Want FIleBeat client IP not hostname

I am reading logs from FIleBeat > Logstash > ElasticSearch

I am only able to capture FileBeat client systems hostname, but I want IP address not hostname. Unable to find working solution in this forum and internet.

Please help

1 Like

Check related issue on logstash-input-beats repo: https://github.com/logstash-plugins/logstash-input-beats/issues/180

I am using v5.5, Now i added these lines.

mutate {
add_field => { "remote_ip" => "%{[@metadata][ip_address]}" }
}

but didnt worked, or do i need to modify beats.rb & message_listener.rb etc

do i need to install some plugins etc

Please provide sample code that would help

The change is not included in 5.5.
Please read this comment for more details: https://github.com/logstash-plugins/logstash-input-beats/issues/180#issuecomment-315112280

Thanks Steffen, I have downloaded and tried to install plugin in many ways but unable to install it.

D:\UAT\logstash550\bin>logstash-plugin install --version "4.0.3" logstash-input-beats-master.zip
ERROR: Something went wrong when installing logstash-input-beats-master.zip, message: certificate verify failed

D:\UAT\logstash550\bin>logstash-plugin install --version "4.0.3" logstash-input-beats-master
ERROR: Something went wrong when installing logstash-input-beats-master, message: certificate verify failed

D:\UAT\logstash550\bin>logstash-plugin install --version "4.0.3" file:///d:/uat/logstash550/bin/logstash-input-beats-master.zip
Installing file: /d:/uat/logstash550/bin/logstash-input-beats-master.zip
ERROR: Invalid pack for: file:///d:/uat/logstash550/bin/logstash-input-beats-master.zip, reason: The pack must contains at least one plugin, message: The p
ack must contains at least one plugin

D:\UAT\logstash550\bin>logstash-plugin install --version "4.0.3" file:///d:/uat/logstash550/bin/logstash-input-beats-master
ERROR: Invalid pack for: file:///d:/uat/logstash550/bin/logstash-input-beats-master, reason: Invalid format, the pack must be in zip format, message: Inval
id format, the pack must be in zip format

D:\UAT\logstash550\bin>logstash-plugin install file:///d:/uat/logstash550/bin/logstash-input-beats-master.zip
Installing file: /d:/uat/logstash550/bin/logstash-input-beats-master.zip
ERROR: Invalid pack for: file:///d:/uat/logstash550/bin/logstash-input-beats-master.zip, reason: The pack must contains at least one plugin, message: The p
ack must contains at least one plugin

Another way is to send the IP address by mentioning it on filebeat conf itself , same can be done as below. By this you need to define the IP to the conf file manually while writing the filebeat yml.

https://www.elastic.co/guide/en/beats/filebeat/current/configuration-general.html#libbeat-configuration-fields

Thanks Prashant, I will not be able to hard code it in conf file, as we have approx 100+ servers.

I have no idea about dealing with conflicts when updating logstash plugins. Please check the logstash forum. I think logstash is using rubygems for download via HTTPS (which might be the reason for the certificate error).

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.