Want Filebeat client IP not hostname


(hasaN khaN) #1

I am reading logs from Filebeat > Logstash > Elasticsearch

I am only able to capture the Filebeat client system's hostname, but I want the IP address, not the hostname. I am unable to find a working solution in this forum or on the internet.

Please help


(Steffen Siering) #2

Check related issue on logstash-input-beats repo: https://github.com/logstash-plugins/logstash-input-beats/issues/180


(hasaN khaN) #3

I am using v5.5. Now I added these lines.

mutate {
  add_field => { "remote_ip" => "%{[@metadata][ip_address]}" }
}

But it didn't work. Or do I need to modify beats.rb & message_listener.rb etc.?

Do I need to install some plugins etc.?

Please provide sample code that would help.


(Steffen Siering) #4

The change is not included in 5.5.
Please read this comment for more details: https://github.com/logstash-plugins/logstash-input-beats/issues/180#issuecomment-315112280
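
Added example, not part of the original posts and not the plugin's own code: a pipeline that copies `[@metadata][ip_address]` only when the beats input has set it, and prints `@metadata` so you can check whether the installed plugin populates the field. The port number and the `remote_ip_unavailable` tag name are assumptions made for this example.

```logstash
input {
  beats {
    port => 5044   # assumed port, not taken from the thread
  }
}

filter {
  # Copy the address only when the beats input actually set it. When the
  # field is absent (as on a plugin build without the change discussed in
  # issue #180), an unguarded add_field stores the literal text
  # "%{[@metadata][ip_address]}" in remote_ip instead of an address.
  if [@metadata][ip_address] {
    mutate {
      add_field => { "remote_ip" => "%{[@metadata][ip_address]}" }
    }
  } else {
    mutate {
      add_tag => [ "remote_ip_unavailable" ]   # hypothetical tag name
    }
  }
}

output {
  # @metadata is hidden by default; metadata => true prints it, which shows
  # directly whether ip_address is present on incoming events.
  stdout { codec => rubydebug { metadata => true } }
}
```

An address recorded by Logstash from the connection is harder for a client to misreport than a value the client writes into its own `fields` section, but it will be the proxy's or NAT gateway's address when one sits between Filebeat and Logstash.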


(hasaN khaN) #5

Thanks Steffen, I have downloaded and tried to install the plugin in many ways but was unable to install it.

D:\UAT\logstash550\bin>logstash-plugin install --version "4.0.3" logstash-input-beats-master.zip
ERROR: Something went wrong when installing logstash-input-beats-master.zip, message: certificate verify failed

D:\UAT\logstash550\bin>logstash-plugin install --version "4.0.3" logstash-input-beats-master
ERROR: Something went wrong when installing logstash-input-beats-master, message: certificate verify failed

D:\UAT\logstash550\bin>logstash-plugin install --version "4.0.3" file:///d:/uat/logstash550/bin/logstash-input-beats-master.zip
Installing file: /d:/uat/logstash550/bin/logstash-input-beats-master.zip
ERROR: Invalid pack for: file:///d:/uat/logstash550/bin/logstash-input-beats-master.zip, reason: The pack must contains at least one plugin, message: The pack must contains at least one plugin

D:\UAT\logstash550\bin>logstash-plugin install --version "4.0.3" file:///d:/uat/logstash550/bin/logstash-input-beats-master
ERROR: Invalid pack for: file:///d:/uat/logstash550/bin/logstash-input-beats-master, reason: Invalid format, the pack must be in zip format, message: Invalid format, the pack must be in zip format

D:\UAT\logstash550\bin>logstash-plugin install file:///d:/uat/logstash550/bin/logstash-input-beats-master.zip
Installing file: /d:/uat/logstash550/bin/logstash-input-beats-master.zip
ERROR: Invalid pack for: file:///d:/uat/logstash550/bin/logstash-input-beats-master.zip, reason: The pack must contains at least one plugin, message: The pack must contains at least one plugin

(Prashant Agrawal) #6

Another way is to send the IP address by mentioning it in the Filebeat conf itself; the same can be done as below. With this you need to define the IP in the conf file manually while writing the Filebeat yml.

https://www.elastic.co/guide/en/beats/filebeat/current/configuration-general.html#libbeat-configuration-fields


(hasaN khaN) #7

Thanks Prashant, I will not be able to hard-code it in the conf file, as we have approx 100+ servers.


(Steffen Siering) #8

I have no idea about dealing with conflicts when updating logstash plugins. Please check the logstash forum. I think logstash is using rubygems for download via HTTPS (which might be the reason for the certificate error).

