Fields changed for new Beats input in Graylog 3 #5905

Closed
Nklya opened this issue Apr 24, 2019 · 7 comments

Nklya commented Apr 24, 2019

Hello.

I've noticed that the source field now contains a filename instead of the host for the new Beats input in Graylog 3. I haven't found anything in the changelog.

Expected Behavior

Field source in Beats input contains a hostname

Current Behavior

Field source in Beats input contains a filename

Possible Solution

The previous behavior can be reached by using Beats (deprecated) input.
I think at least it should be documented and added to changelog.

Steps to Reproduce (for bugs)

  1. Install Graylog 3.
  2. Set up Filebeat to stream any log to Graylog.
  3. Add a new input with type Beats.
  4. You will receive messages in which the source field in the Beats input contains a filename instead of a hostname.

Context

We have many inputs, and everywhere the source field contains a hostname. Now this change will lead to misunderstandings and changes to dashboards and alerts.

Your Environment

  • Graylog Version: 3.0.1-2 (also tested 3.0.0)
  • Elasticsearch Version: 6.6.0
  • MongoDB Version: 4.0.2
  • Operating System: Ubuntu 18.04
  • Browser version: Chrome 74.0.3729.108

mpfz0r (Contributor) commented Apr 24, 2019

How did you configure the "add beats prefix" option on the Input?

Refs #5537

Nklya (Author) commented Apr 24, 2019

no_beats_prefix: true in the input

mpfz0r (Contributor) commented Apr 24, 2019

That's why I changed this default to false.
Filebeat has used the source field for the filename for a while now: https://www.elastic.co/guide/en/beats/filebeat/current/migration-changed-fields.html#_the_file_field_was_renamed_to_source

With the prefix, it would be filebeat_source and not collide with Graylog's source field.

Nklya (Author) commented Apr 24, 2019

Thank you very much 🤗 !

I changed it to false and now everything works as before.

This checkbox in input settings:
image

Nklya closed this as completed Apr 24, 2019

Nklya (Author) commented Apr 24, 2019

In case someone hits the same.

You can avoid this problem by adding this to filebeat.yml without disabling no_beats_prefix:

processors:
- rename:
    fields:
     - from: "source"
       to: "file"

nix-power commented

Meaning this checkbox should not be checked?

mpfz0r (Contributor) commented May 10, 2021

Meaning this checkbox should not be checked?

That's up to you. By default it's not checked, which adds a prefix like winlogbeat_ or filebeat_ to every field.
That prevents the mentioned name collision for the source field.
Alternatively, you can rename this field with the aforementioned Beats config snippet.
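
An added example, not part of the thread and not Graylog's own code: a simplified Python model of the collision discussed above, showing why dashboards and alerts keyed on source change meaning when the prefix is disabled, and how either the prefix or the rename processor avoids it. The underscore flattening, the use of beat.hostname as the message source, and the helper names are assumptions made for illustration.

```python
# Simplified model of the field-name collision in this thread (not Graylog's codec).

def flatten(event, parent=""):
    """Flatten nested Beats JSON into underscore-joined field names (assumed scheme)."""
    out = {}
    for key, value in event.items():
        name = f"{parent}_{key}" if parent else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out

def rename_field(event, src, dst):
    """Mimic the effect of the Filebeat rename processor on one top-level field."""
    renamed = dict(event)
    if src in renamed:
        renamed[dst] = renamed.pop(src)
    return renamed

def to_message(event, beat_type, no_beats_prefix):
    """Return (fields, collisions): collisions lists base fields that got overwritten."""
    # Assumption: the message's own source is the shipper's hostname.
    base = {"source": event["beat"]["hostname"], "message": event["message"]}
    fields, collisions = dict(base), []
    for name, value in flatten(event).items():
        if name == "message":
            continue
        target = name if no_beats_prefix else f"{beat_type}_{name}"
        if target in base and base[target] != value:
            collisions.append(target)
        fields[target] = value
    return fields, collisions

# Constructed sample event: Filebeat puts the log file path in "source".
EVENT = {
    "message": "sshd[811]: Accepted publickey for deploy",
    "source": "/var/log/auth.log",
    "beat": {"hostname": "web01"},
}

if __name__ == "__main__":
    for label, ev, flag in [
        ("no prefix", EVENT, True),
        ("prefix", EVENT, False),
        ("no prefix + rename", rename_field(EVENT, "source", "file"), True),
    ]:
        fields, collisions = to_message(ev, "filebeat", flag)
        print(f"{label:20} source={fields['source']!r} collisions={collisions}")
```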
