Wrong path in logstash output (FileBeat)

I have a problem when taking logs with FileBeat to Logstash, my logs arrive well in a file but the path of log is wrong in the output (It's the default location on an apache server).

Here the config of FileBeat in the client:

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: filestream

  # Unique ID among all inputs, an ID is required.
  id: site1
  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - **/var/log/test.site1.com/access.log**
    #- c:\programdata\elasticsearch\logs\*

And here a snipet of log in Logstash server:

{"ecs":{"version":"8.0.0"},"@timestamp":"2022-11-17T11:08:25.000Z","tags":["beats_input_codec_plain_applied"],"event":{"original":"xxx.xxx.xxx.xxx - - [17/Nov/2022:12:08:25 +0100] \"GET / HTTP/1.1\" 200 10956 \"-\" \"lua-resty-http/0.10 (Lua) ngx_lua/10011\""},"@version":"1","message":"xxx.xxx.xxx.xxx - - [17/Nov/2022:12:08:25 +0100] \"GET / HTTP/1.1\" 200 10956 \"-\" \"lua-resty-http/0.10 (Lua) ngx_lua/10011\"","user":{"service":{"name":"ECS"},"region":"","availability_zone":"eu-west-0b","provider":"huawei","instance":{"id":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}},"agent":{"version":"8.5.0","id":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","type":"filebeat","ephemeral_id":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","name":"VMSite1},"source":{"address":"xxx.xxx.xxx.xxx"},"host":{"hostname":"VMSite1","mac":["xx-xx-xx-xx-xx-xx"],"architecture":"x86_64","id":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","containerized":false,"os":{"type":"linux","platform":"debian","family":"debian","codename":"stretch","kernel":"4.9.0-3-amd64","version":"9 (stretch)","name":"Debian GNU/Linux"},"ip":["xxx.xxx.xxx.xxx","xxxx::xxxx:xxxx:xxxx:xxxx"],"name":"VMSite1"},"log":{"file":{**"path":"/var/log/apache2/access.log"**},"offset":5870032},"timestamp":"17/Nov/2022:12:08:25 +0100","input":{"type":"filestream"},"http":{"request":{"method":"GET"},"response":{"status_code":200,"body":{"bytes":10956}},"version":"1.1"},"url":{"original":"/"},"user_agent":{"original":"lua-resty-http/0.10 (Lua) ngx_lua/10011"}}

As you can see, the logged folder /var/log/test.site1.com/access.log becomes the default path /var/log/apache2/access.log in the output

Is there a possibility in a configuration file to have the right path?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.