
    }

You can use this notation, and will get full ECS user_agent structure

   useragent {
            source => "[user_agent][original]" # instead of user_agent_original
            target => "user_agent" # the user_agent field name is default and madatory for ECS
            ecs_compatibility => "v8" # v8 is default 
            add_tag => ["useragent_added"]
        }

Will get as full ECS:

    "user_agent" => {
        "original" => "Mozilla/5.0 (Linux; Android 13; SM-G781B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Mobile Safari/537.36",
              "os" => {
               "name" => "Android",
            "version" => "13",
               "full" => "Android 13"
        },
            "name" => "Chrome Mobile",
          "device" => {
            "name" => "Samsung SM-G781B"
        },
         "version" => "107.0.0.0"
    }

With ecs_compatibility => "disabled" , result will be:

    "user_agent" => {
             "patch" => "0",
           "os_full" => "Android 13",
          "original" => "Mozilla/5.0 (Linux; Android 13; SM-G781B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Mobile Safari/537.36",
             "major" => "107",
                "os" => "Android",
             "minor" => "0",
        "os_version" => "13",
          "os_major" => "13",
              "name" => "Chrome Mobile",
           "os_name" => "Android",
           "version" => "107.0.0.0",
            "device" => "Samsung SM-G781B"
    }

system · April 11, 2023, 8:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.