Why I am seeing type 1 in my logs from logstash

logstash was configured to receive logs on port 517 and type was defined as "websense". in elasticsearch I am seeing two type values. Logs with value "1" and the other logs with value "websense".

Why I am see type ="1"?

That's of course impossible to say without seeing your configuration. Also, are you seeing current documents with such a type value or is it possible that they're old documents produced when Logstash was misconfigured?

the conf file is as below. I am seeing type field with two vaules "1" and "Forcepoint". The logstash.yml is the defualt and the logs is coming from cef connector and aggregated in the cef connector before coming to logstash:

image

image

Maybe the cef codec under some circumstances sets the type to 1? I'm not familiar with it.

I am getting now only one value "Forcepoint" for type field when I removed the aggregation in the cef connector that feeding the logstash.

Any helpful comments please

I found that I am having _aggregateexception in the tag field for the aggregated logs from cef connector

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.